<div dir="ltr"><div><div>I think you're right, that the core UMA specs are about real time access to an API using a deferred consent action by a human. However, I think this side spec might be close to what you're attempting to do: <a href="https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg.html">https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg.html</a><br><br></div>(From this list here: <span class=""><a href="https://kantarainitiative.org/confluence/display/uma/Specifications+and+Auxiliary+Documents?src=breadcrumbs-parent">Specifications and Auxiliary Documents</a></span>)<br><br></div>I still need to take the time to thoroughly study this, but the Introduction seems right up your alley.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><br>---------------------------------------------------------------<br>Cal Heldenbrand<br> Web Operations at FBS<br> Creators of <a href="http://flexmls.com" target="_blank">flexmls</a>® and <a href="http://sparkplatform.com" target="_blank">Spark Platform</a><br> <a href="mailto:cal@fbsdata.com" target="_blank">cal@fbsdata.com</a></div></div>
<br><div class="gmail_quote">On Mon, Dec 7, 2015 at 11:15 PM, Steve Garing <span dir="ltr"><<a href="mailto:steve.garing@guvera.com" target="_blank">steve.garing@guvera.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Cal.<div><br></div><div>Isn’t UMA an interface for allowing the Resource Owner to grant permissions to resources without the owners need to be present at the time of request?</div><div>Good old wikipedia explains is better than I can with my limited understanding <a href="https://en.wikipedia.org/wiki/User-Managed_Access" target="_blank">UMA</a>. So this wouldn’t actually let the clients know if the user has ROLE_USER or ROLE_ADMIN etc from what I understand.</div><div><br></div><div>Adding a custom claim seems to be the way to go I think</div><div><br></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Tue, Dec 8, 2015 at 12:43 AM, Cal Heldenbrand <span dir="ltr"><<a href="mailto:cal@fbsdata.com" target="_blank">cal@fbsdata.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>I'll take a crack at this, even though I'm probably not the most qualified to do so. OAuth2 scopes are outside the specification scope of OpenID Connect.<br><br></div>However, section <a href="http://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims" target="_blank">5.1.2</a> states that you can add any custom claims that you'd like. Pick a unique name like "mitre_scopes" and add it to your <a href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata" target="_blank">discovery document's</a> <span style="font-family:monospace,monospace">claims_supported</span> property. Then expose that claim as an array over ID Tokens/UserInfo as normal.<br><br></div>This is non-standard though, so it doesn't fully answer your question. You might want to take a look at User-Managed Access (UMA) which is a standard way of conveying authorization / access control between many parties. I'm in my beginning phases of researching UMA, so don't take my advice too heavily. ;-)<br><div><div><div><div><div class="gmail_extra"><br clear="all"><div><div>Good luck!<br><br></div><div>--Cal<br><br></div><div>---------------------------------------------------------------<br>Cal Heldenbrand<br> Web Operations at FBS<br> Creators of <a href="http://flexmls.com" target="_blank">flexmls</a>® and <a href="http://sparkplatform.com" target="_blank">Spark Platform</a><br> <a href="mailto:cal@fbsdata.com" target="_blank">cal@fbsdata.com</a></div></div>
<br><div class="gmail_quote"><div><div>On Mon, Dec 7, 2015 at 4:42 AM, Steve Garing <span dir="ltr"><<a href="mailto:steve.garing@guvera.com" target="_blank">steve.garing@guvera.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div><div dir="ltr"><div style="font-size:13px">Hi,</div><div style="font-size:13px"><br></div><div style="font-size:13px">Is there a standard way to return the authorities to a client? I haven’t been able to get the authorities returned via standard functionality in the MITREid Connect project and we’d like the clients to have visibility of a users role to determine some client side functionality.</div><div style="font-size:13px"><br></div><div style="font-size:13px">Would it correct to think that the clients can request and extra scope like ‘authorities’ and then provide the authorities in the id_token and from the userinfo endpoint?</div><div style="font-size:13px"><br></div><div style="font-size:13px">Thanks,</div><div style="font-size:13px">Steve</div></div></div>
</div>
<br></div></div>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br></blockquote></div><br></div></div></div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div><div dir="ltr"><table style="color:rgb(0,0,0);font-family:Times" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding:0px" align="left" valign="top"><table cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding:10px 0px 0px;font-family:Helvetica,Arial,sans-serif;font-size:10px;color:rgb(119,119,119)" align="left" valign="top" width="100%"><b>Steve Garing</b><br>Senior Software Engineer<br></td></tr><tr><td style="padding:10px 0px 0px;font-family:Helvetica,Arial,sans-serif;font-size:10px;color:rgb(119,119,119)" align="left" valign="top" width="100%"><strong>Guvera Australia Pty Ltd.</strong><br>Suite 903, Level 9, The Rocket<br>203 Robina Town Centre Drive<br>Robina, QLD, 4226<br>Australia<br>PO Box 4232 Robina TC QLD 4230<br></td></tr><tr><td style="padding:10px 0px 0px;font-family:Helvetica,Arial,sans-serif;font-size:10px;color:rgb(119,119,119)" align="left" valign="top" width="100%"><strong style="padding:10px 0px 0px">Phone </strong><span style="padding:10px 0px 0px"><a href="tel:%2B61%20%280%29%207%205578%208987" value="+61755788987" target="_blank">+61 (0) 7 5578 8987</a></span><br><strong style="padding:10px 0px 0px"><br>Email </strong><span style="padding:10px 0px 0px"><a href="mailto:kim.bennett@guvera.com" style="padding:10px 0px 0px;color:rgb(119,119,119)" target="_blank">s</a><a href="mailto:teve.garing@guvera.com" target="_blank">teve.garing@guvera.com</a></span><br><strong style="padding:10px 0px 0px">Web </strong><span style="padding:10px 0px 0px"></span><a href="https://www.guvera.com/" style="padding:10px 0px 0px;color:rgb(119,119,119)" target="_blank">www.guvera.com</a><br><br><br><br></td></tr></tbody></table></td></tr></tbody></table><span style="color:rgb(0,0,0);font-family:Times;font-size:medium"><img src="https://www.guvera.com/d1/images/email-logo.png" height="120" width="120"></span><br></div></div>
</div>
</blockquote></div><br></div>