Versions Compared

Old Version 1

changes.mady.by.user Eve Maler

Saved on

compared with

New Version 2

changes.mady.by.user Eve Maler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

UMA Release Notes

Abstract 

...

Following are specification changes in V1.0.1 that affect authorization servers, and possibly clients that interact with them as well (, denoted with (+Client)) in the title.

AS Now Has Unique Redirect URI Endpoint for Claims Gathering (+Client)

Previously, the client was instructed to present the ordinary OAuth redirect_uri endpoint to which the AS should redirect requesting parties back after claims gathering, but this was ambiguously specified and incorrect. Now the client has a unique endpoint, claims_redirect_uri, that it needs to register. (144)

Permission Ticket Lifecycle Management (+Client)

Previously, little guidance was offered on how to manage permission tickets. Now some implications are explored, particularly as they relate to client interaction. (172) (Core Sec 3.2.2)

Requested Permission and Permission Ticket Matching

Previously, the matching of the "extents of access" of the requested permission registered by the RS and the permission ticket issued by the AS was implicit. Now it is spelled out. (175) (Core Sec 3.2)

New and Changed Security Considerations

Previously, the security considerations around accepting policy-setting context information from an incompletely trusted RS only covered "bad icon URIs". Now they cover all such policy-setting context information, following roughly the OAuth example. (151) (RSR Sec 4)

Previously, the security considerations around client-pushed claims were explored only in a very cursory fashion in the body of the text. Now they are treated at length in a new subsection. (160) (Core Sec 7.4.1)

Changes Affecting Resource Server (and Client) Implementations

Following are specification changes in V1.0.1 that affect resource servers, and possibly clients that interact with them as well (, denoted with (+Client)). in the title.

New and Changed Security Considerations

Previously, the security considerations around accepting policy-setting context information from an incompletely trusted AS were not covered. Now they cover the user_access_policy_uri, which is the only policy-setting context information passed from AS to RS. (185) (RSR Sec 4)

...