[Openid-specs-heart] UMA Profile Skeleton

Justin Richer jricher at MIT.EDU
Thu Apr 23 21:38:21 UTC 2015


An updated skeleton of the UMA profile has been uploaded into the repository. This is still very thin and short, and presently example-free, but it basically does a few things to UMA to bring it in line with the OAuth and OIDC specs:

 - Inherit everything from the OAuth and OIDC profiles (this helps keep everything short)
 - All tokens (AAT, PAT, RPT) are JWTs and are introspectable, with a required set of claims pointing to specific values
 - All tokens are the bearer profile defined in UMA
 - Two claims-gathering flows are defined, both of which are MTI:
    - Client presents an OIDC ID token directly to the RPT endpoint
    - Client sends the requesting party to an endpoint on the AS where the requesting party logs in with OIDC to provide claims directly

There are placeholders for token lifetimes, but no values yet. The OAuth token lifetimes are based on my personal deployment experience and some previous profiling work (RHEx), but I don’t have a similar feel for the UMA tokens. Should these be specific to the type of client as well?

Another question: should we have classes of protected resources? Since they’re OAuth clients as well, but they’re always a web API of some type, perhaps there’s less specificity needed here.

I’m still working with the OIDF folks to have a place to publish the rendered HTML versions of the specs, but I’m hoping to have that up within the next couple of weeks.

 — Justin