Versions Compared

...

Following is a catalog of notable changes.

Core changes

From I-D rev 11 to rev 12:

  • Notable changes:
    • Enhanced the Security Considerations section.

From I-D rev 10 to rev 11:

  • Breaking changes:
    • Section 3.4: not_authorized_permission error code: Changed to not_authorized.
    • RPT handling: Changed extensively to remove the RPT issuance endpoint and have the authorization data request endpoint perform all RPT issuance duties. Permission ticket issuance is now handled on an "eager" basis: the RS registers a permission and returns a ticket when a client approaches it seeking access either without an RPT, or with an RPT that is invalid or carries insufficient authorization data. This affects several sections:
      • Section 1.4: configuration data
      • Section 3: introduction
      • Section 3.1.1 and 3.1.2: client approaching RS
      • Section 3.2: RS registering permission
      • Section 3.4: RPT issuance and authorization data addition
      • Section 5.2: Extensibility profile implications
    • Section 1.4:
      • Changed the claim_profiles_supported property in the configuration data to claim_token_profiles_supported
      • Changed the user_endpoint property in the configuration data to authorization_endpoint, to match the final IETF RFC 6749 name in OAuth 2.0
      • Changed the authorization_request_endpoint property in the configuration data to rpt_endpoint, to distinguish it more fully from the OAuth endpoint and to shorten it
      • (Also affects Section 5) Changed how uma_profiles_supported works, so that the API extensibility profiles don't have reserved keywords but rather use the regular URI mechanism for indicating profiles
    • Section 3.3.2:
      • Names of several properties in the permissions structure for the RPT "Bearer" token introspection response have changed to align them with JWT names: expires_at to exp, issued_by to iat
      • The JWT "scope" property at the top level is now disallowed in favor of "scopes" at the permissions level.
    • PAT and AAT OAuth scopes:
      • Renamed from URIs to simple strings: "uma_protection" and "uma_authorization"; the JSON scope description documents provided to enable the old URIs to resolve no longer have any relation to the UMA Core spec
  • Other changes of note:
    • Section 3.1.1 and Section 3.1.2: Extraneous host_id removed from example of RS's response to client.
    • Enabled explicit use of OAuth-based authentication protocols such as OpenID Connect for OAuth protection driving PAT and AAT issuance.
    • Identifiers for spec-defined profiles now use https instead of http
    • Migrated the claim profiling spec's requesting party claims endpoint configuration data to the core spec, and made it optional to supply.
    • Migrated the claim profiling spec's "need_claims" extensions to the core spec, broadened it to "need_info", and gave it "error_details" hints in the core spec.
    • Section 3.1.1: Requirement for RS to return 403 to a tokenless client has been softened to a SHOULD.
    • Section 3.3.2: The token introspection response has been aligned with the latest token introspection spec. nbf has been added at the permissions level, exp is now optional, and all permissions-level properties that duplicate JWT-level claims in intent now get overridden by any JWT-level claims present in the response. Finally, the "permissions" JWT claim has been registered with IANA.
    • Extensive new redirect-pattern claims gathering support added
    • Extensive new security and privacy considerations added
    • Section 1.4:
      • issuer property: Now required to match the actual published location of the config data.
      • Dynamic client configuration: When OIDC dynamic client configuration is used, this is now more intelligently handled through a reserved keyword "openid" that indicates that the OIDC configuration data should be consulted for the relevant endpoint.
      • pat_grant_types_supported and aat_grant_types_supported: Broadened to allow them to be strings even when not based on the OAuth grant type strings, similarly to token profiles.
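The Section 3.3.2 changes above (exp/iat/nbf at the permissions level, top-level "scope" disallowed, exp optional, and JWT-level claims overriding the permission-level duplicates) are easiest to see in code. The following is an added example of an RS-side check of an RPT "Bearer" token introspection response written for this page; it is not code from the UMA spec or from any implementation. The field names "permissions", "scopes", "exp", "iat" and "nbf" follow the changelog; the "resource_set_id" property name, the "active" flag and the sample response are assumptions made here.

```python
"""Added example (not from the UMA spec or any implementation): evaluating an
RPT introspection response under the rev 11 permissions structure.
Assumed names: "resource_set_id", "active"; the sample response is constructed."""
import time
from typing import Dict, List, Optional, Set

# Permission-level properties that duplicate JWT-level claims in intent.
# Per rev 11, any JWT-level claim present in the response overrides them.
OVERRIDABLE_CLAIMS = ("exp", "iat", "nbf")


def effective_permissions(introspection: Dict) -> List[Dict]:
    """Return each permission with JWT-level exp/iat/nbf applied over its own values.

    Rejects a response that carries the now-disallowed top-level JWT "scope";
    scopes belong at the permissions level as "scopes".
    """
    if not introspection.get("active", False):
        return []
    if "scope" in introspection:
        raise ValueError('top-level "scope" is not allowed; use "scopes" per permission')
    result = []
    for perm in introspection.get("permissions", []):
        effective = dict(perm)
        for claim in OVERRIDABLE_CLAIMS:
            if claim in introspection:
                effective[claim] = introspection[claim]
        result.append(effective)
    return result


def permission_is_current(perm: Dict, now: int) -> bool:
    """exp is optional (absent means the permission does not expire by itself);
    nbf, when present, must not lie in the future."""
    if "nbf" in perm and now < perm["nbf"]:
        return False
    if "exp" in perm and now >= perm["exp"]:
        return False
    return True


def authorizes(introspection: Dict, resource_set_id: str,
               required_scopes: Set[str], now: Optional[int] = None) -> bool:
    """True if some current permission for resource_set_id grants every required scope."""
    now = int(time.time()) if now is None else now
    for perm in effective_permissions(introspection):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if not permission_is_current(perm, now):
            continue
        if required_scopes <= set(perm.get("scopes", [])):
            return True
    return False


# Constructed sample introspection response (not a captured message).
# The JWT-level exp is earlier than the first permission's own exp, so the
# JWT-level value wins and the permission stops being usable at 1700000600.
SAMPLE_RESPONSE = {
    "active": True,
    "exp": 1700000600,
    "permissions": [
        {"resource_set_id": "rs-photos", "scopes": ["view", "edit"],
         "exp": 1700999999, "nbf": 1700000000},
        {"resource_set_id": "rs-calendar", "scopes": ["view"]},  # no exp or nbf of its own
    ],
}

if __name__ == "__main__":
    print(authorizes(SAMPLE_RESPONSE, "rs-photos", {"view", "edit"}, now=1700000300))
    print(authorizes(SAMPLE_RESPONSE, "rs-photos", {"view"}, now=1700000700))
```

The override rule is the security-relevant part: an RS that trusted the permission-level exp alone would keep honouring the first permission long after the token as a whole had expired.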

...

  • Breaking changes:
    • Changed the PUT method for the purpose of resource set creation at the authorization server, to POST. This had other rippling changes, such as removing the usage of If-Match, the precondition_failed error, ETag usage, and the privacy considerations warning about mapping real resource set names to obscured names that remove personally identifiable information.
  • Other changes of note:
    • Clarified that policy_uri is allowed on Create, Read, and Update, and now also allowed it on Delete and List.
    • Enhanced the Security Considerations section.

From I-D rev 03 to rev 04:

...