User-Managed Access (UMA) 2.0

The authorization server MUST present an HTTP-based protection API, protected by TLS and OAuth (or an OAuth-based authentication protocol), for use by resource servers. The authorization server thus has an OAuth token endpoint and authorization endpoint. The authorization server MUST declare all of its protection API endpoints in its configuration (see Section 1.4).

The protection API consists of three endpoints:

• Resource registration endpoint as defined by [OAuth-resource-reg]
• Permission endpoint as defined by Section 3.2
• Token introspection endpoint as defined by ERROR: Undefined target: RFC7662 (at line 332) and Section 3.4.1

The UMA resource server, which is the entity seeking protection API access, MUST be an OAuth client with client credentials and the ability to get an OAuth access token with at least the scope uma_protection. An access token with at least this scope is called a protection API access token (PAT). If a request to an endpoint fails due to an invalid, missing, or expired PAT, or requires higher privileges at this endpoint than provided by the PAT, the authorization server responds with an OAuth error.

A PAT binds a resource owner, a resource server the owner uses for resource management, and an authorization server the owner uses for protection of resources at this resource server. It is not specific to any client or requesting party. The issuance of a PAT represents the approval of the resource owner for this resource server to use this authorization server for protecting some or all of the resources belonging to this resource owner. Any OAuth authorization grant type might be appropriate depending on circumstances; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner.

Note: The PAT is used in requesting permission on the client's behalf (as described in Section 3.2). One circumstance precipitating this action is when the client has attempted access without an RPT (as described in Section 3.1.1). In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply, the resource server's API needs be structured in such a way that it can derive this information from the client's RPT-free access attempt. In practice, this information likely needs to be passed through the URI, headers, or body of the client's request.

The authorization server issues access tokens that enable client access to UMA-protected resources on the requesting party’s behalf using an OAuth extension grant type called the UMA grant type. In this grant type, the client uses the OAuth token endpoint on the requesting party’s behalf. To differentiate access tokens issued through the UMA grant type from other tokens involved in the UMA process, this access token is called the requesting party token (RPT).

In addition to the OAuth token endpoint being used for RPT issuance, the authorization server MAY also provide a claims interaction endpoint for various types of direct interaction with an end-user requesting party, which is somewhat analogous to the redirection URI defined in ERROR: Undefined target: RFC6749 (at line 386) for use by the resource owner; see Section 3.6.2 for more information about this option.

The authorization server MAY choose to issue a persisted claims token (PCT) to the client at the conclusion of the authorization process in order to optimize future RPT requests. The PCT represents the set of claims collected by the authorization server during the authorization process. It is intended to be used when this client obtains a new RPT for this requesting party at this authorization server, for the same or a different resource at the same or a different resource server, available under the same or different policies, controlled by the same or a different resource owner.

An UMA client seeking access to a resource needs OAuth client credentials issued by the UMA authorization server protecting that resource.

The resource server MAY present to clients whatever digital resources it wishes, in the form of an HTTP service (for example, API endpoints). To protect any of its resources available in this fashion using UMA, it MUST require a client to present a valid RPT with sufficient permissions for access.

Note: The first step in the process of gaining access authorization is for a client to attempt access to the resource without an RPT (as described in Section 3.1.1), and the second is for the resource server to request permissions at the authorization server on the client's behalf, which requires a PAT for authorization. In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply, the resource server's API needs be structured in such a way that it can derive this information from the client's RPT-free access attempt. In practice, this information likely needs to be passed through the URI, headers, or body of the client's request.

The authorization server has the opportunity to manage the validity periods of access tokens that it issues, their corresponding refresh tokens where applicable, the individual permission components associated with RPTs where applicable, caching periods for responses, and even the client credentials that it issues. Different time-to-live strategies may be suitable for different resources and scopes of access, and the authorization server has the opportunity to give the resource owner control over lifetimes of tokens and permissions issued on their behalf through policy. These options are all outside the scope of this specification.

The authorization server has configuration properties as follows.

issuer

REQUIRED. A URI with no query or fragment component that the authorization server asserts as its issuer identifier. This value MUST be identical to the web location of the configuration document minus the .well-known/uma2-configuration path components.

claim_token_profiles_supported

OPTIONAL. Claim token format profiles supported by this authorization server. The property value is an array of string values, where each string value MAY be a URI.

uma_profiles_supported

OPTIONAL. UMA profiles supported by this authorization server. The property value is an array of string values, where each string value is a URI identifying an UMA profile. Examples of UMA profiles are the API extensibility profiles defined in Section 5.

registration_endpoint

OPTIONAL. The endpoint to use for performing dynamic client registration in the case of the use of ERROR: Undefined target: RFC7591 (at line 474) or[OIDCDynClientReg]. The presence of this property indicates authorization server support for dynamic client registration feature; its absence indicates a lack of support. If the authorization server supports dynamic client registration, it MUST allow client applications to register a claims_redirect_uri metadata field, as defined in Section 3.6.2.

token_endpoint

REQUIRED. The endpoint URI at which the resource server is the authorization server for a PAT on behalf of the resource owner (by requesting the OAuth scope uma_protection) and at which the client asks the authorization server for an RPT on behalf of the requesting party using the UMA grant.

authorization_endpoint

REQUIRED. The endpoint URI at which the resource server gathers the authorization of an end-user resource owner for PAT issuance. Note that the UMA grant does not involve the client gathering the authorization of an end-user requesting party directly.

claims_interaction_endpoint

OPTIONAL. A static endpoint URI at which the authorization server declares that it interacts with end-user requesting parties to gather claims. If the authorization server also provides a claims interaction endpoint URI as part of its redirect_user hint in a need_info response to a client on authorization failure (see Section 3.5.4), that value overrides the one provided in this configuration property. Providing the static endpoint URI is useful for enabling interactive claims gathering prior to pushed-claims flows, so that, for example, it is possible to gather requesting party authorization for persisting all claims subsequently collected.

introspection_endpoint

REQUIRED. The endpoint URI at which the resource server introspects an RPT presented to it by a client. Usage of this endpoint is defined by ERROR: Undefined target: RFC7662 (at line 514) and Section 3.4.1. A valid PAT MUST accompany requests to this protected endpoint.

resource_registration_endpoint

REQUIRED. The endpoint URI at which the resource server registers resources to put them under authorization manager protection. Usage of this endpoint is defined by [OAuth-resource-reg] and Section 2. A valid PAT MUST accompany requests to this protected endpoint.

permission_endpoint

REQUIRED. The endpoint URI at which the resource server requests permissions on the client's behalf. Usage of this endpoint is defined by Section 3.2. A valid PAT MUST accompany requests to this protected endpoint.

The authorization server MUST make its configuration properties available in a JSON document at the path formed by concatenating the string /.well-known/uma2-configuration to the issuer configuration property value as defined in Section 1.4.1. The syntax and semantics of /.well-known are defined in ERROR: Undefined target: RFC5785 (at line 541) and apply to the issuer value when it contains no path component.

Any entity, such as a resource server or client, seeking an authorization server configuration document MUST query it using an HTTP GET request.

Example:

GET /.well-known/uma2-configuration HTTP/1.1
Host: example.com
}

If the issuer value contains a path component, the caller MUST remove any terminating slash before appending /.well-known/uma2-configuration.

For example, the caller would make the following request to the issuer https://example.com/issuer1, since the issuer value contains a path component:

GET /issuer1/.well-known/uma2-configuration HTTP/1.1
Host: example.com
}

A successful authorization server response to a configuration document query MUST use the HTTP 200 (OK) status code and return a JSON object using the application/json content type containing the configuration properties as defined in Section 1.4.1.

Example (note the use of https: for endpoints throughout):

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "issuer":"https://example.com",
   "claim_token_profiles_supported":[  
      "https://example.com/claims/formats/token1"
   ],
   "registration_endpoint":"https://as.example.com/dyn_client_reg_uri",
   "token_endpoint":"https://as.example.com/token_uri",
   "authorization_endpoint":"https://as.example.com/authz_uri",
   "claims_interaction_endpoint":"https://as.example.com/claims_uri",
   "resource_registration_endpoint":"https://as.example.com/rs/rsrc_uri",
   "introspection_endpoint":"https://as.example.com/rs/status_uri",
   "permission_endpoint":"https://as.example.com/rs/perm_uri"
}

Example of a client request at a protected resource carrying no RPT:

GET /users/alice/album/photo.jpg HTTP/1.1
Host: photoz.example.com
...

If the resource server chooses to respond, it next requests one or more permissions on the client's behalf (see Section 3.2).

Example of a client request at a protected resource carrying an RPT using the UMA Bearer RPT profile:

GET /users/alice/album/photo.jpg HTTP/1.1
Authorization: Bearer vF9dft4qmT
Host: photoz.example.com
...

If the resource server chooses to respond, it next determines the RPT's status (see Section 3.4).

The resource server uses the POST method at the permission endpoint. The body of the HTTP request message contains a JSON object (for a request containing a single resource identifier) or array (for a request containing more than one resource identifier) providing the request, using a format derived from the resource description format specified in [OAuth-resource-reg], as follows. The object used in both forms has the following properties:

resource_id

REQUIRED. The identifier for a resource to which the resource server is requesting permission on behalf of the client. The identifier MUST correspond to a resource that was previously registered.

resource_scopes

REQUIRED. An array referencing one or more identifiers of scopes to which the resource server is requesting access for this resource on behalf of the client. Each scope identifier MUST correspond to a scope that was previously registered by this resource server for the referenced resource.

Example of an HTTP request for a single-resource-set permission at the authorization server's permission endpoint, with a PAT in the header:

POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...

{  
   "resource_id":"112210f47de98100",
   "resource_scopes":[  
      "view",
      "http://photoz.example.com/dev/actions/print"
   ]
}

Example of an HTTP request for a multiple-resource-set permission at the authorization server's permission endpoint, with a PAT in the header:

POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...

[  
   {  
      "resource_id":"7b727369647d",
      "scopes":[  
         "view",
         "crop",
         "lightbox"
      ]
   },
   {  
      "resource_id":"7b72736964327d",
      "scopes":[  
         "view",
         "layout",
         "print"
      ]
   },
   {  
      "resource_id":"7b72736964337d",
      "scopes":[  
         "http://www.example.com/scopes/all"
      ]
   }
]

The authorization server uses a permission ticket to maintain the state of a set of requested permissions, initially conveyed on the client's behalf by the resource server at attempted resource access time, for the period of time that the client continues to seek authorization for that attempted access.

The authorization server MUST make permission ticket values unguessable by resource servers and clients. Within these constraints, however, the authorization server MAY format the ticket however it chooses, for example either as a random string that references data held on the server or by including data within the ticket itself.

Permission tickets MUST be single-use.

The authorization server MUST invalidate a permission ticket when the client presents the permission ticket either to the token endpoint or interactive claims endpoint; or when the permission ticket expires, whichever occurs first.

See [UMA-Impl] for more information about permission ticket management.

If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket property in the JSON-formatted body.

For example:

HTTP/1.1 201 Created
Content-Type: application/json
...

{  
   "ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de"
}

If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes (see Section 4.2 for more information about error codes and responses):

invalid_resource_id

At least one of the provided resource identifiers was not found at the authorization server.

invalid_scope

At least one of the scopes included in the request was not registered previously by this resource server for the referenced resource.

If the client's request at a protected resource has no RPT, or has an invalid RPT or insufficient permissions associated with the RPT as determined through RPT status checking (see Section 3.4), and the resource server successfully requested one or more permissions and received a permission ticket (see Section 3.2), then assuming the resource server chooses to respond to the client with an UMA response, it MUST provide a WWW-Authenticate header with the authentication scheme UMA, with the issuer URI from the authorization server's configuration document in an as_uri parameter and the just-received permission ticket in a ticket parameter.

Example of the resource server's response to a client after having requested one or more permissions and received a permission ticket:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="example",
  as_uri="https://as.example.com",
  ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
...

On receiving a response from the resource server with permission ticket and authorization server location information, the client next seeks authorization (see Section 3.5).

If the client's request at the protected resource has no RPT, or has an invalid RPT or insufficient permissions associated with the RPT as determined through RPT status checking (see Section 3.4), and the resource server received an error of any kind from the authorization server when trying to request permissions such that it did not receive a permission ticket, then assuming the resource server chooses to respond to the client, it is unable to create a WWW-Authenticate: UMA header and MUST include a header of the following form in its response to the client: Warning: 199 - "UMA Authorization Server Unreachable".

For example:

HTTP/1.1 403 Forbidden
Warning: 199 - "UMA Authorization Server Unreachable"
...

The client's presentation of a valid RPT associated with sufficient permissions as determined through RPT status checking (see Section 3.4) indicates that the resource owner's policies have been met for access to the protected resource. The resource server MAY apply additional authorization controls when determining how to respond.

Example of the resource server's response to the client:

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "f_number":"f/5.6",
   "exposure":"1/320",
   "focal_length_mm":150,
   "iso":400,
   "flash":false
}

The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization. To ensure the integrity of the ecosystem in which the resource server, authorization server, and resource owner are participating, it is RECOMMENDED for the parties to establish agreements about access rules in this case on a legal or contractual level. See Section 7.5 for more information.

The resource server's request for introspection of an RPT MUST use the OAuth token introspection endpoint (defined by ERROR: Undefined target: RFC7662 (at line 1100)) declared by the authorization server in its configuration document. The authorization server MUST require requests to this endpoint to be accompanied by a PAT. The PAT provides resource-owner context to the authorization server as well as demonstrating authorized access.

Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:

POST /rs/status_uri HTTP/1.1
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
}

The authorization server's response to the resource server MUST use ERROR: Undefined target: RFC7662 (at line 1124), responding with a JSON object with the structure dictated by that specification, extended as follows.

If the active property has a Boolean value of true, then the JSON object MUST NOT contain a scope claim, and MUST contain an extension property with the name permissions that contains an array of zero or more values, each of which is an object consisting of these properties:

resource_id

REQUIRED. A string that uniquely identifies the protected resource, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected.

resource_scopes

REQUIRED. An array referencing one or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.

exp

OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire. If the property is absent, the permission does not expire. If the token-level exp value pre-dates a permission-level exp value, the former overrides the latter.

iat

OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. If the token-level iat value post-dates a permission-level iat value, the former overrides the latter.

nbf

OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value, the former overrides the latter.

Example:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
...

{  
   "active":true,
   "exp":1256953732,
   "iat":1256912345,
   "permissions":[  
      {  
         "resource_id":"112210f47de98100",
         "resource_scopes":[  
            "view",
            "http://photoz.example.com/dev/actions/print"
         ],
         "exp":1256953732
      }
   ]
}

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per ERROR: Undefined target: RFC6749 (at line 1236) Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type

REQUIRED. MUST be the value urn:ietf:params:oauth:grant-type:uma-ticket.

ticket

REQUIRED. The permission ticket.

rpt

OPTIONAL. If the client had included an RPT in its failed access attempt to the resource, it MAY include the same RPT here.

scope

OPTIONAL. A string of space-separated values representing the scopes that the client is requesting. [ISSUE: What is the relationship between these scopes and multiple resources, if the permission ticket maps to such? ISSUE: Provide one or more examples of requesting scopes?]

claim_tokens

OPTIONAL. Claims pushed directly from the client to the authorization server. See Section 3.6.1 for more information.

pct

OPTIONAL. If the authorization server previously returned a PCT along with an RPT, the client MAY include the PCT in order to optimize the process of seeking a new RPT. Given that some claims represented by a PCT are likely to contain identity information about a requesting party, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. See Section 7.1.2 for additional PCT security considerations.

Example of a request message containing a permission ticket:

POST /token HTTP/1.1
Host: as.example.com
Authorization: Bearer jwfLG53^sad$#f
...
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&
ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&rpt=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv

The authorization server uses the permission ticket to look up the details of the previously requested set of permissions, maps the permissions to operative resource owner policies based on the resource identifier and scopes associated with it, potentially requests and receives claims, and ultimately responds positively or negatively to the request for permissions.

The authorization server bases the issuance of permissions on resource owner policies. Thus, these policies function as authorization that has been granted ahead of time. The authorization server is also free to enable the resource owner to set policies that require the owner to interact with the server to authorize an access attempt in near-real time, or to help the resource owner field access requests as acts of post hoc authorization. Thus, authorization by UMA methods constitutes an asynchronous authorization grant. All such processes are outside the scope of this specification.

The authorization server evaluates the policies in light of claims and any other information in evidence. The claims MAY have come from one or more of three sources: pushed directly by the client using the claim_tokens parameter during the just-previous authorization process, gathered interactively at the claims interaction endpoint during the just-previous authorization process, or represented by the PCT presented by the client in the pct parameter. The authorization server could have collected the additional information by performing out-of-band client or requesting party claim lookups in external repositories, or checking a variety of other factors that are either dependent on client or requesting party context (such as apparent IP address) or independent of them (such as time of day).

Since policies are out of band for UMA and the authorization server's policy expression and evaluation capabilities might take a simple or arbitrarily complex form, its corresponding abilities to combine or perform calculations over claim values might also vary.

Note: If the client incompletely satisfies any policy criteria, the authorization server is free either to partially fulfill the elements of that request, for example, granting authorization to some scopes associated with a requested permission but not all, or to reject the request.

The authorization server MUST use a default-deny authorization assessment model in adding permissions to RPTs, that is, "everything that is not expressly allowed is forbidden" for resources for which resource servers have requested access permission on behalf of clients. Exercise caution in implementing default-deny because corner cases can inadvertently result in default-permit behavior. For example, it is insufficient simply to assume that all resources have some non-zero set of claims required for access, and then accept an empty set of supplied claims as sufficient for access. See [UMA-Impl] for further discussion.

If the authorization server's assessment process results in issuance of permissions (see Section 3.5.2), it returns an HTTP 200 (OK) status code with a response body containing the RPT with which it has associated the requested permissions.

Note: The authorization server is free to choose to return either the same RPT that appeared in the request or a new RPT, and it is also free to choose to invalidate or retain the validity of the original RPT or any permission that was previously added to that RPT. To assist in client interoperability and token caching expectations, it is RECOMMENDED that authorization servers document their practices. [UMA-Impl] discusses the implications.

Example:

HTTP/1.1 200 OK
Content-Type: application/json
... 

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer"
}

The authorization server MAY include an OAuth refresh token with the RPT.

3.5.3.1 Authorization Server Response to Client on Authorization Success with Persisted Claims Token

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer",
   "pct":"c2F2ZWRjb25zZW50"
}

If the client's request to the token endpoint is not sufficient for granting an RPT, the authorization server responds using one of the following UMA error codes and corresponding HTTP status codes (see Section 4.2 for more information about error codes and responses):

invalid_ticket

The provided ticket was not found at the authorization server. The authorization server responds with the HTTP 400 (Bad Request) status code.

expired_ticket

The provided ticket has expired. The authorization server responds with the HTTP 400 (Bad Request) status code.

not_authorized

The client is not authorized to have these permissions added. The authorization server responds with the HTTP 403 (Forbidden) status code.

invalid_scope

At least one of the scopes included in the request does not match an available scope for any of the resources associated with requested permissions for the permission ticket provided by the client. The authorization server responds with the HTTP 400 (Bad Request) status code.

request_submitted

The authorization server requires intervention by the resource owner to determine whether the client is authorized to have these permissions. The authorization server responds with the HTTP 403 (Forbidden) status code.

need_info

The authorization server needs additional information in order to determine whether the client is authorized to have these permissions. The authorization server responds with the HTTP 403 (Forbidden) status code. It MAY also respond with an error_details object that contains one or more sub-properties with hints about the nature of further required information. The client then has the opportunity to engage in follow-on flows to continue seeking authorization (see Section 3.6).

The first five error responses conclude the authorization server's interaction with the client, and the client is free to attempt access to the protected resource another time. The sixth error response, need_info, begins or continues an authorization process loop that concludes only when the client receives one of the other five errors or a success condition (as described in Section 3.5.3).

Example when the ticket has expired:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"expired_ticket"
}

Example of a need_info response with a full set of error_details hints:

HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"need_info",
   "error_details":{  
      "required_claims":[  
         {  
            "name":"email23423453ou453",
            "friendly_name":"email",
            "claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
            "claim_token_format":[  
               "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken"
            ],
            "issuer":[  
               "https://example.com/idp"
            ]
         }
      ],
      "redirect_user":"https://as.example.com/rqp_claims_uri?id=2346576421"
   }
}

The error_details object is OPTIONAL for the authorization server to provide. It provides hints about additional requirements regarding information the authorization server needs about the requesting party. On receiving such hints, the client has the opportunity to engage, or engage the requesting party, with the authorization server in claims collection flows of various types. The error_details sub-property MAY contain the following parameters, where at least one of required_claims or redirect_user MUST be supplied.

required_claims

An array containing objects that describe characteristics of the required claims, with the following properties:

name

OPTIONAL. A string (which MAY be a URI) representing the name of the claim; the "key" in a key-value pair.

friendly_name

OPTIONAL. A string that provides a more human-readable form of the attribute's name, which may be useful as a "display name" for use in user interfaces in cases where the actual name is complex or opaque, such as an OID or a UUID.

claim_type

OPTIONAL. A string, indicating the expected interpretation of the provided claim value. The string MAY be a URI.

claim_token_format

OPTIONAL. An array of strings specifying a set of acceptable formats for a token pushed by the client containing this claim (see Section 3.6.1). Any one of the referenced formats would satisfy the authorization server's requirements. Each string MAY be a URI.

issuer

OPTIONAL. An array of strings specifying a set of acceptable issuing authorities for the claim. Any one of the referenced authorities would satisfy the authorization server's requirements. Each string MAY be a URI.

redirect_user

OPTIONAL. The claims interaction endpoint URI to which to redirect the end-user requesting party at the authorization server to continue the process of interactive claims gathering. For example, the authorization server may require the requesting party to fill out a CAPTCHA to help prove humanness. If the requesting party is not an end-user, then no client action would be possible on receiving the hint. If a static claims interaction endpoint was also provided in the authorization server's configuration document, then this value overrides the static value. Providing a value in this response might be appropriate, for example, if the URI needs to be customized per requesting party.

ticket

A permission ticket that allows the client to make further requests to the authorization server during this attempted authorization. The value of this permission ticket MUST NOT be the same as the one the client used to make its request.

The authorization server has two options for collecting claims through UMA mechanisms: accepting client-pushed claims (see Section 3.6.1) and interacting with an end-user requesting party to gather claims (see Section 3.6.2). See Section 7 for important security considerations regarding claims collection.

If the authorization server can accept pushed claims (for example, as it might have indicated by providing requesting_party_claims hints illustrated in Section 3.5.4), the client has the option to push claim tokens to the token endpoint. The claim token can reflect the client's role as a federated identity provider, a federated relying party, or an application integrated with a native identity repository.

If the client is aware of the authorization server's requirements for claims through an out-of-band relationship, the client MAY push claim tokens in an initial interaction with the token endpoint.

The client supplies claim tokens in the body of the request message by providing, in addition to the rpt and ticket properties, the following property:

claim_tokens

REQUIRED. An array of objects with the following properties:

format

REQUIRED. A string specifying the format of the accompanying claim tokens. The string MAY be a URI.

token

REQUIRED. A string containing the claim information in the indicated format, base64url encoded if it is not already so encoded. If claim token format features are included that require special interpretation, the client and authorization server are assumed to have a prior relationship that establishes how to interpret these features. For example, if the referenced format equates to SAML 2.0 assertions and the claim token contains audience restrictions, it is the joint responsibility of the client and authorization server to determine the proper audience values that enable successful token consumption (see for Section 7.5.1 relevant security considerations).

Example:

POST /token HTTP/1.1
Host: www.example.com
Authorization: Bearer jwfLG53^sad$#f
...

{  
   "rpt":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de",
   "claim_tokens":[  
      {  
         "format":"http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken",
         "token":"..."
      }
   ]
}

This specification provides a framework for extensibility through claim token format profiling. The authorization server MAY support any number of claim token profiles, and SHOULD document the claim token profiles it supports in its configuration document.

If the authorization server has declared a claims interaction endpoint in its configuration document, or if the authorization server requires direct interaction with the requesting party as part of its claims collection process (for example, as it might have indicated through the redirect_user hint illustrated in Section 3.5.4), the client has the option to redirect an end-user requesting party to the claims interaction endpoint. In this case, the authorization server might be a relying party in a federated identity interaction, or it might connect to a directory or other user repository, or even interact with the user in other ways, such as presenting a questionnaire in a web form. After this process completes, the authorization server redirects the end-user requesting party back to the client.

The client constructs the request URI by adding the following parameters to the query component of the claims interaction endpoint URI using the application/x-www-form-urlencoded format:

client_id

REQUIRED. The client's identifier issued by the authorization server.

claims_redirect_uri

OPTIONAL. The URI to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. The URI MUST be absolute, MAY contain an application/x-www-form-urlencoded-formatted query parameter component that MUST be retained when adding additional parameters, and MUST NOT contain a fragment component. The authorization server SHOULD require all clients to register their redirection endpoint prior to utilizing the authorization endpoint (either using a static process or through ERROR: Undefined target: RFC7591 (at line 1694) or [OIDCDynClientReg]). Claims redirection URIs are different from the redirection URIs defined in ERROR: Undefined target: RFC6749 (at line 1697) in that they are intended for the exclusive use of requesting parties and not resource owners. Therefore, authorization servers MUST NOT redirect requesting parties to pre-registered redirection URIs defined in ERROR: Undefined target: RFC6749 (at line 1701) unless such URIs are also pre-registered specifically as claims redirection URIs. If the URI is pre-registered, this URI MUST exactly match one of the pre-registered claims redirection URIs, with the matching performed as described in Section 6.2.1 of ERROR: Undefined target: RFC3986 (at line 1706) (Simple String Comparison).

ticket

REQUIRED. The latest permission ticket associated with the client's current request an RPT for this requesting party.

state

RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user agent back to the client. The use of this parameter is for preventing cross-site request forgery.

Example of a request issued by a client application (line breaks are shown only for display convenience):

GET /rqp_claims?client_id=some_client_id&state=abc
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&claims_redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fredirect_claims HTTP/1.1
Host: as.example.com

At the conclusion of its interaction with the requesting party, the authorization server returns the user agent to the client adding the following parameters to the query component of the claims redirection URI using the application/x-www-form-urlencoded format:

authorization_state

REQUIRED. Indicates that the authorization server completed its claims-gathering interaction with the requesting party with the indicated state:

claims_submitted

The client is free to return to the token endpoint to seek permissions once again.

not_authorized

The client is not authorized to have the desired permissions added.

need_info

The authorization server needs additional information in order to determine whether the client is authorized to have these permissions. This response directs the client to return to the token endpoint, where it might be provided with error_details hints about additional information needed.

request_submitted

The authorization server requires intervention by the resource owner to determine whether permissions can be added. Further immediate interaction between the client, requesting party, and authorization server is out of scope of this specification.

ticket

OPTIONAL. A permission ticket that allows the client to make further requests to the authorization server during this attempted authorization. The value of this permission ticket MUST NOT be the same as the one the client used to make its request.

state

OPTIONAL. The same state value that the client provided in the request. It MUST be present if and only if the client provided it.

The client MUST ignore unrecognized response parameters. If the request fails due to a missing, invalid, or mismatching claims redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user agent to the invalid redirection URI. If the request fails for reasons other than a missing or invalid claims redirection URI, the authorization server informs the client by adding an error parameter to the query component of the claims redirection URI using the application/x-www-form-urlencoded format, containing one of the following ASCII error codes:

invalid_request

The request is missing a required parameter, includes an invalid parameter value (such as an invalid or expired ticket), includes a parameter more than once, or is otherwise malformed.

server_error

The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because an HTTP 500 (Internal Server Error) status code cannot be returned to the client via an HTTP redirect.)

temporarily_unavailable

The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because an HTTP 503 (Service Unavailable) status code cannot be returned to the client via an HTTP redirect.)

Example of a response issued by an authorization server (line breaks are shown only for display convenience):

GET /redirect_claims?&state=abc
&authorization_state=claims_submitted HTTP/1.1
Host: client.example.com

3.6.2.1 Authorization Server Gathers Requesting Party Authorization for Trust Elevation by Client: Persisted Claims

Like ordinary OAuth redirection, UMA redirection for the purpose of gathering claims from an end-user requesting party (described in Section 3.6.2) creates the potential for cross-site request forgery (CSRF) through an open redirect if the authorization server does not force the client to pre-register its claims redirection endpoint, and server-side artifact tampering if the client does not avail itself of the state parameter. The client SHOULD check that the ticket value returned by an authorization server after a claims redirect is completed has not been maliciously changed, for example by a man in the browser, by using the state parameter. (See [UMA-Impl] for advice on ways to accomplish this.) Sections 4.4.1.8, 4.4.2.5, and 5.3.5 of ERROR: Undefined target: RFC6819 (at line 2215) are apropos for the UMA claims-gathering redirection flow as well.

When a client redirects an end-user requesting party to the claims interaction endpoint, the client provides no a priori context to the authorization server about which user is appearing at the endpoint, other than implicitly through the permission ticket. Since the authorization server is free to gather any claims it wishes, the effect is to "late-bind" them to the permission ticket and the state string provided by the client, with the effect of enabling the authorization server not to trust client-asserted claims. This is a desirable result and reflects one reason why the authorization server might choose to demand use of the redirect flow over the push flow. However, the client has the opportunity to switch end-users -- say, enabling malicious end-user Carlos to impersonate the original end-user Bob, who might be represented by a PCT already in that client's possession and might even have authorized the issuance of that PCT -- after the redirect completes and before it returns to the token endpoint to seek permissions.

Another issue concerns the exposure of a Bearer-type RPT to a requesting party, which could maliciously pass the token to an unauthorized party.

To mitigate requesting-party switching and RPT exposure threats, consider the following strategies.

• Require that the requesting party legitimately represent the wielder of the bearer token on a legal or contractual level. This solution does not reduce the risk from a technical perspective.
• The authorization server, possibly with input from the resource owner, can implement tighter time-to-live strategies around the permissions in RPTs. This is a classic approach with bearer tokens that helps to limit a malicious party's ability to intercept and use the bearer token. In the same vein, the authorization server could require claims to have a reasonable degree of freshness (which would require a custom claims profile).
• A stronger strategy is to gather claims interactively from an end-user requesting party that demonstrate that some sufficiently strong level authentication was performed.
• The strongest strategy is to disallow Bearer-type RPTs within the UMA profile being deployed, by providing or requiring an RPT profile that requires use of a holder-of-key approach. In this way, the wielder of the token must engage in a live session for proof-of-possession.

A PCT is similar to a refresh token in that it carries extra power over the usage of an RPT. The authorization server and client MUST keep PCTs confidential in transit and storage, and MUST NOT share any PCT with any other entity other than the issuer or issued client, respectively. The authorization server MUST maintain the binding between a PCT and the client to which it was issued.

Given that a PCT represents a set of requesting party claims, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. Different clients will have different capabilities in this respect; for example, some applications are single-user and perform no local authentication, associating all PCTs with the "current user", while others might have more sophisticated authentication and user mapping capabilities.

Along with requiring TLS, UMA requires OAuth, or any OAuth-based authentication protocol, as the security mechanism for its protection API. The UMA resource server thus acts in the role of an OAuth client at the authorization server's protection API. While it is possible to use any profile of OAuth for this protection, it is RECOMMENDED for the authorization server to use OpenID Connect, and to use its mechanisms for stronger client authentication at the token endpoint, in order to strengthen the authentication of OAuth clients. Section 16 of [OIDCCore] provides more information on OpenID Connect security considerations.

Clients using the OAuth implicit grant type carry particular vulnerabilities in OAuth, and using OpenID Connect is of no help in this circumstance. This is true where an UMA resource server is used as an OAuth client for obtaining a PAT on a resource owner's behalf, and also where an authorization server is gathering claims from a requesting party through OAuth.

For example, an "implicit client" might require the retrieval of PATs more frequently, for each browser on each platform. An attacker can initiate a spear phishing attack on the resource owner with a link to a malicious website, relying on the resource owner to authenticate to the authorization server through an email-based identity provider in order to receive the PAT. The site can impersonate the resource owner using the browser client's client ID in an OpenID Connect implicit request to the UMA authorization server. If the resource owner had previously authorized a PAT to be issued, this attempt will likely succeed. The subsequently issued PAT could be used for resource registration and other protection API tasks.

A number of mitigation strategies are possible.

• The authorization server could penalize or disallow use of the implicit grant flow. This could be done at a variety of levels:
  • Enabling resource owners to define policies controlling the use of such clients
  • Setting system-default policies controlling their use
  • Participating in mutual agreements with other parties, for example, through the definition and mandated use of profiles, that admit only suitably secure client applications to interact with service operators
• The authorization server could support dynamic client registration at the client instance level, such that each instance receives a unique client_id and secret. The client can then use the authorization code flow and have at least some form of client authentication. However, this is easier for a mobile app than for a browser-based HTML app.

This section discusses the threats surrounding client claim pushing (see Section 3.6.1).

Because claim tokens of any format typically contain audience restrictions and an authorization server would typically not be in the primary audience for a claim token held or generated by a client, it is RECOMMENDED to document how the client, authorization server, and any additional ecosystem entities and parties will establish a trust relationship and communicate any required keying material in a claim token format profile, as described in Section 6 and Section 6.3. Authorization servers are RECOMMENDED not to accept claim tokens pushed by untrusted clients and not to ignore audience restrictions found in claim tokens pushed by clients.

In the special circumstance when an authorization server is colocated with an OpenID Provider for the requesting parties within a deployment ecosystem, then it is able to act as an OpenID Relying Party for itself. This circumstance presents an opportunity for a technical optimization of the requirement for trust because the authorization server itself issued the client credentials for the client in question, and could reasonably be the singular aud value target in an OpenID Connect ID Token pushed by the client to the token endpoint.

• Claim name: permissions
• Claim description: Array of objects, each describing a set of scoped, time-limitable entitlements to a resource
• Change controller: Kantara Initiative User-Managed Access Work Group - wg-uma@kantarainitiative.org
• Specification document: Section 3.4.2 in this document

• Name: permissions
• Description: Array of objects, each describing a set of scoped, time-limitable entitlements to a resource
• Change controller: Kantara Initiative User-Managed Access Work Group - wg-uma@kantarainitiative.org
• Specification document: Section 3.4.2 in this document

• URI suffix: uma2-configuration
• Change controller: Kantara Initiative User-Managed Access Work Group - wg-uma@kantarainitiative.org
• Specification document: Section 1.4 in this document