[Openid-specs-heart] HEART Profiles - Authorization Server OAuth / UMA Clarification
Justin Richer
jricher at mit.edu
Thu Dec 3 14:14:32 UTC 2015
Your three points below aren't related to each other -- specifically,
the middle one about resource registration isn't related to key
publication, at all.
To the middle point: We state that the AS needs to support dynamic
resource registration (and client registration, which is a prerequisite)
and must allow the issuance of the corresponding PAT through a normal
OAuth flow (as opposed to the magical "you get a token somehow we don't
care" method in Core UMA). Such OAuth behavior is already profiled in
the OAuth profile which profiles OAuth. If you think this can be
clearer, please submit text making it so.
To the first and third points: It's stated in the OAuth profile that the
AS's JWK Set must be able to be fetched over HTTPS and may be cached.
It's up to the other side to do the fetching and caching, including any
RS that needs to register sets. I don't believe that needs to be spelled
out separately, but if you think it does, please submit text.
Thanks,
-- Justin
On 12/3/2015 4:35 AM, Adrian Gropper wrote:
> In section 4.1 Discovery of
> http://openid.bitbucket.org/HEART/openid-heart-oauth2.html, we have
> the requirement for each AS to have a public key ( jwks_uri The fully
> qualified URI of the server's public key in JWK Set
> <http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#RFC7517>
> [RFC7517] format ) This is good and clear.
>
> Correspondingly, in the UMA profile
> http://openid.bitbucket.org/HEART/openid-heart-uma.html I might expect
> a clearer reference to the resource registration aspects of UMA. As
> far as I can tell, this is mentioned in Section 2. Tokens as "It is
> RECOMMENDED that the PAT use a user-delegated mechanism for issuance
> and the AAT use a non-delegated method for issuance."
>
> Does the HEART UMA profile require that a Resource Server MUST be
> capable of storing a separate AS public key (presumably the jwks_uri
> in OAuth 4.1) for every registered resource? If so, where is this
> stated and could it be made clearer?
>
> Adrian
>
> --
>
> Adrian Gropper MD
>
> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: http://patientprivacyrights.org/donate-2/
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20151203/071a25b4/attachment.html>
More information about the Openid-specs-heart
mailing list