...
- The resolution to issue #19 involved a breaking change in the 2 Feb 2012 rev. The XRD-formatted AM metadata residing at /.well-known/host-meta is now JSON-formatted metadata residing at /.well-known/uma-configuration.
- The requester access token has been split into two tokens, and all of the tokens have been renamed. The host access token is now the PAT. The requester access token used at the AM's API is now the AAT, and consists of vanilla OAuth. The requester access token used at the host is now the RPT. The AAT does not use the client_credentials flow, as previously required, but rather typically uses the authorization_code flow.
- The token and user authorization endpoints for the different APIs at the AM have been joined together, and are now distinguished through the "protection" scope (for the protection API) and the "authorization" scope (for the authorization API).
- The token status description format and JSON media type, and the RPT/permission delivery response, have been updated to reflect the RPT naming.
- The configuration data format has changed to reflect all the changes above.
- The Phase 2/3 flow has changed and been simplified to match the requirements of the new AAT and RPT.
- The requester now asks for permission in a back-channel interaction, and the AM now produces a need_claims error that instructs the requester to use a redirect-based claims-gathering flow (renamed from "authorization flow").
Other recent changes of note that do not affect implementations:
- Token types are now called token profiles, claim types are now called claim profiles, and these changes are reflected in the configuration parameter names.
- The token and claim profiles defined in this spec now have their own subsections that appear in the TOC for easier reference.