UMA Release Notes
...
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
The following key shorthand terms and abbreviations are used in this document:
- AS: authorization server
- RS: resource server
- Core: UMA Core specification
- RSR: OAuth Resource Set Registration specification
- I-D: IETF Internet-Draft specification
- Sec: section
...
...
Previously, little was said about the privacy implications of requesting party claims being transmitted to the AS. Now this section has been greatly expanded. (211) (Core Sec 8.2)
Changes Affecting Resource Server (+Client) Implementations
Following are specification changes in V1.0.1 that affect resource servers, and possibly clients that interact with them as well.
Caveat About
...
Resource Server API Constraint
Previously, the specification was missing an important caveat: based on a client's initial RPT-free resource request, the RS needs to know the correct AS, PAT, and resource set ID to include in its follow-on call to the permission request endpoint at the AS. Thus, the API of the RS needs to be structured so that it can derive this information from the client's request alone. Now this caveat appears in several locations. (161, 162, 225)
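The constraint above is easier to see in code. The following is an added example, not code from the UMA specifications or from any Kantara implementation: a resource server keeps its own registry of which URL prefixes it registered with which AS (and under which resource set ID), and resolves that registration from nothing but the request path, so the client cannot steer the RS toward a different AS or PAT. The registry contents, the path-prefix scheme, the method-to-scope mapping and the PAT placeholders are all constructed for the example; the permission request body shape (`resource_set_id` plus `scopes`) follows UMA Core's permission registration request as this editor recalls it and should be checked against the Core text.

```python
"""Added example (not from the UMA spec): deriving AS, PAT and resource set ID
for the follow-on permission request from the client's own resource request."""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Registration:
    """What the RS recorded when it registered a resource set with an AS."""
    as_uri: str           # AS base URI (constructed value for this example)
    pat_ref: str          # reference into the RS's secret store, not the PAT itself
    resource_set_id: str  # ID the AS assigned at registration time
    scopes: frozenset     # scopes the RS registered for this resource set


# Constructed registry: URL path prefix -> registration. A real RS keeps this
# in its own database, populated from its actual registrations.
REGISTRY = {
    "/photos/alice/": Registration("https://as-a.example", "pat:alice",
                                   "rsid-1001", frozenset({"view", "edit"})),
    "/docs/bob/":     Registration("https://as-b.example", "pat:bob",
                                   "rsid-2002", frozenset({"view"})),
}

# Assumed mapping from HTTP method to scope; the scope names are constructed.
METHOD_SCOPE = {"GET": "view", "HEAD": "view",
                "PUT": "edit", "POST": "edit", "DELETE": "edit"}


def resolve(path: str) -> Optional[Registration]:
    """Find the registration purely from the request path (longest prefix wins).
    No header or query parameter supplied by the client is consulted, so the
    client cannot influence which AS or PAT the RS uses."""
    clean = urlsplit(path).path  # discard any query string or fragment
    best = None
    for prefix, reg in REGISTRY.items():
        if clean.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, reg)
    return best[1] if best else None


def build_permission_request(method: str, path: str, secrets: dict) -> Optional[dict]:
    """Assemble the RS's follow-on call to the AS permission endpoint: where to
    send it, which PAT authorizes it, and which resource set and scope it asks
    for. Returns None when the path is not a registered resource set or the
    method maps to a scope the RS never registered (the RS should then answer
    the client with an ordinary error rather than mint a bogus request)."""
    reg = resolve(path)
    scope = METHOD_SCOPE.get(method.upper())
    if reg is None or scope is None or scope not in reg.scopes:
        return None
    return {
        "as_uri": reg.as_uri,
        "headers": {"Authorization": "Bearer " + secrets[reg.pat_ref],
                    "Content-Type": "application/json"},
        "body": json.dumps({"resource_set_id": reg.resource_set_id,
                            "scopes": [scope]}),
    }


if __name__ == "__main__":
    # Constructed secret store; real PATs live in protected storage.
    SECRETS = {"pat:alice": "PAT-PLACEHOLDER-A", "pat:bob": "PAT-PLACEHOLDER-B"}
    print(build_permission_request("GET", "/photos/alice/cat.jpg?size=large", SECRETS))
```

The design point is that the path-to-registration lookup is the only input to the decision; if an RS instead let the client name the resource set ID or the AS (in a header, say), a client could point the RS at an AS it never registered with, or make it spend a PAT on the wrong resource set.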
...
Previously, the security considerations around accepting policy-setting context information from an incompletely trusted AS were not covered. Now they cover the user_access_policy_uri property, which is the only policy-setting context information passed from AS to RS. (185) (RSR Sec 4)
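As an added illustration of that consideration (example code written here, not taken from the RSR specification or any UMA implementation): an RS that later shows or links a user to the user_access_policy_uri it received from an AS should treat the value as untrusted input from that AS. The acceptance rule below (https only, host equal to the AS's own host, no embedded credentials) is an assumed hardening chosen for the example, not a rule quoted from RSR Sec 4; the AS URI and response JSON are constructed.

```python
"""Added example (not from the RSR spec): validating user_access_policy_uri
from a resource set registration response before the RS uses it."""
import json
from typing import Optional
from urllib.parse import urlsplit


def accept_policy_uri(as_uri: str, candidate) -> Optional[str]:
    """Return the URI if it is safe for the RS to present to a user, else None.
    Assumed policy: must be a string, https, on the AS's own host, and carry
    no userinfo (so 'https://as.example@evil.example/' is rejected)."""
    if not isinstance(candidate, str):
        return None
    c = urlsplit(candidate)
    a = urlsplit(as_uri)
    if c.scheme != "https":
        return None
    if c.username or c.password:
        return None
    if not c.hostname or c.hostname.lower() != (a.hostname or "").lower():
        return None
    return candidate


def policy_uri_from_registration(as_uri: str, response_body: str) -> Optional[str]:
    """Parse a registration response (constructed JSON) and apply the check.
    A missing or rejected property yields None; the RS then simply does not
    offer a policy link rather than failing the registration."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return None
    return accept_policy_uri(as_uri, data.get("user_access_policy_uri"))


if __name__ == "__main__":
    AS = "https://as.example"
    # Constructed registration response; the field name is the one the
    # release notes cite, the values are placeholders.
    ok = '{"_id": "rsid-placeholder", "user_access_policy_uri": "https://as.example/rs/policy/rsid-placeholder"}'
    bad = '{"_id": "rsid-placeholder", "user_access_policy_uri": "https://as.example@evil.example/login"}'
    print(policy_uri_from_registration(AS, ok), policy_uri_from_registration(AS, bad))
```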
Specification Reorganizations
The specifications, particularly Core Sec 3, were reorganized in the fashion of OpenID Connect, with the goal of giving a subsection to every request and response message. Other notable changes include:
...
Following is a catalog of notable changes to the specifications in the pre-V1.0 timeframe.
Core Changes
Internet-Draft Rev 11 to Rev 12
...