...

Step

...

1:

...

User

...

registers

...

host

...

at

...

AM

...

In

...

order

...

for

...

a

...

host

...

to

...

be

...

able

...

to

...

delegate

...

authorization

...

to

...

an

...

authorization

...

manager

...

the

...

authorizing

...

user

...

must

...

introduce

...

the

...

host

...

to

...

the

...

AM.

...

The

...

result

...

of

...

this

...

step

...

is

...

the

...

following:

...

1. The

...

1. host

...

1. received

...

1. metadata

...

1. of

...

1. the

...

1. AM

...

1. like

...

1. OAuth

...

1. 2.0

...

1. endpoints

...

2. The

...

1. host

...

1. received

...

1. an

...

1. OAuth

...

1. access

...

1. token

...

1. in

...

1. order

...

1. to

...

1. verify

...

1. requester

...

1. access

...

1. tokens

...

1. in

...

1. step

...

1. 3

...

1. and

...

1. as

...

1. a

...

1. representation

...

1. of

...

1. the

...

1. user's

...

1. decision

...

1. to

...

2. The

...

1. AM

...

1. received

...

1. a

...

1. list

...

1. of

...

1. protected

...

1. resources

...

1. on

...

1. the

...

1. host

...

1. it

...

1. is

...

1. supposed

...

1. to

...

1. authorize

...

1. on

...

1. behalf

...

1. of

...

1. the

...

1. user.

...

The

...

following

...

sub

...

steps

...

are

...

performed

...

in

...

order

...

to

...

fulfill

...

these

...

requirements:

...

1. The

...

1. host

...

1. looks

...

1. up

...

1. the

...

1. authorization

...

1. manager

...

1. metadata

...

1. and

...

1. learns

...

1. about

...

1. API

...

1. endpoints

...

1. and

...

1. formats

...

1. supported

...

1. by

...

1. the

...

1. AM

...

2. The

...

1. host

...

1. obtains

...

1. OAuth

...

1. client

...

1. credentials

...

1. and

...

1. a

...

1. the

...

1. location

...

1. of

...

1. the

...

1. resource

...

1. registration

...

1. API

...

1. from

...

1. the

...

1. authorization

...

1. manager.

...

2. The

...

1. host

...

1. obtains

...

1. an

...

1. access

...

1. token

...

1. from

...

1. the

...

1. authorization

...

1. manager

...

1. by

...

1. following

...

1. the

...

1. OAuth

...

1. 2.0

...

1. web

...

1. server

...

1. flow.

...

2. The

...

1. host

...

1. registers

...

1. the

...

1. authorization

...

1. user's

...

1. resources

...

1. with

...

1. the

...

1. AM

...

1. by

...

1. using

...

1. the

...

1. resource

...

1. registration

...

1. API.

...

:=} *

Note
title	TODOs/Issues
Host and AM can both decide if they work with the other side * AM can refuse client id/secret. Needs error conditions * How can the Host trust the AM? There are trust frameworks around for that these days * no big difference between RRAPI to be in hostmeta or provisioned in step 2. Needs more input to get decision * step 2 might be a separate specification. * maybe in this specification the server can put in additional data specific to some namespace. Example: {code} Code Block { 'client_id' : '72z81uhbjhssd867e', 'client_secret' : 'test123', 'expires_in' : 3600, 'http://uma/am/resource_registration_uri' : 'http://....', {code} * format of RRAPI format of RRAPI (resource registration API) still open. Needs to get discussed with step 2. * maybe not all resources are listed (every tweet?) but maybe "tagged 'important'", "folder x" etc. How are they identified? Maybe about scopes/uri parameters? * should the host be able to define claims upfront? {note} h2. host looks up the authorization manager metadata The very first step for the host is to lookup the metadata of the authorization manager. There are many possible ways for the authorizing user to provide the location of the authorization manager or it might be discovered by the host. The exact process is beyond the scope of this specification and it is up to the host to choose a method. For example it could simply ask for the URL of the AM or it could be contained on a physical magnetic-stripe card. From the data provided or discovered the host then has to retrieve the hostmeta document as described in section 2 of \[[hostmeta|#hostmeta]. For example if the user gave

host looks up the authorization manager metadata

The very first step for the host is to lookup the metadata of the authorization manager. There are many possible ways for the authorizing user to provide the location of the authorization manager or it might be discovered by the host. The exact process is beyond the scope of this specification and it is up to the host to choose a method. For example it could simply ask for the URL of the AM or it could be contained on a physical magnetic-stripe card.

From the data provided or discovered the host then has to retrieve the hostmeta document as described in section 2 of [hostmeta.

For example if the user gave "am.example.com"

...

as

...

the

...

authorization

...

manager's

...

domain

...

then

...

the

...

host

...

would

...

create

...

the

...

URL

...

"https://am.example.com/.well-known/host-meta"

...

and

...

perform

...

a

...

GET

...

request

...

on

...

it.

...

The

...

authorization

...

manager

...

MUST

...

provide

...

a

...

XRD

...

1.0

...

formatted

...

document

...

at

...

the

...

hostmeta

...

location

...

where

...

it

...

has

...

to

...

document

...

the

...

the

...

following:

...

• One

...

• set

...

• of

...

• OAuth

...

• 2.0

...

• URI

...

• endpoints

...

• for

...

• the

...

• host

...

• to

...

• use

...

• One

...

• set

...

• of

...

• OAuth

...

• 2.0

...

• URI

...

• endpoints

...

• for

...

• any

...

• requester

...

• to

...

• use

...

• The

...

• location

...

• of

...

• the

...

• token

...

• verification

...

• API

...

• for

...

• the

...

• host

...

• to

...

• verify

...

• access

...

• tokens

...

• received

...

• from

...

• a

...

• requester

...

• in

...

• step

...

• 3.

...

• (The

...

• format

...

• of

...

• the

...

• access

...

• tokens

...

• to

...

• use)

...

• (The

...

• format

...

• of

...

• the

...

• claims

...

• formats

...

• the

...

• AM

...

• can

...

• generate)

...

The Property elements SHOULD be present in the hostmeta document:

Link relationships for the OAuth 2.0

...

endpoints

...

for

...

the

...

host:

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Link

...

relationships

...

for

...

the

...

OAuth

...

2.0

...

endpoints

...

for

...

the

...

requester:

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Example XRD document

<!-- Applies to both hosts and requesters -->
<Property 
    type="http://kantarainitiative.org/confluence/display/uma/token_formats">
       saml
</Property>
<Property 
    type="http://kantarainitiative.org/confluence/display/uma/claim_formats">
       json
</Property>

<!-- Host "authorization API" -->
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_token_uri"
      href="https://am.example.com/host/token_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_user_uri"
      href="https://am.example.com/host/user_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_token_validation_uri"
      href="https://am.example.com/host/token_validation_uri"></Link>

<!-- Requester token-getting endpoints -->
<Link rel="http://kantarainitiative.org/confluence/display/uma/req_token_uri"
      href="https://am.example.com/requester/token_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/req_user_uri"
      href="https://am.example.com/requester/user_uri"></Link>
{code}


h2. The host obtains OAuth client credentials and the location of the resource registration API from the authorization manager


In order for the host to initiate an OAuth flow to retrieve an access token for the resource registration API and the token verification API, it needs to have a client identifier and optionally a client secret. How this is transferred is beyond the scope of the OAuth specification and usually a manual process of preregistration and transferring this information is used.

In this step the host is the OAuth client and the authorization manager is the OAuth authorization server. For User Managed access the authorization server MUST provide the client identifier, an OPTIONAL client secret and the URI of the resource registration API which can be individual for each client. 

{note}
Should we really use a different name for the AM vs. AS? It can be confusing as we see here.
{note} 

In order to also allow for dynamic binding of a host and authorization manager, this specification also defines a protocol for dynamic and automatic client registration for OAuth.

h3. Dynamic binding of OAuth clients


{note}
It probably really should be a separate specification
{note}


h4. Terminology

Dynamic binding will be explained in OAuth terminology, using client and authorization server as the parties involved in the process. 

Moreover the following terminology is used:

*client registration endpoint:* This is the URI defining the location of the client registration API. This is used by the client to send the required data for obtaining a client identifier and additional information

h4. Discovery of client registration endpoint

In order for the client to obtain the URI of the client registration endpoint the authorization server MUST provide a hostmeta document containing a {{Link}} element with rel-value {{

The host obtains OAuth client credentials and the location of the resource registration API from the authorization manager

In order for the host to initiate an OAuth flow to retrieve an access token for the resource registration API and the token verification API, it needs to have a client identifier and optionally a client secret. How this is transferred is beyond the scope of the OAuth specification and usually a manual process of preregistration and transferring this information is used.

In this step the host is the OAuth client and the authorization manager is the OAuth authorization server. For User Managed access the authorization server MUST provide the client identifier, an OPTIONAL client secret and the URI of the resource registration API which can be individual for each client.

In order to also allow for dynamic binding of a host and authorization manager, this specification also defines a protocol for dynamic and automatic client registration for OAuth.

Dynamic binding of OAuth clients

Terminology

Dynamic binding will be explained in OAuth terminology, using client and authorization server as the parties involved in the process.

Moreover the following terminology is used:

client registration endpoint: This is the URI defining the location of the client registration API. This is used by the client to send the required data for obtaining a client identifier and additional information

Discovery of client registration endpoint

In order for the client to obtain the URI of the client registration endpoint the authorization server MUST provide a hostmeta document containing a Link element with rel-value http://kantarainitiative.org/uma/client_registration_uri

...

.

Overview

The dynamic client registration process works as follows:

1. The client send it's name and description as well as an optional image to the client registration endpoint
2. the authorization server checks the data and returns a JSON formatted document containing a client identifier, optional client secret and optionally additional information

The client registration flow

The client sends a client descriptor to the authorization server

The client creates a JSON document with the following keys/value pairs:

• the name of the client in the key name
• the URL to the service in the key name
• a short description of the client in the key description
• OPTIONAL: the URI to an icon representing the client in the key icon

An example client descriptor might look like follows:

{
    name : 'A wonderful image hoster',
    url: 'http://wonderfulimagehoster.com',
    description : 'as the name implies',
    icon: 'http://wonderfulimagehoster.com/logo.png'
}
{code}

The

...

client

...

then

...

performs

...

a

...

POST

...

request

...

to

...

the

...

client

...

registration

...

endpoint

...

using

...

application/json

...

as

...

content

...

type

...

and

...

sending

...

the

...

client

...

descriptor

...

in

...

the

...

body

...

of

...

the

...

message.

...

The

...

authorization

...

server

...

sends

...

a

...

response

...

containing

...

the

...

client

...

credentials

...

The

...

authorization

...

server

...

can

...

check

...

the

...

client

...

descriptor

...

as

...

it

...

requires

...

and

...

will

...

then

...

send

...

either

...

a

...

success

...

or

...

an

...

error

...

response.

...

The

...

success

...

response

...

is

...

a

...

JSON

...

document

...

consisting

...

of

...

a

...

REQUIRED

...

client

...

identifier

...

in

...

the

...

field

...

client_id

...

and

...

an

...

optional

...

matching

...

secret

...

in

...

the

...

field

...

client_secret

...

.

...

An

...

example

...

response

...

might

...

look

...

like

...

this:

...

}

Code Block
{ client_id : 'AGSD)=bjchdb