...
- Breaking changes:
- Section 1.3: TLS as defined and (mostly) required in OAuth (RFC 6749) is now a MUST in UMA for AS endpoints.
- Breaking changes:
- (Technically breaking, but not expected to have a large impact:) TLS/HTTPS is now mandatory for the AS to implement in its protection and authorization APIs.
- Other changes of note:
- It is no longer required for the client to redirect a human requesting party to the AS for the claims-gathering process.
- A new claims profiling framework (now in a separate spec) describes how to leverage one of several common patterns for claims-gathering: the client redirects the requesting party to the AS, or the client pushes claims to the AS.
- A new framework for API extensibility, and a matching series of extensibility profiles, appears in the core spec. It enables tighter coupling between the AS and RS, AS and client, and RS and client, respectively, but only in a controlled manner to foster greater interoperability in such circumstances.
- The SHOULD for the usage of the SAML bearer token profile for PAT issuance is now just a MAY.
- In Section 4.2, the example was corrected to remove a wayward "status" : "error" property.
- Clarified that no request message body is expected when the client uses the RPT endpoint at the AS.
- Added a success example in Section 3.4.2 showing how authorization data is added and the RPT is simultaneously refreshed, a new capability.
...