UMA telecon 2012-03-08

Date and Time

WG telecon on Thursday, 8 Mar 2012, at 9am PT (time chart)
- Skype: +99051000000481
- US: +1-805-309-2350 (other international dial-in lines available) | Room Code: 178-2540

Agenda

Roll call
Approve minutes of 2012-02-23 meeting
Tweet chat planning
Interop planning
Work through issues
- Issue 49 (ad hoc meeting report, discussion, resolution, editor instructions)
Review any additional open action items
AOB

Minutes

New AI summary

Eve and Thomas: Edit the spec and add swimlane diagrams showing flow options. (Meet on Friday.)

Roll call

Quorum was reached.

Approve minutes of 2012-02-23 meeting

Minutes of 2012-02-23 meeting APPROVED.

Issue 49

See relevant information:

Notes from yesterday's ad hoc meeting
Lukasz's description of the current spec vs. a proposed solution: email
Jacek's description of SMART's authz code-based solution for the requester side, and George's proposal for a solution: email thread
Domenico's diagram of the human parties: email
George's final post-meeting diagram

In George's initial diagram, the "Access Alice's calendar with no token" means "with no RPT". His flow imagines that there is a new separate step where an empty RPT is issued, which would then require the requester to go back a bunch of times to get a RAT, get an RPT, start filling it with permissions, etc. This doesn't seem right, since the host shouldn't care whether the requester has a RAT or even an RPT yet when it tells the requester that it needs an UMA permission to get to this resource.

What if MyCalendar gets and conveys a permission ticket in all circumstances where there's insufficient permission (no token, invalid token, token with insufficient permission)? Then TripFollwr would be sent to the AM to rectify the situation regardless. Is there any danger in the permission ticket getting out into the wild? We can't see any, just as we couldn't before. It's a permission request ticket, not a permission ticket per se. Currently the host doesn't include anything identifying the requesting side in its permission registration process at the AM anyway (Section 3.4).

Once Roger/TripFollwr is told by MyCalendar that it needs to go to CopMonkey to get an RPT, TripFollwr could independently recognize the fact that it doesn't have a RAT yet for Roger with CopMonkey, and request it directly. So even though it has a permission ticket, it can't quite use it until it has a RAT in hand, and then it can go about trying to win the permissions it needs.

It seems very logical to get MyCalendar entirely out of the job of handling or caring about RATs, since it's not a party to that token (so to speak). So it's not just syntactic sugar/optimization to embed RAT issuance in the process of permission requests; it's an appropriate time and place with the appropriate parties at the table. Would it be possible for the permission request process to leverage any claims CopMonkey happened to collect while issuing the RAT, so that Roger isn't unnecessarily inconvenienced? We think so.

We really like the full separation of authentication and authorization. We have now fully mirrored an OAuth flow on the authorizing and requesting sides.

We edited George's diagram dynamically on the call; the result is here. We achieved consensus on this new approach, which will require a fair amount of spec work:

Terminology distinctions between tokens
- Instead of HAT and RAT, let's use "protection API token" and "authorization API token"
Terminology cleanup around permission registration
- What's being registered is a pending permission request, not an entitlement/permission per se
Authorization code (or other "three-legged") flow for the AAT instead of client credentials
Flow changes in Section 3 to reflect:
- The issuance of a permission request ticket in all cases where the RPT won't suffice for resource access
- The embedding of the step where an AAT gets provisioned if it didn't yet exist

Let's close issue 49.

Next Meetings

WG telecon on Thursday, 15 Mar 2012, at 9am PT (time chart)
WG telecon on Thursday, 22 Mar 2012, at 9am PT (time chart)
WG telecon on Thursday, 29 Mar 2012, at 9am PT (time chart)

Attendees

As of 28 Feb 2012, quorum is 6 of 11.

Catalano, Domenico
D'Agostino, Salvatore
Fletcher, George
Hardjono, Thomas
Machulak, Maciej
Maler, Eve
Szpot, Jacek

Non-voting participants:

Cox, Kevin

Regrets:

Koot, Andre

Browser not supported