[WG-UMA] About PAT/AAT OAuth scopes

DaCruzPinto , Marcelo Marcelo_DaCruzPinto at McAfee.com
Tue Oct 7 16:27:30 CDT 2014

Hi UMAnitarians!

I've been thinking about this for a while, and wanted to get your thoughts: allowing the AS implementation to define the specific OAuth scopes required for getting PATs and AATs (that is, making the scope URLs defined in sections 1.3.1 and 1.3.2 more of a RECOMMENDED than a MUST). The reason this might be interesting is for an AS to use an external OAuth implementation provided by a third party, where PAT/AAT scopes might not be available.

For example, an AS could use a third party's OAuth implementation "as-is" (e.g., Google or Twitter), and assuming the third party would not honor PAT/AAT scopes, the AS implementer would have to map these to existing scopes (e.g., reusing a scope that's already assigned to protecting a different resource at the OAuth server). The Client would retrieve the scopes that need to be used when talking to the OAuth endpoint using the UMA well-known configuration endpoint (as defined in 1.4).

The only con I can think of with allowing this is that a user may not be aware of what the RS or C are requesting to do with the OAuth provider (since the scopes may not have any reference to UMA or what action the requester is trying to perform).

Do you think any of this makes sense? I ran into this while thinking about a nodejs UMA implementation/prototype and how to focus just on UMA without having to also develop an OAuth server, hence I thought about using an existing (already deployed, but not "UMA-aware") OAuth server and ran into this conundrum.

Does anybody think this makes sense?
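An added illustration of the proposal above, in the node style the post mentions. This is example code written for this page, not code from the original post, from the UMA specification, or from any UMA implementation. It assumes two hypothetical configuration fields, "pat_scopes" and "aat_scopes", that an AS could publish in its UMA well-known configuration document to override the scope URLs from sections 1.3.1 and 1.3.2; the host names (as.example, oauth.example, rs.example) and the mapped scope names (files.read, files.write, profile) are constructed sample data. The client reads the scopes from the configuration, falls back to the UMA scope URLs when the AS does not override them, builds the authorization request, and reports which of the chosen scopes carry no reference to UMA, which is the consent-transparency drawback raised in the post.

```javascript
// Added example (not from the original post or the UMA spec): a node-style
// client choosing the OAuth scopes to request for a PAT or an AAT from the
// AS's UMA well-known configuration instead of hard-coding the spec's URLs.
// "pat_scopes" and "aat_scopes" are hypothetical configuration fields used
// only for this illustration; UMA does not define them.

// Scope URIs UMA 1.0 sections 1.3.1 and 1.3.2 define for getting a PAT and
// an AAT. They are the default when the AS configuration says nothing else.
const UMA_PAT_SCOPE = 'http://docs.kantarainitiative.org/uma/scopes/prot.json';
const UMA_AAT_SCOPE = 'http://docs.kantarainitiative.org/uma/scopes/authz.json';

// Constructed sample of an AS configuration document, i.e. what a client
// would fetch from the AS's /.well-known/uma endpoint. This AS fronts an
// external OAuth server that does not honour the UMA scope URIs, so it maps
// PAT and AAT onto scopes that server already knows (hypothetical names).
const SAMPLE_CONFIG = {
  issuer: 'https://as.example',
  authorization_endpoint: 'https://oauth.example/authorize',
  token_endpoint: 'https://oauth.example/token',
  pat_scopes: ['files.read', 'files.write'],
  aat_scopes: ['profile'],
};

// Returns the OAuth scopes to request for tokenType ('pat' or 'aat'),
// preferring the AS-advertised override and falling back to the UMA URI.
// An override is only accepted if it is a non-empty list of valid scope
// tokens (RFC 6749 scope tokens contain no whitespace).
function scopesFor(config, tokenType) {
  const table = {
    pat: { field: 'pat_scopes', fallback: UMA_PAT_SCOPE },
    aat: { field: 'aat_scopes', fallback: UMA_AAT_SCOPE },
  };
  const entry = table[tokenType];
  if (!entry) throw new Error(`unknown token type: ${tokenType}`);
  const advertised = config && config[entry.field];
  const usable = Array.isArray(advertised) &&
    advertised.length > 0 &&
    advertised.every((s) => typeof s === 'string' && s.length > 0 && !/\s/.test(s));
  return usable ? advertised.slice() : [entry.fallback];
}

// Builds the authorization-code request that the RS (for a PAT) or the
// client (for an AAT) redirects the user to. Scopes are space-separated.
function buildAuthorizationUrl(config, tokenType, clientId, redirectUri, state) {
  if (!config || typeof config.authorization_endpoint !== 'string') {
    throw new Error('configuration lacks authorization_endpoint');
  }
  const url = new URL(config.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopesFor(config, tokenType).join(' '));
  url.searchParams.set('state', state);
  return url.toString();
}

// The drawback raised in the post: if the mapped scopes say nothing about
// UMA, the OAuth server's consent screen will not tell the user that an RS
// or client is being authorised for UMA flows. This returns the scopes that
// carry no reference to UMA so the AS implementer knows which ones need an
// explanation shown to the user.
function opaqueScopes(scopes) {
  return scopes.filter((s) => !/uma/i.test(s));
}

// Stand-alone demo.
console.log(buildAuthorizationUrl(SAMPLE_CONFIG, 'pat', 'rs-client',
  'https://rs.example/cb', 'n0nce'));
console.log('scopes with no UMA reference:',
  opaqueScopes(scopesFor(SAMPLE_CONFIG, 'pat')));
```

With the sample configuration the PAT request asks for "files.read files.write" at oauth.example, and both scopes are reported as opaque; drop the override fields and the same client requests the UMA scope URL instead, so an AS that does honour the spec's scopes needs no special handling.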

