[WG-UMA] About PAT/AAT OAuth scopes

Eve Maler eve at xmlgrrl.com
Fri Oct 17 23:40:04 CDT 2014

Hi Marcelo-- I've created issue #108 for this:


...and added some more thoughts in comments there.


On 7 Oct 2014, at 2:27 PM, DaCruzPinto , Marcelo <Marcelo_DaCruzPinto at McAfee.com> wrote:

> Hi UMAnitarians!
> I've been thinking about this for a while, and wanted to get your thoughts: Allowing the AS implementation to define specific OAuth scopes required for getting PATs and AATs (that is, making the scope URLs defined in sections 1.3.1 and 1.3.2 more of a RECOMMENDED than a MUST). The reason this might be interesting is for an AS to use an external OAuth implementation provided by a third party, where PAT/AAT scopes might not be available.
> For example, an AS could use a third party's OAuth implementation "as-is" (e.g., Google or Twitter), and assuming the third party would not honor PAT/AAT scopes, the AS implementer would have to map these to existing scopes (e.g., reusing a scope that's already assigned to protecting a different resource at the OAuth server). The Client would retrieve the scopes that need to be used when talking to the OAuth endpoint using the UMA well-known configuration endpoint (as defined in 1.4).
> The only con I can think of with allowing this is that a user may not be aware of what the RS or C are requesting to do with the OAuth provider (since the scopes may not have any reference to UMA or what action the requester is trying to perform).
> Do you think any of this makes sense? I ran into this while thinking about a nodejs UMA implementation/prototype and how to focus just on UMA without having to also develop an OAuth server, hence I thought about using an existing (already deployed, but not "UMA-aware") OAuth server and ran into this conundrum.
> Does anybody think this makes sense?
> Marcelo.
> _______________________________________________
> WG-UMA mailing list
> WG-UMA at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
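As an added example (not code from this thread or from any UMA implementation), written in JavaScript because Marcelo mentions a nodejs prototype: a client resolves the scopes to request for a PAT or AAT from the AS configuration document instead of hard-coding them, falls back to the UMA-defined scope URIs when the AS advertises none, and flags the case Marcelo raises where the advertised scope is an overloaded third-party scope that carries no UMA meaning for the consenting user. The `pat_scopes_supported`/`aat_scopes_supported` field names, the sample configuration, and the default scope URI values are assumptions.

```javascript
// Added example, not from the WG-UMA thread or any UMA project.
// Assumed: the UMA-defined scope URIs below (as recalled from UMA Core 1.3.1/1.3.2),
// and the hypothetical "<kind>_scopes_supported" configuration fields Marcelo proposes.
const UMA_DEFAULT_SCOPES = {
  pat: ['http://docs.kantarainitiative.org/uma/scopes/prot.json'],
  aat: ['http://docs.kantarainitiative.org/uma/scopes/authz.json'],
};

// Constructed sample of an AS configuration document for an AS that fronts a
// third-party OAuth server which only knows its own scope names for the PAT.
const SAMPLE_CONFIG = {
  issuer: 'https://as.example.com',
  authorization_endpoint: 'https://oauth.example.net/authorize',
  token_endpoint: 'https://oauth.example.net/token',
  pat_scopes_supported: ['files.readwrite'],   // overloaded third-party scope
  aat_scopes_supported: UMA_DEFAULT_SCOPES.aat, // UMA-defined scope honored
};

// Returns the scopes to request for kind "pat" or "aat", plus whether they are
// the UMA-defined ones. umaNative === false is the consent-transparency problem
// from the thread: the user will see a generic prompt, so surface that before
// redirecting. The issuer check rejects a configuration document that did not
// come from the AS the client expects.
function resolveUmaScopes(config, kind, expectedIssuer) {
  if (!(kind in UMA_DEFAULT_SCOPES)) throw new Error(`unknown token kind ${kind}`);
  if (config.issuer !== expectedIssuer) {
    throw new Error(`configuration issuer ${config.issuer} is not the expected AS`);
  }
  const advertised = config[`${kind}_scopes_supported`];
  const scopes = Array.isArray(advertised) && advertised.length > 0
    ? advertised
    : UMA_DEFAULT_SCOPES[kind];
  const umaNative = scopes.every((s) => UMA_DEFAULT_SCOPES[kind].includes(s));
  return { scopes, umaNative };
}

// Builds the authorization-code request URL the client redirects the user to,
// carrying the resolved scopes in the standard OAuth "scope" parameter.
function buildAuthorizationUrl(config, kind, clientId, redirectUri, state, expectedIssuer) {
  const { scopes } = resolveUmaScopes(config, kind, expectedIssuer);
  const url = new URL(config.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state);
  return url.toString();
}
```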
