Versions Compared

Old Version 6

changes.mady.by.user Eve Maler

Saved on

compared with

New Version Current

changes.mady.by.user Eve Maler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

UMA1 Interop Features and Feature Tests

...

NOTE: This page is very much in-progress. The full draft set of features and feature tests is attached.

The features and

Main UMA1 Interop Testing page | Participants and Solutions | Results

Table of Contents
maxLevel4
minLevel2

The feature tests provided below are historical. We are redesigning them in light of feedback from the OpenID Connect interop and conformance testing process and Roland Hedberg's UMA test suite implementation process. The tests below may be inaccurate with respect to UMA V1.0 Candidate specs, as they date from the pre-V0.9 era.

...

These feature tests relate exclusively to the core protocol specspecification, any other normatively referenced specstechnical specifications, and the software components entities that serve as protocol endpoints implementing these specifications. None relate to the Binding Obligations document specification because this document that spec describes expected behaviors of operators and users of these endpoints, which makes them untestable for the purposes of an interop.

...

AS makes available its configuration data in the correct form at the correct location. Supporting clauses:

  • Core Sec 1.4: "The authorization server MUST provide configuration data in a JSON [RFC4627] document that resides in an /uma-configuration directory at at its hostmeta [hostmeta] location."
  • Core Sec 1.4: "Authorization server configuration data MAY contain extension properties that are not defined in this specification."
  • Core Sec 1.4: "All endpoint URIs SHOULD require the use of a transport-layer security mechanism such as TLS. The authorization server MUST declare all of its endpoints in its configuration data (see Section 1.4)."
  • (Also all the REQUIREDs/MUSTs and MAYs appearing in Core Sec 1.4 regarding the JSON format for AM configuration data.)
  • RSR Sec 1.3: "If the authorization server declares its endpoints and any other configuration data in a machine-readable form, for example [OAuth-linktypes] or [OAuth-meta], it SHOULD convey its resource set registration endpoint in this fashion as well."

...

 Feature tests are marked as either required (req) or optional (opt) based on the optionality of the underlying spec clauses they're derived from, where req is for all testable MUST/REQUIRED clauses and opt is for all other testable clauses. We have not yet defined what "full conformance" means in any formal sense. (A few untestable clauses do appear in the technical specifications.)

A feature test identifier has three parts, separated by hyphens. Every identifier starts with FT. The second part indicates the software entity being tested: AS, RS, or C. The third part, which may have embedded hyphens, describes the nature of the test. The supporting clauses in the technical specifications have been classified using feature "tags". The tests are grouped under primary feature tags for ease of test result reporting.

Feature tests for "config"

Machine-readability of entity capabilities and constraints. 

AS supports generating dynamic client credentials and RS and client support getting them. Supporting clauses:

  • Core Sec 1.4: "dynamic_client_endpoint - OPTIONAL. The endpoint to use for performing dynamic client registration. Usage is defined by [DynClientReg]. The presence of this property indicates authorization server support for the dynamic client registration feature and its absent indicates a lack of support."
  • Core Sec 2: "It is OPTIONAL for the client credentials to be provided dynamically through [DynClientReg]); alternatively, they MAY use a static process."
Issues: Typo in Core Sec 1.4: s/absent/absence/
IDreq/optDescriptionSuccess
FT-as-config-datareqASAS provides configuration data that conforms to specified formatformats and provides all required properties and values.

Data conforms

to format requirementsFails

and is complete

 

FT-as-config-

endpts

endpt

optASreqAS makes config data available through SSL/TLS-protected URL https://as_uri/.well-known/uma-configuration.AS config data endpoint uses https: scheme and RS or client is able to validate AS's certificateFailswith specific URL form, with a valid certificate
FT-rs-get-config-datareqRSoptRS successfully accesses and parses AS config data properties it needs at http://\{as_uri}/.well-known/uma-configuration or https://\{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the client RS and including handling of non-understood extension properties.RS successfully accesses and parses AS config dataFails
FT-c-get-config-datareqCoptClient successfully accesses and parses AS config data properties it needs at http://\{as_uri}/.well-known/uma-configuration or https://\{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the RS client and including handling of non-understood extension properties.Client successfully accesses and parses AS config dataFailsF-dyn-client-regopt


Feature tests for "dynreg"

Client registration of resource servers (which are clients of the AS's protection API) and clients of resource servers (which are also clients of the AS's authorization API) at run time when services have not "met" before a resource owner or requesting party forces the issue.

IDreq/optDescriptionSuccess
FT-as-dyn-client-regoptASAS config data "dynamic_client_endpoint" property is non-nullAS config data "dynamic_client_endpoint" property has a valid URL value for a DynClientReg endpointFailsprovides a URI valueProperty has a URI provided
FT-rs-get-dyn-client-credsoptRSRS interacts with AS to request and receive client credentials dynamicallyRS gets client credentials dynamicallyFails
FT-c-get-dyn-client-credsoptC C interacts with AS to request and receive client credentials dynamicallyC gets client credentials dynamicallyFails
         

Historical supporting clauses:

F-pat:

  • Sec 1.5: "oauth_token_profiles_supported REQUIRED. …. The AM is REQUIRED to support this profile, and to supply this string value explicitly. The AM MAY declare its support for additional access token profiles by providing a unique absolute URI in a string value in the array for each one." (This profile being the bearer token profile.)
  • Sec 1.5: "oauth_grant_types_supported REQUIRED. …. Each string value MUST be one of the grant_type values defined in [OAuth2], or alternatively an extension grant type indicated by a unique absolute URI."
  • Sec 1.5: "token_endpoint REQUIRED."
  • Sec 1.5: "user_endpoint REQUIRED."
  • Sec 2.3: "The host MUST use OAuth 2.0 [OAuth2] to obtain the protection API token."
  • Sec 1.3: "The AM presents the following endpoints to the host as part of its protection API; these endpoints are OAuth-protected and require a PAT for access, for which the "protection" OAuth scope is required…"
  • Sec 1.5: "resource_set_registration_endpoint REQUIRED. …. A PAT MUST accompany requests to this protected endpoint."
  • Sec 2.4.3: "The host MUST use its valid PAT obtained previously to gain access to this endpoint." (This endpoint being resource_set_registration_endpoint.)
  • Sec 3.2: "The host registers the permission using the POST method at the AM's permission registration endpoint, providing its PAT to get access to this endpoint."

F-aat:

  • Sec 1.3: "The AM presents the following endpoints to the host as part of its protection API; these endpoints are OAuth-protected and require a PAT for access, for which the "protection" OAuth scope is required…"
  • Sec 1.5: "resource_set_registration_endpoint REQUIRED. …. A PAT MUST accompany requests to this protected endpoint."
  • Sec 2.4.3: "The host MUST use its valid PAT obtained previously to gain access to this endpoint." (This endpoint being resource_set_registration_endpoint.)
  • Sec 3.2: "The host registers the permission using the POST method at the AM's permission registration endpoint, providing its PAT to get access to this endpoint."
  • Sec 1.3: "The AM presents the following endpoint to the requester as part of its authorization API; this endpoint is OAuth-protected and requires an AAT for access, for which the "authorization" OAuth scope is required…"
  • Sec 3.4.4: "The requester performs a POST on the RPT endpoint, supplying its own AAT in the header in order to gain access to the RPT endpoint."

F-rset-reg:

  • Sec 2.4 intro: "Once the host has received a PAT, for any of the user's sets of resources that are to be protected by this AM, it MUST register these resource sets at the AM's registration endpoint."
  • Sec 2.4.1: "Scope description documents MUST be accessible to AMs through GET calls made to these URI references" (These being scope URI references.) 
  • Sec 2.4.3: "The AM MUST present an API for registering resource set descriptions at a set of URIs with the structure "{rsreguri}/resource_set/{rsid}", where the PAT provides sufficient context to distinguish between identical resource set identifiers assigned by different hosts."
  • Sec 2.4.3: "Following is a summary of the five registration operations the AM is REQUIRED to support…"
  • Sec 2.4.3: "If the request to the resource set registration endpoint is incorrect, then the AM responds with an error message (see Section 4.2) by including one of the following error codes with the response…"
  • Sec 2.4.3.1: "On successfully registering a resource set, the host MUST use UMA mechanisms to limit access to any resources corresponding to this resource set, relying on the AM to supply currently valid permissions for authorized access."
  • Sec 2.4.3.1: "On successful registration, the AM MAY return a redirect policy URI to the host in a property with the name "policy_uri"."
  • Sec 2.4.3.3: "On successful update, the AM MAY return a redirect policy URI to the host in a property with the name "policy_uri"."
  • Sec 2.4.1: "Scope descriptions MAY contain extension properties that are not defined in this specification."
  • Sec 2.4.1: "A host MUST list a resource set's available scopes using URI references (as defined in Section 2.4.2). The scopes available for use at any one host MUST have unique URI references so that the host's scope descriptions are uniquely distinguishable. A scope URI reference MAY include a fragment identifier. Scope descriptions MAY reside anywhere."
  • Sec 2.4.2: "Resource set descriptions MAY contain extension properties that are not defined in this specification."
  • Sec 2.4.2: "The AM SHOULD use the scope names and any icons defined as part of the referenced scopes in its user interface to assist the user in setting policies for protecting this resource set."
  • Sec 2.4.2: "When a host creates or updates a resource set description (see Section 2.4.3), the AM MUST attempt to retrieve the referenced scope descriptions. It MAY cache such descriptions as long as indicated in the HTTP cache-control header for the scope description resource unless the resource set description is subsequently updated within the validity period. At the beginning of an authorizing user's login session at the AM, the AM MUST attempt to re-retrieve scope descriptions applying to that user whose cached versions have expired."

  

Feature tests for "pat"

 "Protection of the protection API" at the authorization server, and the association made between the authorization server, resource server, and resource owner as a result of protection API token (PAT) issuance.

IDreq/optDescriptionSuccess
FT-rs-get-patreqAS issues PAT to RS using OAuth authorization_code grant flow and request for protection API scopeAS issues PAT to RS IFF RS engages correctly
FT-as-require-patreqAS requires OAuth clients of protection API (definitionally, RSs) to present valid OAuth access tokens with protection API scope in order to use endpointsAS allows RSs to make protection API calls IFF they present protection API scope
FT-rs-use-patreqRS presents valid OAuth access token with protection API scope when making calls to all protection API endpointsRS presents PAT to all protection API endpoints

Feature tests for "aat"

"Protection of the authorization API" at the authorization server, and the association made between the authorization server, client, and requesting party as a result of authorization API token (AAT) issuance.

IDreq/optDescriptionSuccess
FT-c-get-aatreqAS issues AAT to Client given OAuth authorization_code grant flow and request for authorization API scopeAS issues AAT to client IFF client engages correctly
FT-as-require-aatreqAS requires OAuth clients of authorization API (definitionally, Clients) to present valid OAuth access tokens with authorization API scope in order to use endpointsAS allows Client to make authorization API calls IFF they present authorization API scope
FT-c-use-aatreqClient presents valid OAuth access token with authorization API scope when making calls to all authorization API endpointsClient presents AAT to all authorization API endpoints

Feature tests for "protapi"

RS-AS communication through the protection API and its various endpoints.

IDreq/optDescriptionSuccess
FT-as-rsrreqAS presents all of the following methods at a resource set registration endpoint of form rsreguri/resource_set/rsid, and treats others as unsupported: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions.RS able to use all elements of resource set registration API
FT-rs-rsrreqRS uses: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions. RS links to well-formed scope descriptions and provides well-formed resource set descriptions.RS uses all elements of resource set registration API and scope and resource set description formats correctly
FT-as-rsr-errorreqAS issues errors for resource set registration error conditions, including unsupported_method_type, not_found, and precondition_failed.AS issues resource set registration API errors for error conditions
FT-as-rsr-scope-extreqIf a scope description contains extension properties, the AS proceeds normally in handling the scope description.AS does not produce an error on encountering extension properties in scope description
FT-as-introspectreqAS presents the token introspection endpoint, supporting only the POST method.RS able to use token introspection endpoint
FT-rs-introspectreqRS presents a valid RPT at AS's token introspection endpoint to get token's status.RS gets well-formed RPT status
FT-as-reg-permreqAS presents a permission registration endpoint that enables RS to register permission associated with correct resource owner, resource set, and scopes, and returns securely random permission ticket in response to RS registration of requested permission.AS returns permission ticket that is securely random
FT-rs-reg-permreqRS presents a valid PAT, and valid previously registered resource set and scope information, at AS's permission registration endpoint to register a requested permission that is relevant for the type of access attempted by client.RS registers requested permission

 

Feature tests for "authzapi"

C-AS communication through the authorization API and its various endpoints.

IDreq/optRoleDescriptionSuccess
FT-as-rptreqASAS presents the RPT endpoint and AS issues RPT in response to client's request for an RPT at the correct endpoint with a valid AAT.Client able to get RPT using endpoint
FT-c-rptreqCClient presents valid AAT at AS's RPT endpoint to get RPT.Client gets new or refreshed RPT
FT-c-authz-datareqCClient presents valid AAT, valid RPT, and permission ticket at AS's authorization endpoint to POST request that authorization data be associated with RPT.Client receives back normal success or error message
FT-as-authz-data-denyreqASAS determines that the client should not get authorization data, and returns either an invalid_ticket error, an expired_ticket error, or a not_authorized_permission error.AS returns one of the errors
FT-as-authz-data-givereqASAS associates new authorization data with the RPT that the client presented and responds with success.AS adds authorization data and responds with success
FT-as-need-claimsreqASAS indicates it needs requesting party claims to considering adding permission to "bearer" profile RPT.AS responds to the client with a need_claims error

Feature tests for "access"

C-RS communication through the UMA-protected resource interface for the purpose of attempting and granting or denying access.

IDreq/optRoleDescriptionSuccess
FT-rs-no-rptreqRSRS responds to client not bearing an RPT with HTTP 401 and correct as_uri corresponding to AS protecting the resource to which access was attempted.RS responds with HTTP 401 and as_uri
FT-rs-invalid-rptreqRSRS responds to client bearing an invalid RPT with HTTP 401 and correct as_uri corresponding to AS protecting the resource to which access was attempted.RS responds with HTTP 401 and as_uri
FT-c-rptreqCC requests access to a resource by providing a correctly formed and located RPT. 
FT-rs-insufficient-permreqRSRS responds to client bearing a valid "bearer" profile RPT that has insufficient permissions with HTTP 403, as_uri, and permission ticket corresponding to resource for which access was attempted. NOTE: Conducting this test depends on RS-specific API and scope details.RS responds with HTTP 403, as_uri, and permission ticket
FT-rs-respect-authzreqRSRS limits access to resource that is currently under protection at an AS for which a valid RPT with valid authorization data has not been presented by a client. NOTE: Conducting this test depends on RS-specific API and scope details.RS blocks and grants client's access according to RPT's current status

Feature tests for "claims"

TBS.