Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

UMA Interoperability Testing

We are preparing UMA interoperability and conformance feature tests for the first UMA interop to be held October 1 and November 1, 2013 at MIT in Cambridge, MA, USA. If you would like to be a participant in this process, please register. Attached is a draft set of features and feature tests for review; these will eventually appear on the OSIS interop wiki. Participants so far include:

  • Gluu
  • Cloud Identity UK
  • Criterion Systems
  • Roland Hedberg (test harness)
  • Intel

Following are notes about the construction of features and tests.

  • The feature_id always starts with F-.
  • The feature test identifier always starts with FT-.
  • For features, the feature_type value can be either interop or optional.
  • For feature tests, the testtype value can be either normal or optional.
  • The testedrole can be AM, H, or R.
  • The features and tests relate exclusively to the core protocol spec and to software components that serve as protocol endpoints. None relate to the Binding Obligations document because this document describes expected behaviors of operators and users of these endpoints, which makes them untestable for the purposes of an interop.

Supporting Clauses

Following are notes about the clauses in the core spec that support the creation of tests. (These are now out of date, because the core spec terminology has changed from AM to AS and so on.)

F-am-config:

  • Sec 1.5: "The AM MUST provide configuration data to other entities it interacts with in a JSON [RFC4627] document that resides in an /uma-configuration directory at at its hostmeta [RFC6415] location."
  • Sec 1.5: "AM configuration data MAY contain extension properties that are not defined in this specification."
  • Sec 1.5: "All endpoint URIs supplied SHOULD require the use of a transport-layer security mechanism such as TLS."
  • (Also all the MUSTs and MAYs appearing in Section 1.5 regarding the JSON format for AM configuration data.)
  • Sec 2.1: "From the data provided, discovered, or configured, the host MUST retrieve the AM's configuration data document, as described in Section 2 of hostmeta [RFC6415]."

F-dyn-client-reg:

  • Sec 1.5: "The value, if this property is present, the value MUST be the string "yes" (dynamic registration is supported, using an unspecified method) or "no" (it is not supported; hosts and requesters are required to pre-register)." (The property being dynamic_client_registration_supported.)
  • Sec 2.2: "If the host has not already obtained an OAuth client identifier and optional secret from this AM, in this step it MUST do so in order to engage in OAuth-based interactions with the AM."

F-pat:

  • Sec 1.5: "oauth_token_profiles_supported REQUIRED. …. The AM is REQUIRED to support this profile, and to supply this string value explicitly. The AM MAY declare its support for additional access token profiles by providing a unique absolute URI in a string value in the array for each one." (This profile being the bearer token profile.)
  • Sec 1.5: "oauth_grant_types_supported REQUIRED. …. Each string value MUST be one of the grant_type values defined in [OAuth2], or alternatively an extension grant type indicated by a unique absolute URI."
  • Sec 1.5: "token_endpoint REQUIRED."
  • Sec 1.5: "user_endpoint REQUIRED."
  • Sec 2.3: "The host MUST use OAuth 2.0 [OAuth2] to obtain the protection API token."
  • Sec 1.3: "The AM presents the following endpoints to the host as part of its protection API; these endpoints are OAuth-protected and require a PAT for access, for which the "protection" OAuth scope is required…"
  • Sec 1.5: "resource_set_registration_endpoint REQUIRED. …. A PAT MUST accompany requests to this protected endpoint."
  • Sec 2.4.3: "The host MUST use its valid PAT obtained previously to gain access to this endpoint." (This endpoint being resource_set_registration_endpoint.)
  • Sec 3.2: "The host registers the permission using the POST method at the AM's permission registration endpoint, providing its PAT to get access to this endpoint."

F-aat:

  • Sec 1.3: "The AM presents the following endpoints to the host as part of its protection API; these endpoints are OAuth-protected and require a PAT for access, for which the "protection" OAuth scope is required…"
  • Sec 1.5: "resource_set_registration_endpoint REQUIRED. …. A PAT MUST accompany requests to this protected endpoint."
  • Sec 2.4.3: "The host MUST use its valid PAT obtained previously to gain access to this endpoint." (This endpoint being resource_set_registration_endpoint.)
  • Sec 3.2: "The host registers the permission using the POST method at the AM's permission registration endpoint, providing its PAT to get access to this endpoint."
  • Sec 1.3: "The AM presents the following endpoint to the requester as part of its authorization API; this endpoint is OAuth-protected and requires an AAT for access, for which the "authorization" OAuth scope is required…"
  • Sec 3.4.4: "The requester performs a POST on the RPT endpoint, supplying its own AAT in the header in order to gain access to the RPT endpoint."

F-rset-reg:

  • Sec 2.4 intro: "Once the host has received a PAT, for any of the user's sets of resources that are to be protected by this AM, it MUST register these resource sets at the AM's registration endpoint."
  • Sec 2.4.1: "Scope description documents MUST be accessible to AMs through GET calls made to these URI references" (These being scope URI references.) 
  • Sec 2.4.3: "The AM MUST present an API for registering resource set descriptions at a set of URIs with the structure "{rsreguri}/resource_set/{rsid}", where the PAT provides sufficient context to distinguish between identical resource set identifiers assigned by different hosts."
  • Sec 2.4.3: "Following is a summary of the five registration operations the AM is REQUIRED to support…"
  • Sec 2.4.3: "If the request to the resource set registration endpoint is incorrect, then the AM responds with an error message (see Section 4.2) by including one of the following error codes with the response…"
  • Sec 2.4.3.1: "On successfully registering a resource set, the host MUST use UMA mechanisms to limit access to any resources corresponding to this resource set, relying on the AM to supply currently valid permissions for authorized access."
  • Sec 2.4.3.1: "On successful registration, the AM MAY return a redirect policy URI to the host in a property with the name "policy_uri"."
  • Sec 2.4.3.3: "On successful update, the AM MAY return a redirect policy URI to the host in a property with the name "policy_uri"."
  • Sec 2.4.1: "Scope descriptions MAY contain extension properties that are not defined in this specification."
  • Sec 2.4.1: "A host MUST list a resource set's available scopes using URI references (as defined in Section 2.4.2). The scopes available for use at any one host MUST have unique URI references so that the host's scope descriptions are uniquely distinguishable. A scope URI reference MAY include a fragment identifier. Scope descriptions MAY reside anywhere."
  • Sec 2.4.2: "Resource set descriptions MAY contain extension properties that are not defined in this specification."
  • Sec 2.4.2: "The AM SHOULD use the scope names and any icons defined as part of the referenced scopes in its user interface to assist the user in setting policies for protecting this resource set."
  • Sec 2.4.2: "When a host creates or updates a resource set description (see Section 2.4.3), the AM MUST attempt to retrieve the referenced scope descriptions. It MAY cache such descriptions as long as indicated in the HTTP cache-control header for the scope description resource unless the resource set description is subsequently updated within the validity period. At the beginning of an authorizing user's login session at the AM, the AM MUST attempt to re-retrieve scope descriptions applying to that user whose cached versions have expired."

 

 

 

  • No labels