[Openid-specs-heart] How do you define a resource set?

Debbie Bucci debbucci at gmail.com
Thu Jul 7 19:21:57 UTC 2016

On Thu, Jul 7, 2016 at 2:32 PM, Eve Maler <eve.maler at forgerock.com> wrote:

> The requesting party token (RPT) does indeed have associated with it one
> or more "permissions", which are data structures that look similar to
> resource set descriptions. The relevant section is UMA Core Sec 3.4.2,
> RPT Profile: Bearer
> <https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0_1.html#uma-bearer-token-profile>
> .
> So to correct the syntax a bit, it would look like this:
>    {
>     "active": true,
>     "exp": 1256953732,
>     "iat": 1256912345,
>     "permissions": [
>       {
>         "resource_set_id": "112210f47de98100",
>         "scopes": [
>           "...",
>           "...",
>           "...",
>           "..."
>          ],
>         "exp" : 1256953732
>       }
>     ]
>    }
> Instead of mentioning the resource set name or any such details, it just
> calls out the relevant resource set ID as registered at the AS, and then
> explicitly mentions the particular scopes that are granted. (So the
> resource set with this ID might be of the "virtual clipboard" kind.)

OK, that makes sense! Understood RS registers RSsets but missed the ID piece in the response.

> The RPT would have gotten populated this way based on the original
> availability of a registered resource set, as outlined in the previous
> couple of messages (a CREATE of the structure with the fields I described),
> and a requesting party passing muster, such that their client got this RPT.
> Clearly, designing a resource set of a "virtual clipboard" kind would be
> coming from an "Alice shares data before/at a first visit" use case. Note
> that giving a resource set like this scopes such as "
> patient/MedicationDispense*.read" would be a way to enable "positive
> filtering" of content. (I still don't readily understand the FHIR OAuth
> scope syntax -- need to look up how to parse this! What's the English for
> it, again?)

I don't know about the English, but I was just looking at the FHIR doc and
OAuth scope doc to figure out the syntax information.

Still doesn't answer my question of how to provide additional "claims" info
we may want the RS to be aware of. Trying to understand John's suggestion
that we use confidentiality codes as a start instead of consent - where is
sensitivity determined? Seems that may be on the RS server side. Is he
suggesting that a consumer/patient could suggest confidentiality settings
for the scopes/resources suggested? Alternatively - how would consent be
expressed? Is that outside the RPT? I understand there may be separate
services, but could/should that information be included in the token?
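As an added example (not code from the thread or from the UMA spec), here is how a resource server would consume an RPT introspection response shaped like the one Eve quoted, checking "active", the token-level and permission-level "exp", and the granted scopes for the requested resource set ID. The second permission, the SMART-on-FHIR-style scope strings standing in for the "..." placeholders, and the wildcard scope matching are assumptions that go slightly beyond what the message shows.

```python
import json

# Constructed sample introspection response (UMA Core 1.0.1 bearer RPT profile).
# Scope strings and the second permission are assumed, not from the thread.
INTROSPECTION_RESPONSE = json.dumps({
    "active": True,
    "exp": 1256953732,
    "iat": 1256912345,
    "permissions": [
        {
            "resource_set_id": "112210f47de98100",
            "scopes": ["patient/MedicationDispense.read", "patient/Observation.read"],
            "exp": 1256953732,
        },
        {
            "resource_set_id": "0000000000000002",  # constructed placeholder ID
            "scopes": ["patient/Condition.read"],
            "exp": 1256920000,  # this permission lapses before the token does
        },
    ],
})


def scope_matches(granted: str, required: str) -> bool:
    """SMART-style match: 'patient/*.read' satisfies 'patient/Observation.read'."""
    try:
        g_ctx, g_rest = granted.split("/", 1)
        g_type, g_perm = g_rest.rsplit(".", 1)
        r_ctx, r_rest = required.split("/", 1)
        r_type, r_perm = r_rest.rsplit(".", 1)
    except ValueError:
        return granted == required  # not in context/Type.perm form: exact match only
    return g_ctx == r_ctx and g_type in ("*", r_type) and g_perm in ("*", r_perm)


def rs_permits(response_json: str, resource_set_id: str, required_scopes, now: int) -> bool:
    """RS decision: does this RPT currently grant all required scopes on the resource set?"""
    resp = json.loads(response_json)
    # An inactive or expired token grants nothing, whatever the permissions say.
    if not resp.get("active") or resp.get("exp", 0) <= now:
        return False
    for perm in resp.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        # A permission may carry its own, earlier expiry; fall back to the token's.
        if perm.get("exp", resp["exp"]) <= now:
            continue
        granted = perm.get("scopes", [])
        if all(any(scope_matches(g, r) for g in granted) for r in required_scopes):
            return True
    return False
```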