[WG-UMA] About PAT/AAT OAuth scopes

Eve Maler eve at xmlgrrl.com
Fri Oct 17 23:40:04 CDT 2014


Hi Marcelo-- I've created issue #108 for this:

https://github.com/xmlgrrl/UMA-Specifications/issues/108

...and added some more thoughts in comments there.

	Eve

On 7 Oct 2014, at 2:27 PM, DaCruzPinto, Marcelo <Marcelo_DaCruzPinto at McAfee.com> wrote:

> Hi UMAnitarians!
> 
> I've been thinking about this for a while, and wanted to get your thoughts: Allowing the AS implementation to define specific OAuth scopes required for getting PATs and AATs (that is, making the scopes URLs defined in sections 1.3.1 and 1.3.2 more of a RECOMMENDED than a MUST). The reason this might be interesting is for an AS to use an external OAuth implementation provided by a third party, where PAT/AAT scopes might not be available.
> 
> For example, an AS could use a third party's OAuth implementation "as-is" (e.g., Google or Twitter), and assuming the third party would not honor PAT/AAT scopes, the AS implementer would have to map these to existing scopes (e.g., reusing a scope that's already assigned to protecting a different resource at the OAuth server). The Client would retrieve the scopes that need to be used when talking to the OAuth endpoint using the UMA well-known configuration endpoint (as defined in 1.4).
> 
> The only con I can think of with allowing this is that a user may not be aware of what the RS or C are requesting to do with the OAuth provider (since the scopes may not have any reference to UMA or what action the requester is trying to perform).
> 
> Do you think any of this makes sense? I ran into this while thinking about a nodejs UMA implementation/prototype and how to focus just on UMA without having to also develop an OAuth server, hence I thought about using an existing (already deployed, but not "UMA-aware") OAuth server and ran into this conundrum.
> 
> Does anybody think this makes sense?
> 
> 
> Marcelo.
> _______________________________________________
> WG-UMA mailing list
> WG-UMA at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
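Marcelo's proposal, as an added example that is not part of the thread or of any UMA implementation: a client picks the scopes to request for a PAT or AAT from the AS configuration document, falls back to the scope URIs the spec defines when nothing is advertised, and flags the case Marcelo raises where the advertised scope is a repurposed provider scope that will not mention UMA on the consent screen. The `pat_scopes`/`aat_scopes` configuration keys and the example.com/example.org endpoints and scope are assumptions.

```python
from urllib.parse import urlencode

# Scope URIs UMA Core 1.0 sections 1.3.1/1.3.2 define for PAT and AAT
# (assumed from the spec; the thread itself does not quote them).
SPEC_SCOPES = {
    "pat": ["http://docs.kantarainitiative.org/uma/scopes/prot.json"],
    "aat": ["http://docs.kantarainitiative.org/uma/scopes/authz.json"],
}
# Hypothetical keys an AS would use to advertise substitute scopes under
# the proposal; they are not part of the UMA 1.0 configuration document.
OVERRIDE_KEYS = {"pat": "pat_scopes", "aat": "aat_scopes"}

# Constructed configuration documents, trimmed to the fields used here.
UMA_AWARE_AS = {
    "authorization_endpoint": "https://as.example.org/authorize",
    "token_endpoint": "https://as.example.org/token",
}
THIRD_PARTY_AS = {  # AS fronting a provider that does not honor UMA scopes
    "authorization_endpoint": "https://oauth.example.com/authorize",
    "token_endpoint": "https://oauth.example.com/token",
    "pat_scopes": ["https://oauth.example.com/scopes/profile.read"],
}


def select_scopes(config, token_type):
    """Return (scopes, mapped) for a PAT or AAT request.
    `mapped` is True when the AS advertises scopes other than the UMA URIs,
    so the provider's consent screen will not mention UMA (the con raised).
    """
    advertised = config.get(OVERRIDE_KEYS[token_type])
    if advertised is None:
        return list(SPEC_SCOPES[token_type]), False
    if (not isinstance(advertised, list) or not advertised
            or not all(isinstance(s, str) and s.strip() for s in advertised)):
        raise ValueError("malformed %s in AS configuration" % OVERRIDE_KEYS[token_type])
    mapped = any(s not in SPEC_SCOPES[token_type] for s in advertised)
    return list(advertised), mapped


def build_authorization_url(config, token_type, client_id, redirect_uri, state):
    """Authorization-code request the RS (PAT) or client (AAT) redirects to."""
    scopes, mapped = select_scopes(config, token_type)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # binds the response to this request (anti-CSRF)
    }
    return config["authorization_endpoint"] + "?" + urlencode(params), mapped
```

A client that treats `mapped` as a signal can surface its own explanation of what the PAT or AAT will be used for, since the provider's consent screen will only show the repurposed scope.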
