...

Code Block (xml)
<!-- Applies to both hosts and requesters -->
<Property 
    type="http://kantarainitiative.org/confluence/display/uma/token_formats">
       saml
</Property>
<Property 
    type="http://kantarainitiative.org/confluence/display/uma/claim_formats">
       json
</Property>

<!-- Host "authorization API" -->
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_token_uri"
      href="https://am.example.com/host/token_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_user_uri"
      href="https://am.example.com/host/user_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_token_validation_uri"
      href="https://am.example.com/host/token_validation_uri"></Link>

<!-- Requester token-getting endpoints -->
<Link rel="http://kantarainitiative.org/confluence/display/uma/req_token_uri"
      href="https://am.example.com/requester/token_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/req_user_uri"
      href="https://am.example.com/requester/user_uri"></Link>

...

The host obtains OAuth client credentials and the location of the resource registration API from the authorization manager

The goal of this sub-step is to provide the host with a client ID, optionally a client secret, and the URL of the AM's resource registration API.

There are two ways to provide this:

  1. The host has to pre-register with the AM in order to use it. In this case all of this information is provided in a way that is beyond the scope of this specification. The most widespread method with OAuth is to enter it manually.
  2. The host is not pre-registered and a dynamic association needs to be created between the host and the AM. In this case the information is obtained with the process described below.

It is up to the AM to decide whether it allows only pre-registered hosts, only dynamically associated ones, or both.

If the association needs to be done dynamically, the following process is used, which is similar to the one used in OpenID Connect (http://openidconnect.com/#associations).

If the host does not have a valid client identifier and secret, it shall make the following HTTPS POST request to the AM's host token endpoint URL (see metadata lookup) with the following REQUIRED parameters:

  • type - "client_associate"
  • redirect_uri - The URI the host wishes to register with the server for receiving OpenID responses.
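As an added illustration (not code from the UMA draft or any UMA implementation), the following Python shows a host looking up the host_token_uri link in the AM metadata shown above and building the client_associate POST body. The metadata sample and the host's redirect URI are constructed for the example; the checks that both URLs are absolute https URLs without a fragment are an assumption about what a careful host should do before sending its registration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

UMA_NS = "http://kantarainitiative.org/confluence/display/uma/"

# Constructed sample of the AM metadata fragments shown above, wrapped in a
# single root element so that it parses as one XML document.
SAMPLE_METADATA = """<XRD>
<Property type="http://kantarainitiative.org/confluence/display/uma/token_formats">saml</Property>
<Link rel="http://kantarainitiative.org/confluence/display/uma/host_token_uri"
      href="https://am.example.com/host/token_uri"></Link>
<Link rel="http://kantarainitiative.org/confluence/display/uma/req_token_uri"
      href="https://am.example.com/requester/token_uri"></Link>
</XRD>"""


def lookup_link(metadata_xml, rel_name):
    """Return the href of the <Link> whose rel is the given UMA rel name, or None."""
    root = ET.fromstring(metadata_xml)
    for link in root.iter("Link"):
        if link.get("rel") == UMA_NS + rel_name:
            return link.get("href")
    return None


def build_client_associate(metadata_xml, redirect_uri):
    """Build the HTTPS POST a host sends when it has no client credentials yet.

    Returns (endpoint, form_body). Raises ValueError if the metadata lacks the
    host token endpoint or if either URL is not an absolute https URL.
    """
    endpoint = lookup_link(metadata_xml, "host_token_uri")
    if endpoint is None:
        raise ValueError("AM metadata has no host_token_uri link")
    for name, uri in (("host_token_uri", endpoint), ("redirect_uri", redirect_uri)):
        parts = urlparse(uri)
        # Registration data and the endpoint it goes to must both be https;
        # a redirect_uri with a fragment is rejected as malformed.
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise ValueError(f"{name} is not an absolute https URL without fragment: {uri}")
    # The two REQUIRED parameters from the text, form-encoded for the POST body.
    body = urlencode({"type": "client_associate", "redirect_uri": redirect_uri})
    return endpoint, body
```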

The host gets a host access token from the AM that represents the approval of the authorizing user for the host to trust this AM for protecting the resources it manages for this user.

...