UMA1 Interop Features and Feature Tests
Main UMA1 Interop Testing page | Participants and Solutions | Results | uma-dev list
The features and tests relate exclusively to the core protocol spec, any other normatively referenced specs, and software components that serve as protocol endpoints. None relate to the Binding Obligations specification because it describes expected behaviors of operators and users of these endpoints, which makes them untestable for the purposes of an interop.
The type values for a test are minimally one of:
- "req" (required)
- "opt" (optional)
A test may additionally be of these types:
- "rpt-bearer" (specific to the mandatory-to-implement "bearer" RPT profile)
- "claim-oidc" (specific to the optional OpenID Connect claim profile)
- "optim-asc" (specific to the forthcoming optional AS=C optimization profile)
- "humanrqp" (specific to the claims-gathering flow for clients operated by end-users)
Tests could be added to cover additional UMA WG-specified or third-party profiles, in which case the possible type values will expand. Generic high-level features of the protocol have an ID in the form "F-", and they group feature tests that have an ID in the form "FT-".
Where spec text is quoted, be aware that it may be out of date. In cases of discrepancy, please alert the UMA leadership team or the WG list; the real spec is always normative.
1. F-as-config: AS makes available its configuration data in the correct form at the correct location
The feature tests in this section have been reviewed.
This feature is about machine-readability of capabilities and constraints.
Supporting clauses
- Core 1.4: "The authorization server MUST provide configuration data in a JSON [RFC4627] document that resides in an /uma-configuration directory at at its hostmeta [hostmeta] location."
- Core 1.4: "Authorization server configuration data MAY contain extension properties that are not defined in this specification."
- Core 1.4: "All endpoint URIs SHOULD require the use of a transport-layer security mechanism such as TLS. The authorization server MUST declare all of its endpoints in its configuration data."
- (Also all the REQUIREDs/MUSTs and MAYs appearing in Core Sec 1.4 regarding the JSON format for AM configuration data.)
- Core 2: "The resource owner, resource server, and authorization server perform the following actions to put resources under protection. This list assumes that the resource server has discovered the authorization server's configuration data and endpoints as needed." (non-normative)
- RSR 1.3: "If the authorization server declares its endpoints and any other configuration data in a machine-readable form, for example [OAuth-linktypes] or [OAuth-meta], it SHOULD convey its resource set registration endpoint in this fashion as well."
| Test ID | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-as-config-data | req | AS | AS provides configuration data that conforms to specified format | Data conforms to format requirements |
| FT-as-config-endpts | req | AS | AS makes config data available through https://\{as_uri}/.well-known/uma-configuration | AS config data endpoint uses https: scheme with specific URL form, with a valid certificate |
| FT-rs-get-config-data | opt | RS | RS successfully accesses and parses AS config data properties it needs at https://\{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the RS and including handling of non-understood extension properties | RS successfully accesses and parses AS config data |
| FT-c-get-config-data | opt | C | Client successfully accesses and parses AS config data properties it needs at http://\{as_uri}/.well-known/uma-configuration or https://{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the client and including handling of non-understood extension properties | Client successfully accesses and parses AS config data |
2. F-dyn-client-reg: AS supports generating dynamic client credentials and RS and client support getting them
The feature tests in this section have been reviewed.
This feature is about client registration of resource servers (which are clients of the AS's protection API) and clients of resource servers (which are also clients of the AS's authorization API) at run time when services have not "met" before a resource owner or requesting party forces the issue.
Supporting clauses
- Core 1.4: "dynamic_client_endpoint - OPTIONAL. The endpoint to use for performing dynamic client registration. Usage is defined by [DynClientReg]. The presence of this property indicates authorization server support for the dynamic client registration feature and its absent indicates a lack of support."
- Core 2: "It is OPTIONAL for the client credentials to be provided dynamically through [DynClientReg]); alternatively, they MAY use a static process."
Issues
- Typo in Core Sec 1.4: s/absent/absence/
| Test ID | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-as-dyn-client-reg | opt | AS | AS config data "dynamic_client_endpoint" property is non-null | AS config data "dynamic_client_endpoint" property has a valid URL value for a DynClientReg endpoint |
| FT-rs-get-dyn-client-creds | opt | RS | RS interacts with AS to request and receive client credentials dynamically | RS gets client credentials dynamically |
| FT-c-get-dyn-client-creds | opt | C | C interacts with AS to request and receive client credentials dynamically | C gets client credentials dynamically |
3. F-pat: AS successfully issues PAT to RS for use at AS's protection API
The feature tests in this section have been reviewed.
This feature is about "protection of the protection API" at the authorization server, and the association made between the authorization server, resource server, and resource owner as a result of protection API token (PAT) issuance.
Supporting clauses
- Core 1: "To accomplish this protection, the authorization server presents a protection API ("C") to the resource server. This API is OAuth-protected and requires a protection API token (PAT) for access." (non-normative)
- Core 1.3.1: "The authorization server presents a protection API to the resource server and an authorization API to the client. These APIs MUST be OAuth-protected; thus, the authorization server has an OAuth token endpoint and user authorization endpoint, and has the option to issue an OAuth refresh token along with any access tokens issued for these APIs."
- Core 1.3.1: "An entity seeking protection API access MUST request the scope "http://docs.kantarainitiative.org/uma/scopes/prot.json", and an access token with at least this scope is called a protection API token (PAT). ... The same entity can serve in both roles, so that an OAuth access token might be considered both a PAT and an AAT if it has both scopes. If a request to an endpoint fails due to an invalid, missing, or expired PAT or AAT, or requires higher privileges at this endpoint than provided by the PAT or AAT, the authorization server responds with an OAuth error."
- Core 1.3.1: "The authorization server is REQUIRED to support the OAuth bearer token profile for PAT and AAT issuance, and MAY support other OAuth token profiles for these purposes. It MUST declare all supported token profiles for PAT and AAT issuance in its configuration data."
- Core 1.3.1: "The authorization server MAY support the use of any OAuth grant type for PAT and AAT issuance, but MUST support the authorization_code grant type, and SHOULD support the SAML bearer token grant type [OAuth-SAML] (urn:ietf:params:oauth:grant-type:saml2-bearer) if it anticipates working with entities that are operating in environments where the use of SAML is prevalent. It MUST declare its supported grant types for PAT and AAT issuance in its configuration data."
- Core 1.4: "pat_profiles_supported - REQUIRED."
- Core 1.4: "pat_grant_types_supported - REQUIRED."
- Core 1.4 : "token_endpoint - REQUIRED."
- Core 1.4 : "user_endpoint - REQUIRED."
- Core 1.4 : "A valid PAT MUST accompany requests to this (introspection_endpoint) protected endpoint."
- Core 1.4 : "A valid PAT MUST accompany requests to this (resource_set_registration_endpoint) protected endpoint."
- Core 1.4 : "A valid PAT MUST accompany requests to this (permission_registration_endpoint) protected endpoint."
- Core 3.2: "The resource server MUST provide its valid PAT in order to get access to (permission_registration_endpoint) endpoint."
- Core 3.3.1: "The authorization server MUST OAuth-protect this (introspection_endpoint) endpoint and require a PAT from the resource server for access to it."
| Test | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-rs-get-pat | req | AS | AS issues PAT to RS given correct OAuth authorization_code grant flow (required by the spec) and request for protection API | AS issues PAT to RS IFF RS engages correctly and with correct scope |
| FT-as-pat-saml | opt | AS | AS issues PAT to RS given correct OAuth SAML (urn:ietf:params:oauth:grant-type:saml2-bearer) bearer token grant type and request for protection API | AS issues PAT to RS IFF RS engages correctly and with correct scope |
| FT-as-pat-config | req | AS | AS supports PAT grant types as declared in configuration data | AS configuration data contains at least authorization_code grant type and optionally SAML bearer token grant type for PATs |
| FT-as-require-pat | req | AS | AS requires OAuth clients of protection API (definitionally, RSs) to present valid OAuth access tokens with protection API scope in order to use endpoints | AS allows RSs to make protection API calls IFF they present protection API scope |
| FT-rs-use-pat | req | RS | RS presents valid OAuth access token with protection API scope when making calls to all protection API endpoints | RS presents PAT to all protection API endpoints |
4. F-aat: AS successfully issues AAT to Client for use at AS's authorization API
The feature tests in this section have been reviewed.
This feature is about "protection of the authorization API" at the authorization server, and the association made between the authorization server, client, and requesting party as a result of authorization API token (AAT) issuance.
Supporting clauses
Core 1: "The (authorization) API is OAuth-protected and requires an authorization API token (AAT) for access." (non-normative)
- Core 1.3.1: "The authorization server presents a protection API to the resource server and an authorization API to the client. These APIs MUST be OAuth-protected; thus, the authorization server has an OAuth token endpoint and user authorization endpoint, and has the option to issue an OAuth refresh token along with any access tokens issued for these APIs."
- Core 1.3.1: "An entity seeking authorization API access MUST request the scope "http://docs.kantarainitiative.org/uma/scopes/authz.json", and an access token with at least this scope is called an authorization API token (AAT). The same entity can serve in both roles, so that an OAuth access token might be considered both a PAT and an AAT if it has both scopes. If a request to an endpoint fails due to an invalid, missing, or expired PAT or AAT, or requires higher privileges at this endpoint than provided by the PAT or AAT, the authorization server responds with an OAuth error."
- Core 1.3.1: "The authorization server is REQUIRED to support the OAuth bearer token profile for PAT and AAT issuance, and MAY support other OAuth token profiles for these purposes. It MUST declare all supported token profiles for PAT and AAT issuance in its configuration data."
- Core 1.3.1: "The authorization server MAY support the use of any OAuth grant type for PAT and AAT issuance, but MUST support the authorization_code grant type, and SHOULD support the SAML bearer token grant type [OAuth-SAML] (urn:ietf:params:oauth:grant-type:saml2-bearer) if it anticipates working with entities that are operating in environments where the use of SAML is prevalent. It MUST declare its supported grant types for PAT and AAT issuance in its configuration data."
- Core 1.4: "aat_profiles_supported - REQUIRED."
- Core 1.4: "aat_grant_types_supported - REQUIRED."
- Core 1.4 : "token_endpoint - REQUIRED."
- Core 1.4 : "user_endpoint - REQUIRED."
- Core 1.4 : "A valid PAT MUST accompany requests to this (rpt_endpoint) protected endpoint."
- Core 1.4 : "A valid PAT MUST accompany requests to this (authorization_request_endpoint) protected endpoint."
- Core 3: "If the client does not already have an AAT at the appropriate authorization server to be able to use its authorization API, it first obtains one." (non-normative)
- Core 3.4: "2. The client acquires an AAT. This enables it to use authorization API endpoints." (non-normative)
- Core 3.4.1: "It (client) obtains an RPT by performing a POST on the RPT endpoint. It MUST provide its own valid AAT in the header."
- Core 3.4.2: "It (client) performs a POST on the authorization request endpoint, supplying its own AAT in the header and its RPT and the permission ticket in a JSON object with properties "rpt" and ticket", respectively."
| Test | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-c-get-aat | req | AS | AS issues AAT to Client given correct OAuth authorization_code grant flow (required by the spec) and request for authorization | AS issues AAT to client IFF client engages correctly and with correct scope |
| FT-as-aat-saml | opt | AS | AS issues AAT to Client given correct OAuth SAML (urn:ietf:params:oauth:grant-type:saml2-bearer) bearer token grant type and request for authorization | AS issues AAT to client IFF client engages correctly and with correct scope |
| FT-as-aat-config | req | AS | AS supports AAT grant types as declared in configuration data | AS configuration data contains at least authorization_code grant type and optionally SAML bearer token grant type for AATs |
| FT-as-require-aat | req | AS | AS requires OAuth clients of authorization API (definitionally, Clients) to present valid OAuth access tokens with authorization API scope in order to use endpoints | AS allows Client to make authorization API calls IFF they present authorization API scope |
| FT-c-use-aat | req | C | Client presents valid OAuth access token with authorization API scope when making calls to all authorization API endpoints | Client presents AAT to all authorization API endpoints |
5. F-rsr: RS registers resource sets at AS in order to put them under AS protection
The feature tests in this section have been reviewed.
This feature is about putting resources under protection by a third party.
Supporting clauses
- Core 2: "In an ongoing fashion, the resource server registers any resource sets with the authorization server for which it intends to outsource protection, using the process defined by [OAuth-resource-reg]." (non-normative)
- RSR 2.1: "Scope descriptions MAY contain extension properties that are not defined in this specification."
- RSR 2.2: "When a resource server creates or updates a resource set description (see Section 2.3), the authorization server MUST attempt to retrieve the referenced scope descriptions so that it can present fresh data in any resource owner interactions."
- RSR 2.3: "Following is a summary of the five registration operations the authorization server is REQUIRED to support. Each is defined in its own section below. All other methods are unsupported." (see all RSR 2.3 subsections)
- RSR 2.3: "If the request to the resource set registration endpoint is incorrect, then the authorization server responds with an error message by including one of the following error codes with the response..."
| Test | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-as-rsr | req | AS | AS successfully presents all of the following methods at a resource set registration endpoint of form {rsreguri}/resource_set/{rsid}, and treats others as unsupported: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions. | AS presents all elements of resource set registration API correctly |
| FT-rs-rsr | req | RS | RS successfully uses: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions. RS links to well-formed scope descriptions and provides well-formed resource set descriptions. | RS uses all elements of resource set registration API and scope and resource set description formats correctly |
| FT-as-rsr-error | req | AS | AS issues errors for error conditions, including unsupported_method_type, not_found, and precondition_failed. | AS issues resource set registration API errors for error conditions |
| FT-as-rsr-scope-ext | req | AS | If a scope description contains extension properties, the AS proceeds normally in handling the scope description | AS does not produce an error on encountering extension properties in scope description |
6. F-protect-rsrc: RS, AS, and client interact to enable authorized access to protected resources and block unauthorized access
The feature tests in this section have not yet been reviewed.
This feature is about protecting resources in practice, at run time. This involves a successive series of "gates": having a valid RPT, supplying any claims needed to assess against policy, having valid authorization data that matches the type of access sought, etc.
Supporting clauses
- Core 1.3.2: "The resource server presents one or more protected resource endpoints to the client; these endpoints are protected by the UMA profile of OAuth and require a requesting party token (RPT) with sufficient authorization data for access." (non-normative)
- Core 1.3.2: "This specification defines one RPT profile, call "bearer" (see Section 3.3.2), which is REQUIRED for the authorization server to support."
- Core 2: "Once a resource set has been placed under authorization server protection through the registration of a resource set description for it, and until such a description's deletion by the resource server, the resource server MUST limit access to corresponding resources, respecting authorization data associated with client-presented RPTs by the authorization server as appropriate."
- Core 3: "Each interaction (as part of getting authorization and access a resource) MAY be the last, if the client chooses not to continue pursuing the access attempt or the resource server chooses not to continue facilitating it."
- Core 3.1.1: "If the client does not present an RPT with the request, the resource server MUST return an HTTP 401 (Unauthorized) status code, along with providing the authorization server's URI in an "as_uri" property to facilitate authorization server configuration data discovery, including discovery of the endpoint where the client can request an RPT."
- Core 3.1.2: "If the client presents an RPT with its request, the resource server MUST determine the RPT's status (see Section 3.3) before responding. If the RPT is invalid, the resource server MUST return an HTTP 401 (Unauthorized) status code, along with providing the authorization server's URI in an "as_uri" property in the header, similarly to the case where no RPT was presented."
- Core 3.1.2: "If the RPT is valid but has insufficient authorization data for the type of access sought, the resource server SHOULD register a requested permission with the authorization server that would suffice for that scope of access (see Section 3.2), and then respond with the HTTP 403 (Forbidden) status code, along with providing the authorization server's URI in an "as_uri" property in the header, and the permission ticket it just received from the AM in the body in a JSON-encoded "ticket" property."
- Core 3.1.2: "If the RPT's status is associated with authorization data that is consistent with authorized access of the scope sought by the client, the resource server MUST give access to the desired resource."
- Core 3.1.2: "The resource server MUST NOT give access where the token's status is not associated with sufficient authorization data for the attempted scope of access."
- Core 3.2: "The (permission) ticket value MUST be securely random (for example, not merely part of a predictable sequential series), to avoid denial-of-service attacks."
- Core 3.2: "If the registration request is successful, the authorization server responds with an HTTP 201 (Created) status code and includes the Location header in its response as well as the "ticket" property in the JSON-formatted body."
- Core 3.2: "If the registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes..."
- Core 3.3.2: "On receiving an RPT of the "Bearer" type in an authorization header from a client making an access attempt, the resource server MUST introspect the token by using the authorization server's token introspection endpoint. ... The authorization server responds with a JSON object with the structure dictated by [OAuth-introspection]."
- Core 3.4.1: "It (client) obtains an RPT by performing a POST on the RPT endpoint. ... The authorization server responds with an HTTP 201 (Created) status code and provides a new RPT."
- Core 3.4.1: "If the AAT provided in the header is the same as one provided for a previously issued still-valid RPT by this authorization server, the authorization server invalidates the old RPT and issues a new one."
- Core 3.4.2: "It (client) performs a POST on the authorization request endpoint, supplying its own AAT in the header and its RPT and the permission ticket in a JSON object with properties "rpt" and ticket", respectively."
- Core 3.4.2: "The authorization server MUST base the addition of authorization data to RPTs on user policies."
Issues
- Break down these feature tests into smaller chunks? What makes sense? The list of supporting clauses will be huge once we fill it in. Some candidates: MTI "bearer" RPT support vs. other profiles.
- "User policies" isn't testable; how do we shore up this wording in FT-as-give-authz-data?
- Need more rptbearer-specific tests?
- Add claimoidc-specific tests?
- Add optasc-specific tests?
- Regarding FT-rs-respect-authz-data: Is this truly a testable assertion, or is it in the realm of Binding Obs? Doublecheck what language we really have in the current spec about this need for "respecting" permissions. See Section 2 of the Core spec.
- Regarding FT-as-issue-rpt: Is it too implementation-specific that the spec says that "If the AAT provided in the header is the same as one provided for a previously issued still-valid RPT by this authorization server, the authorization server invalidates the old RPT and issues a new one." in Section 3.4.1? The AS could instead have refreshed the same RPT that had expired and give it back.
- Regarding FT-rs-introspect-rpt: The client currently has no way of knowing if the RPT is about to expire, and it could be more efficient if it could look this up through token introspection. Should we consider this for the spec?
- Regarding FT-rs-register-permission and FT-as-permission-ticket: Can the RS register a whole bunch of permissions at the same time?
- Regarding FT-as-oidc-client: This is sort of an implicit callout to the OpenID Connect interop tests. Do we even need this? Is anyone planning to test this for UMA1? See Section 3.5.1.1 for the list of things an AS has to do to conform to this claim profile.
- We have a new philosophical question: Even if the AS=C optimization profile is in use, is it mandatory-to-implement for the AS to present real and functional HTTPS endpoints for clients that "aren't it" (the same system entity) to use? If so, our various "req" feature tests below are true. If not, do we make them "opt" and "non-optim-asc" (the inverse of "optim-asc")? In any case, we should be sure to explicitly list the MUSTs that get turned off in this profile (and other such profiles). Maciej is thinking we may, after all, want to put health warnings next to each MUST – it might not be that onerous, and we will have done all the work anyway! Spec readers would otherwise be challenged.
| Test ID | Type | Role | Description | Success |
|---|---|---|---|---|
| FT-unprotected-resource | req | RS | RS responds to access request for unprotected or otherwise non-UMA-protected resource without including anything UMA-specific in the response | RS responds in non-UMA fashion |
| FT-rs-no-rpt | req | RS | RS responds to client not bearing an RPT with HTTP 401 and correct as_uri corresponding to AS protecting the resource to which access was attempted | RS responds with HTTP 401 and as_uri |
| FT-c-get-rpt | req | C | Client presents valid AAT at AS's RPT endpoint to get RPT | Client qualifies for and gets new or refreshed RPT |
| FT-as-issue-rpt | req | AS | AS issues RPT in response to client's request for an RPT at the correct endpoint with a valid AAT; if an existing RPT associated with this AAT was still valid, it is invalidated when the new RPT is issued (see above for issue) | AS issues RPT |
| FT-c-rpt | req | C | C requests access to a resource with an RPT | |
| FT-rs-introspect-rpt | req, rpt-bearer | RS | RS presents a valid RPT at AS's token introspection endpoint to get token's status (see above for issue) | RS gets well-formed RPT status |
| FT-as-introspect-rpt | req | AS | AS returns RPT's status in response to RS request | AS returns well-formed RPT status |
| FT-rs-invalid-rpt | req | RS | RS responds to client bearing an invalid RPT with HTTP 401 and correct as_uri corresponding to AS protecting the resource to which access was attempted | RS responds with HTTP 401 and as_uri |
| FT-rs-register-permission | req | RS | RS presents a valid PAT at AS's permission registration endpoint to register a requested permission that is relevant for the type of access attempted by client (see above issue) | RS registers requested permission |
| FT-as-permission-ticket | req | AS | AS registers permission associated with correct resource owner and resource set and returns securely random permission ticket in response to RS registration of requested permission (see above issue) | AS returns permission ticket that is securely random |
| FT-rs-insufficient-perms | req, rpt-bearer | RS | RS responds to client bearing a valid "bearer" profile RPT that has insufficient permissions with HTTP 403, as_uri, and permission ticket corresponding to resource for which access was attempted | RS responds with HTTP 403, as_uri, and permission ticket |
| FT-c-add-authz-data | req | C | Client presents valid AAT, valid RPT, and permission ticket at AS's authorization endpoint to POST request that authorization data be associated with RPT | Client receives back normal success or error message |
| FT-as-deny-authz-data | req | AS | AS determines that the client should not get authorization data, and returns either an invalid_ticket error, an expired_ticket error, or a not_authorized_permission error | AS returns one of the errors |
| FT-as-give-authz-data | req | AS | AS associates new authorization data with the RPT that the client presented and responds with success | AS adds authorization data and responds with success |
| FT-as-need-claims | req, rptbearer | AS | AS indicates it needs requesting party claims to considering adding permission to "bearer" profile RPT | AS responds to the client with a need_claims error |
| FT-c-claims-redirect | req, humanrqp | C | Client redirects human requesting party to AS to provide claims, providing whatever data is required by the selected claim profile | AS redirects requesting party to AS |
| FT-as-oidc-client | opt, claim-oidc | AS | AS correctly acts as OpenID Connect relying party as defined by the OpenID Connect claim profile | AS acts correctly? |
| FT-rs-respect-authz-data | req | RS | RS limits access to resource that is currently under protection at an AS for which a valid RPT with valid authorization data has not been presented by a client | RS blocks and grants client's access according to RPT's current status |