Versions Compared

UMA Release Notes

...

The UMA V1.0 specifications (Core, RSR) were approved in March 2015. The UMA V1.0.1 specifications (Core, RSR) are currently (September 2015) in draft form; the Work Group's goal is to see their finalization by the end of 2015. The following release notes are therefore also in draft form. They are catalogued according to their impact on software entity implementations (where impact on client software in addition to authorization server or resource server software is denoted with (+Client) in the section title). Links to relevant GitHub issues and specific section numbers are provided where possible, enabling old-to-new text comparisons and tracking of discussions and rationales.

The following themes animated the V1.0.1 release process:

...

Following are specification changes in V1.0.1 that affect authorization servers, and possibly clients that interact with them as well (denoted with (+Client) in the title).

AS Now Has Unique Redirect URI Endpoint for Claims Gathering (+Client)

...

Previously, little was said about privacy implications of requesting party claims being transmitted to the AS. Now this section has been greatly expanded. (211) (Core Sec 8.2)

Changes Affecting Resource Server (+Client) Implementations

Following are specification changes in V1.0.1 that affect resource servers, and possibly clients that interact with them as well (denoted with (+Client) in the title).

Caveat About Protected Resource API Constraint

...

Previously, the security considerations around accepting policy-setting context information from an incompletely trusted AS were not covered. Now they cover the user_access_policy_uri property, which is the only policy-setting context information passed from AS to RS. (185) (RSR Sec 4)

Specification Reorganizations

The specifications, particularly Core Sec 3, were reorganized in the fashion of OpenID Connect, with the goal of giving a subsection to every request and response message. Other notable changes include:

  • Several “commentary” subsections were added, such as Core Sec 3.2.2 discussing permission ticket creation and management, and RSR Sec 2.1.2 discussing scope interpretation.
  • A new section, Core Sec 9.2, registers the permissions property in the new OAuth token introspection IANA registry (this is in addition to its registration in the JWT claims registry).
  • Core Sec 7.4.1 breaks out the new, more extensive security considerations discussion of pushed claims.
  • Core Sec 8 now has subsections to make privacy considerations easier to find and understand.

Original V1.0 sections (black) are presented in Table of Contents order, mapped to their corresponding draft V1.0.1 sections (green). Where a V1.0.1 section or block of sections is repeated, it redistributes material previously appearing in the V1.0 sections. (links tbd)

Core Specification Reorganization

Found in Core V1.0 → Find in Core draft V1.0.1

V1.0:    1. Introduction
         1.1. Notational Conventions
         1.2. Terminology
         1.3. Achieving Distributed Access Control
         1.3.1. Protection API
         1.3.2. Authorization API
         1.3.3. Protected Resource Interface
         1.3.4. Time-to-Live Considerations
         1.4. Authorization Server Configuration Data
V1.0.1:  1. Introduction
         1.1 Notational Conventions
         1.2 Terminology
         1.3 Achieving Distributed Access Control
         1.3.1 Protection API and Protection API Token
         1.3.2 Authorization API and Authorization API Token
         1.3.3 Protected Resource Interface and Requesting Party Token
         1.3.4 Time-to-Live Considerations
         1.4 Authorization Server Configuration Data

V1.0:    2. Protecting a Resource
V1.0.1:  2. Protecting a Resource

V1.0:    3. Getting Authorization and Accessing a Resource
         3.1 Client Attempts Access to Protected Resource
V1.0.1:  3. Getting Authorization and Accessing a Resource
         3.1 Client Attempts Access to Protected Resource

V1.0:    3.1.1. Client Request to Resource Server With No RPT
V1.0.1:  3.1.1 Client Request to Resource Server With No RPT
         3.3 Resource Server Responds to Client
         3.3.1 Resource Server Response to Client on Permission Registration Success
         3.3.2 Resource Server Response to Client on Permission Registration Failure

V1.0:    3.1.2. Client Presents RPT
V1.0.1:  3.1.2 Client Request to Resource Server With RPT
         3.3 Resource Server Responds to Client
         3.3.1 Resource Server Response to Client on Permission Registration Success
         3.3.2 Resource Server Response to Client on Permission Registration Failure
         3.3.3 Resource Server Response to Client on Sufficiency of Authorization

V1.0:    3.2. Resource Server Registers Requested Permission With Authorization Server
V1.0.1:  3.2 Resource Server Registers Requested Permission With Authorization Server
         3.2.1 Resource Server Request to Permission Registration Endpoint
         3.2.2 Permission Ticket Creation and Management
         3.2.3 Authorization Server Response to Resource Server on Permission Registration Success
         3.2.4 Authorization Server Response to Resource Server on Permission Registration Failure

V1.0:    3.3. Resource Server Determines RPT's Status
         3.3.1. Token Introspection
         3.3.2. RPT Profile: Bearer
V1.0.1:  3.4 Resource Server Determines RPT Status
         3.4.1 Token Introspection Process
         3.4.2 RPT Profile: Bearer

V1.0:    3.4. Client Seeks Authorization for Access
V1.0.1:  3.5 Client Seeks Authorization for Access

V1.0:    3.4.1. Client Requests Authorization Data
V1.0.1:  3.5.1 Client Request to Authorization Server for Authorization Data
         3.5.2 Authorization Assessment Process
         3.5.3 Authorization Server Response to Client on Authorization Success
         3.5.4 Authorization Server Response to Client on Authorization Failure

V1.0:    3.4.1.1. Authentication Context Flows
V1.0.1:  3.6 Client Responds to Authorization Server's Request for Additional Information
         3.6.1 Client Redirects Requesting Party to Authorization Server for Authentication

V1.0:    3.4.1.2. Claims-Gathering Flows
V1.0.1:  3.6 Client Responds to Authorization Server's Request for Additional Information
         3.6.2 Client Pushes Claim Tokens to Authorization Server
         3.6.3 Client Redirects Requesting Party to Authorization Server for Claims-Gathering

V1.0:    4. Error Messages
         4.1. OAuth Error Responses
         4.2. UMA Error Responses
V1.0.1:  4. Error Messages
         4.1 OAuth Error Responses
         4.2 UMA Error Responses

V1.0:    5. Profiles for API Extensibility
         5.1. Protection API Extensibility Profile
         5.2. Authorization API Extensibility Profile
         5.3. Resource Interface Extensibility Profile
V1.0.1:  5. Profiles for API Extensibility
         5.1 Protection API Extensibility Profile
         5.2 Authorization API Extensibility Profile
         5.3 Resource Interface Extensibility Profile

V1.0:    6. Specifying Additional Profiles
         6.1. Specifying Profiles of UMA
         6.2. Specifying RPT Profiles
         6.3. Specifying Claim Token Format Profiles
V1.0.1:  6. Specifying Additional Profiles
         6.1 Specifying Profiles of UMA
         6.2 Specifying RPT Profiles
         6.3 Specifying Claim Token Format Profiles

V1.0:    7. Compatibility Notes
V1.0.1:  n/a

V1.0:    8. Security Considerations
V1.0.1:  7. Security Considerations

V1.0:    8.1. Redirection and Impersonation Threats
V1.0.1:  7.1 Requesting Party Redirection and Impersonation Threats

V1.0:    8.2. Client Authentication
V1.0.1:  7.2 Client Authentication

V1.0:    8.3. JSON Usage
V1.0.1:  7.3 JSON Usage

V1.0:    8.4. Profiles, Binding Obligations, and Trust Establishment
V1.0.1:  7.4 Profiles and Trust Establishment

V1.0:    n/a
V1.0.1:  7.4.1 Requirements for Trust When Clients Push Claim Tokens

V1.0:    9. Privacy Considerations
V1.0.1:  8. Privacy Considerations
         8.1 Resource Set Information at the Authorization Server
         8.2 Requesting Party Information at the Authorization Server
         8.3 Profiles and Trust Establishment

V1.0:    10. IANA Considerations
V1.0.1:  9. IANA Considerations

V1.0:    10.1. JSON Web Token Claims Registration
         10.1.1. Registry Contents
V1.0.1:  9.1 JSON Web Token Claims Registration
         9.1.1 Registry Contents

V1.0:    n/a
V1.0.1:  9.2 OAuth Token Introspection Response Registration
         9.2.1 Registry Contents

V1.0:    10.2. Well-Known URI Registration
         10.2.1. Registry Contents
V1.0.1:  9.3 Well-Known URI Registration
         9.3.1 Registry Contents

V1.0:    11. Acknowledgments
V1.0.1:  10. Acknowledgments

V1.0:    12. References
         12.1. Normative References
         12.2. Informative References
V1.0.1:  11. References
         11.1 Normative References
         11.2 Informative References

RSR Specification Reorganization

Found in RSR V1.0 → Find in RSR draft V1.0.1

V1.0:    1. Introduction
         1.1. Notational Conventions
         1.2. Terminology
         1.3. Authorization Server Configuration Data
V1.0.1:  1. Introduction
         1.1 Notational Conventions
         1.2 Terminology
         1.3 Authorization Server Configuration Data

V1.0:    2. Resource Set Registration
V1.0.1:  2. Resource Set Registration

V1.0:    2.1. Scope Descriptions
V1.0.1:  2.1.1 Scope Descriptions

V1.0:    n/a
V1.0.1:  2.1.2 Scope Interpretation

V1.0:    2.2. Resource Set Descriptions
V1.0.1:  2.1 Resource Set Descriptions

V1.0:    2.3. Resource Set Registration API
         2.3.1. Create Resource Set Description
         2.3.2. Read Resource Set Description
         2.3.3. Update Resource Set Description
         2.3.4. Delete Resource Set Description
         2.3.5. List Resource Set Descriptions
V1.0.1:  2.2 Resource Set Registration API
         2.2.1 Create Resource Set Description
         2.2.2 Read Resource Set Description
         2.2.3 Update Resource Set Description
         2.2.4 Delete Resource Set Description
         2.2.5 List Resource Set Descriptions

V1.0:    3. Error Messages
         4. Security Considerations
         5. Privacy Considerations
         6. IANA Considerations
         7. Example of Registering Resource Sets
         8. Acknowledgments
         9. References
         9.1. Normative References
         9.2. Informative References
V1.0.1:  3. Error Messages
         4. Security Considerations
         5. Privacy Considerations
         6. IANA Considerations
         7. Example of Registering Resource Sets
         8. Acknowledgments
         9. References
         9.1 Normative References
         9.2 Informative References

...

Pre-V1.0 Changes

Following is a catalog of notable changes to the specifications in the pre-V1.0 timeframe.

Core Changes

Internet-Draft Rev 11 to Rev 12

...