Kantara Initiative

User-Managed Access (UMA) 2.0

Version:2.0
 
Date:2017-4-17
 
Editor:Eve Maler, ForgeRock
 
Authors:Maciej Machulak, Self
Justin Richer, Bespoke Engineering

Abstract

User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 and related standards to enable a resource owner to control protected resource access by requesting parties and their clients in an asynchronous fashion. Resources reside on any number of resource servers and a central authorization server manages the resource owner's access grants over time.

Status of This Document

This document is a draft technical specification produced by the User-Managed Access Work Group. See the Kantara Initiative Operating Procedures for more information.

Copyright Notice

Copyright © 2017 Kantara Initiative and the persons identified as the document authors. All rights reserved.

This document is subject to the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version).


Table of Contents


1. Introduction

User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 [RFC6749] and related standards to enable additions to OAuth's abilities as follows:

For example, a bank customer (resource owner) named Alice with a bank account service (resource server) can use a dedicated sharing management service (authorization server) to manage access by a spouse Bob, an accounting professional Charline, and a tax professional David (requesting parties), all using different client applications, to view account data and to give each of them differential access to payment and withdrawal functions. Alice can use the same sharing management service to give out "read", "edit", or "print" access to documents residing in a cloud file system (a different resource server) residing in a different domain to friends Erik and Frances, with whom she is working on a residential community project. (A variety of use cases can be found in [UMA-usecases] and [UMA-casestudies].)

1.1 Roles and High-Level Communications

UMA uses the OAuth roles, enhancing the definitions in some cases, and also defines a new role, the requesting party:

resource owner

An entity capable of granting access to a protected resource, the "user" in User-Managed Access. This is typically an end-user (a natural person) but it can also be non-human entity that is treated as a person for limited legal purposes (a legal person), such as a corporation.
requesting party

A natural or legal person that uses a client to seek access to a protected resource. The requesting party may or may not be the same party as the resource owner.
client

An application that is capable of making requests for protected resources with the resource owner's authorization and on the requesting party's behalf.
resource server

A server that hosts resources on a resource owner's behalf, registers resources for protection at an authorization server, and is capable of accepting and responding to requests for protected resources.
authorization server

A server that protects, on a resource owner's behalf, resources managed at a resource server.

Figure 1 shows the communications among the roles at a high level.

                                        +------------------+
                                        |     resource     |
       +- - manage (out of scope) - - - |       owner      |
       |                                +------------------+
       |                                          |
       |             protection                control
       |             API access            (out of scope)
       |             token (PAT)
       |                                          |
       v                                          v
+------------+               +----------+------------------+
|            |               |protection|                  |
|  resource  |               |   API    |   authorization  |
|   server   |<---protect----| (needs   |      server      |
|            |               |   PAT)   |                  |
+------------+               +----------+------------------+
| protected  |                          |        UMA       |
| resource   |                          |       grant      |
|(needs RPT) |                          |  (PCT optional)  |
+------------+                          +------------------+
       ^             requesting          ^  persisted   ^
       |             party token         |   claims     |
       |               (RPT)             |    token     |
       |                               push   (PCT)     |
       |                              claims       interact
       |                            +--------+        for
       +-------------access---------| client |      claims
                                    +--------+     gathering
                                           +---------------+
                                           |  requesting   |
                                           |     party     |
                                           +---------------+

Figure 1: Roles and Communications

The communications among the roles involve these concepts:

resource
A digital resource available through an HTTP service. See Section 1.3 for information about UMA's relationship with HTTP, and Section 1.3.2 for information about a resource server's responsibility for resource complexity.
protected resource
A resource for which a resource owner is able to control access grants through an authorization server.
scope
A bounded extent of access to a protected resource. Scopes are associated with particular resources; thus scopes are granted only in the context of those resources, as permissions.
permission
Authorized access to a particular resource with one or more scopes. A resource server requests one or more permissions on behalf of a client at an authorization server, receiving a permission ticket representing the entire requested set in return. If an RPT is ultimately issued, it is associated with some number of granted permissions.
policy conditions
Access grant rules configured at an authorization server that achieve resource protection.
protection API access token (PAT)
An OAuth access token with the scope uma_protection, used by the resource server at the authorization server's protection API.
requesting party token (RPT)
An OAuth access token associated with a set of permissions, used by the client to gain access to protected resources at the resource server.
permission ticket
A correlation handle that is conveyed from an authorization server to a resource server, from a resource server to a client, and from a client to an authorization server, to enable the authorization server to obtain an accurate view of requested set of permissions.
claim

A statement of the value or values of one or more attributes of an entity. An authorization server typically needs to collect and assess one or more claims of a requesting party or client against the policy conditions of a resource owner as part of protecting a resource.
claim token
A package of one or more claims provided directly (pushed) by the client to the authorization server as part of its request for the RPT at the token endpoint.
persisted claims token (PCT)
A correlation handle issued by an authorization server that represents a set of claims collected during one authorization process to be used during a future authorization process.

A resource owner manages resources at any number of resource servers, and works with an authorization server to set policy conditions that control access grants.

The authorization server presents a protection API (for more detail see Section 1.4.1) to the resource server to enable resource protection. (Except for taking part in PAT issuance, the resource owner's interactions with each server are out of scope of this specification.)

The authorization server supports the UMA grant type (for more detail see Section 1.4.2) to enable issuing grants to clients based on policy conditions in the form of a requesting party token (RPT).

The resource server presents a protected resource interface to the client (for more detail see Section 1.4.3), which enables for handling both initial resource requests by a client with no RPT and subsequent resource requests with an RPT.

1.2 Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Unless otherwise noted, all protocol properties and values are case sensitive. JSON [RFC7159] data structures defined by this specification MAY contain extension properties that are not defined in this specification. Any entity receiving or retrieving a JSON data structure SHOULD ignore extension properties it is unable to understand. Extension names that are unprotected from collisions are outside the scope of this specification.

1.3 Federated Authorization

The federation of authorization in UMA results in a conceptual separation of responsibilities:

  • The resource server defines the boundaries of a resource and its possible scopes of access by virtue of being the publisher of the API being protected.
  • The resource owner works with the authorization server to set policy conditions that match up resources and scopes to a protection scheme.
  • The client represents the requesting party in attempting resource access, requesting RPTs, and potentially requesting authorization for specific scopes during the latter activity.
  • The authorization server executes centralized policy conditions when clients attempt protected-resource access on behalf of the requesting party, with an ultimate result of RPT issuance or denial.

Implementers have the opportunity to develop extensions and profiles (see Section 5) that specify and restrict various options, according to deployment and usage conditions.

Practical control of access among loosely coupled parties typically requires more than just messaging protocols. It is out of scope of this specification to define more than the "technical contract" between UMA-conforming entities. The legally responsible parties representing these entities may form contracts for, and laws and regulations may govern, access-granting relationships. Parties that are operating entities claiming to be UMA-conforming should provide documentation of any rights and obligations between and among them; see Section 6.7 for more information.

1.3.1 HTTP Usage

This specification is designed for use with HTTP [RFC2616], and for interoperability and security in the context of loosely coupled services and applications operated by independent parties in multiple domains. The following are REQUIRED:

  • The authorization server MUST expose its endpoints over HTTP.
  • The authorization server MUST use TLS protection over its endpoints, as governed by [BCP195], which discusses deployment and adoption characteristics of different TLS versions.
  • The authorization server MUST use OAuth (or an OAuth-based authentication protocol) to secure its protection API endpoints. For those OAuth protection use cases where an identity token is desired in addition to an access token, it is RECOMMENDED that an OAuth-based authentication protocol such as OpenID Connect [OIDCCore] be used.
  • The resource server MUST expose its protected resources through an HTTP service.

The use of UMA over any protocol other than HTTP is undefined. In such circumstances, it is RECOMMENDED to define profiles or extensions to achieve interoperability among independent implementations (see Section 5).

1.3.2 Resource and Scope Interpretation

The resource server is privy to information about resource semantics and structure, of which it exposes only a subset through resource registration and API documentation. Thus, it is responsible for certain resource and scope interpretation tasks.

The resource server MAY register a single resource for protection that, from its perspective, has multiple parts, or has dynamic elements such as the capacity for querying or filtering, or otherwise has internal complexity. The resource server alone is responsible for maintaining any required mappings between internal representations and the resource identifiers and scopes known to the authorization server.

Because access attempts on resources by clients are unaware of resource identifiers, the process of making a permission request also requires interpretation by the resource server in order to establish a suitable resource identifier, resource owner, and authorization server. Section 1.4 discusses relevant requirements on the protected resources given this resource server task, and Section 3.4 discusses how the resource server should communicate expectations regarding permission requests to the client.

For its part, in order for the client to have a scope considered by the authorization server as part of an authorization assessment calcultion, it MUST pre-register for the scope at the authorization server (at which point the client acts on its own behalf) and also request the scope during an RPT request at the token endpoint (at which point it acts on the requesting party's behalf).

1.3.3 Policy and Time-to-Live Management

A variety of authorization, security, and time-to-live policies could be managed on a per-resource owner basis or a per-authorization server basis, as the entities see fit. Validity periods of PATs, RPTs, refresh tokens, permissions, caching periods for responses, and even OAuth client credentials are all subject to management. Different time-to-live strategies may be suitable for different resources and scopes of access. These options are all outside the scope of this specification; where deployment ecosystems using independent implementations seek a consistent high level of security, profiling is RECOMMENDED (see Section 5).

Note: The resource server generally requires access to the protection API when an end-user resource owner is not available (that is, "offline" access). Thus, the authorization server needs to manage the PAT in a way that ensures this outcome.

1.4 Protocol Flow Summary

Figure 2 shows a sample high-level protocol flow that summarizes messaging options, illustrating success paths with maximum variety. Section 1.4.1, Section 1.4.2, and Section 1.4.3 summarize key requirements of the three interfaces and related entity actions being illustrated. Section 3 provides detailed specifications of messaging flows and options that correspond to all possible success and failure paths.

resource resource        authorization             client requesting
 owner    server             server                   |      party
   |Redir...|1 for PAT issuance|                      |        |
   |<-------|*---------------->|                      |        |
   |        |2 Register resources (w/PAT)             |        |
   |        |*---------------->|                      |        |
   |        |    Attempt resource access w/no token  3|        |
   |        |<---------------------------------------#|        |
   |        |4 Request permission (w/PAT)             |        |
   |        |*---------------->|                      |        |
   |        Permission ticket 5|                      |        |
   |        |<----------------*|                      |        |
   |        |6 Return AS location, permission ticket  |        |
   |        |#--------------------------------------->|        |
   |        |           Request RPT, send permission 7|        |
   |        |                  |   ticket, push claims|        |
   |        |                  |<--------------------=|        |
   |        |   Authorization 8|= - - -+              |        |
   |        |        assessment|< - - -+              |        |
   |        |                  |9 Return need_info w/ |        |
   |        |                  |redirect_user, permission ticket
   |        |                  |=-------------------->|        |
   |        |                  |                      |10      |
   |        |                  |       for interactive|Redir...|
   |        |                  |      claims gathering|        |
   |        |                  |<---------------------|=------>|
   |        |                  |  Request RPT, send 11|        |
   |        |                  |     permission ticket|        |
   |        |                  |<--------------------=|        |
   |        |   Authorization 8|= - - -+              |        |
   |        |        assessment|< - - -+              |        |
   |        |                  |12 Issue RPT w/PCT (opt)       |
   |        |                  |=-------------------->|        |
   |        |         Attempt resource access w/RPT 13|        |
   |        |<---------------------------------------#|        |
   |        |14 Introspect RPT (w/PAT)                |        |
   |        |*---------------->|                      |        |
   |        |   Return token 15|                      |        |
   |       introspection object|                      |        |
   |        |<----------------*|                      |        |
   |+- - - #|16 Permissions    |                      |        |
   |+- - - >|assessment        |                      |        |
   |        |17 Return resource representation        |        |
   |        |#--------------------------------------->|        |

Figure 2: Protocol Flow Summary

Steps 1, 2, 4-5, and 14-15 (arrows with an asterisk (*)) summarize communications between the authorization server and resource server that constitute the protection API and related resource owner actions. Section 1.4.1 provides a high-level definition.

Steps 7-12 (arrows with an equal sign (=); note that steps 7 and 8 are repeated) summarize communications between the authorization server and client that constitute the UMA grant and related authorization server and requesting party actions, Section 1.4.2 provides a high-level definition.

Steps 3, 6, 13, 16, and 17 (arrows with a number sign (#)) summarize communications between the resource server and client that constitute the protected resource interface and related resource server actions. Section 1.4.3 provides a high-level definition.

The authorization server presents a configuration document discovery endpoint used by both the resource server and the client, as defined by Section 2.2. The authorization server MUST declare all of its endpoints, other than the configuration document discovery endpoint itself, in the configuration document (see Section 2).

Note: In step 3, the client attempts access to a protected resource with no token, and in step 4, the resource server requests permissions on behalf of that client at the authorization server. In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply in that request, the API being accessed by the client needs to be structured in such a way that the resource server can derive this information from the client's token-free access attempt. Commonly, this information can be passed through the URI, headers, or body of the client's request. Alternatively, the entire interface could be dedicated to the use of a single resource owner and protected by a single authorization server.

1.4.1 Protection API and Related Resource Owner Actions

The authorization server's protection API consists of three endpoints:

  • Resource registration endpoint as defined by [OAuth-resource-reg] and profiled by this specification, specifically regarding the mechanism of authentication to the endpoint
  • Permission endpoint as defined by Section 3.4
  • Token introspection endpoint as defined by [RFC7662] and Section 3.8.1

The resource server is the client of this API. As noted in Section 1.3, the authorization server MUST apply TLS and OAuth protection to this API. The authorization server MUST require a PAT for API access. Thus, the resource server is an OAuth client; it MUST have OAuth client credentials from the authorization server and the ability to obtain an OAuth access token with at least the scope uma_protection (that is, a PAT). If a request to a protection API endpoint fails due to an invalid, missing, or expired PAT, or requires higher privileges at this endpoint than provided by the PAT, the authorization server responds with an OAuth error.

The PAT binds the resource owner, the resource server used for resource management, and the authorization server used for protection of those resources. The issuance of the PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting those resources. A different OAuth authorization grant type for PAT issuance may be appropriate for different types of resource owners; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner.

The resource server MAY protect any subset of the resource owner's resources using different authorization servers or other means entirely, or to protect some resources and not others. Additionally, the choice of protection regimes MAY be made explicitly by the resource owner or implicitly by the resource server. Any such partitioning by the resource server or owner is out of scope of this specification.

Note: Except for PAT issuance, the resource owner-authorization server and resource owner-resource server interfaces are out of scope of this specification. A variety of flows and user interfaces for policy condition setting involving user agents for both of these servers are possible, each with different privacy consequences for end-user resource owners. Some elements of the resource registration API and its data formats enable the building of user interfaces for policy condition setting.

Note: The resource server is responsible for managing the process and timing of registering resources, maintaining the registration of resources, and deregistering resources at the authorization server. See [UMA-Impl] for a discussion of resource registration options.

1.4.2 UMA Grant and Related Authorization Server and Requesting Party Actions

The UMA grant (defined throughout Section 3.6) consists of the following endpoints:

  • OAuth token endpoint as defined by [RFC6749] and Section 3.6. The token endpoint handles client requests for, and issues, RPTs. The UMA grant type is defined for use on the requesting party's behalf rather than the resource owner's behalf, as in the case of grants defined in [RFC6749].
  • OPTIONAL claims interaction endpoint as defined by Section 3.6.2. This endpoint plays a role in UMA somewhat similar to OAuth's authorization endpoint, but it is defined for use by the requesting party rather than the resource owner. For interactive claims-gathering, the client SHOULD register a claims_redirect_uri with the authorization server (as further defined in Section 3.6.2).

The authorization server's function is to perform authorization on behalf of one or more resource owners. The RPT resulting from successful authorization binds the requesting party, the client, the authorization server, the resource server, and the resource owner.

The authorization process is the process through which the client attempts to obtain an RPT from the authorization server in order to access a protected resource on behalf of a requesting party. The client and resource server both have opportunities to influence the set of permissions ultimately requested as part of the RPT request. The client also has an opportunity to seek upgrading of an existing RPT by providing that RPT on its request.

It is OPTIONAL for the authorization server to issue a persisted claims token (PCT) to the client when issuing an RPT in order to optimize a future RPT request. The PCT represents the set of claims collected by the authorization server during the current authorization process. It is intended to be used at the same authorization server as appropriate when the same client seeks an RPT for the same requesting party in a subsequent authorization process, even if for a different resource or at a different resource server entirely.

The authorization server conducts the authorization process in three phases, with some potential variation in order and looping as follows:

  • A claims collection phase. Two kinds of claims collection involving UMA flows are possible: claims pushing by a client and interactive claims gathering with an end-user requesting party. This phase occurs first in the authorization process in the following circumstances:
    • When the client redirects an end-user requesting party to the authorization server for interactive claims gathering as its first step after receiving a permission ticket. For this to happen, the client needs the authorization server to have statically declared a claims interaction endpoint in its configuration document.
    • When the client requests an RPT at the token endpoint with pushed claims as its first step after receiving a permission ticket.
  • An authorization assessment phase (as defined in Section 3.6.4). This phase involves the authorization server assembling and evaluating policy conditions, scopes, claims, and other relevant information in evidence in order to mitigate access authorization risk. This phase occurs first in the authorization process when the client requests an RPT at the token endpoint as its first step after receiving a permission ticket without pushing any claims.
  • An authorization result phase (as defined in Section 3.6.4). In this phase, the authorization server either returns a success code (as defined in Section 3.6.5), an RPT, and an optional PCT, or an error code (as defined in Section 3.6.6). If the error code is need_info or request_submitted, the authorization server provides a permission ticket, giving the client an opportunity to continue within the same authorization process.

Different choices of phase order, claim collection style, and use of the error_details hints inside need_info might be best suited for different deployment ecosystems. For example, where no pre-established relationship is expected between the resource owner's authorization server and the requesting party, initial requesting party redirection and a redirect_user hint may be a useful pattern, at which point the authorization server might either authenticate the requesting party locally or serve as a relying party for a remote identity provider. Where a common authorization server also functions as an identity provider for all resource owners and requesting parties, having the client push claim tokens sourced from that central server itself with a pre-negotiated format and contents may be an alternate useful pattern.

1.4.3 Protected Resource Interface and Related Resource Server Actions

As noted in Section 1.3, this specification defines flows for protecting resources exposed only in the form of an HTTP service. The digital resources MAY take any form (for example, API endpoints).

Once a resource is registered for protection, and until it has been deregistered, the resource server MUST require the client to present a valid RPT with sufficient permissions before giving access.

Note: The following aspects of the resource server-client relationship are out of scope of this specification:

  • How the client acquired knowledge of the resource server's interface and the specific endpoint of the desired protected resource. For example, the resource server might have a formally documented API or it might serve up a simple web page, and the resource owner might have advertised the endpoint publicly on a blog or other website, listed it in a discovery service, or emailed a link to a particular intended requesting party.
  • The impetus for the client's access attempt. For example, an end-user requesting party might have clicked on a publicly available thumbnail representation of a graphics-based resource to retrieve a protected higher-resolution version.

2. Authorization Server Configuration

The authorization server supplies configuration information in order to document its endpoints and the major conformance options it supports.

Where this specification does not already require optional features to be documented, it is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly, ideally by supplying the URI identifying each UMA profile and extension in its uma_profiles_supported configuration property, and by using extension configuration properties to indicate specific usage details as necessary.

2.1 Configuration Properties

The authorization server has configuration properties as follows.

issuer

REQUIRED. A URI with no query or fragment component that the authorization server asserts as its issuer identifier. This value MUST be identical to the web location of the configuration document minus the .well-known/uma2-configuration path components.
uma_profiles_supported

OPTIONAL. UMA profiles supported by this authorization server. The property value is an array of string values, where each string value is a URI identifying an UMA profile.
registration_endpoint

OPTIONAL. The endpoint to use for performing dynamic client registration in the case of the use of [RFC7591] or [OIDCDynClientReg]. The presence of this property indicates authorization server support for dynamic client registration feature; its absence indicates a lack of support. If the authorization server supports dynamic client registration, it MUST allow client applications to register a claims_redirect_uri metadata field, as defined in Section 3.6.2.
token_endpoint

REQUIRED. The endpoint URI at which the resource server asks the authorization server for a PAT on behalf of the resource owner (by requesting the OAuth scope uma_protection) and at which the client asks the authorization server for an RPT on behalf of the requesting party using the UMA grant.
authorization_endpoint

REQUIRED. The endpoint URI at which the resource server gathers the authorization of an end-user resource owner for PAT issuance. Note that the UMA grant does not involve the client gathering the authorization of an end-user requesting party directly.
claims_interaction_endpoint

OPTIONAL. A static endpoint URI at which the authorization server declares that it interacts with end-user requesting parties to gather claims. If the authorization server also provides a claims interaction endpoint URI as part of its redirect_user hint in a need_info response to a client on authorization failure (see Section 3.6.6), that value overrides the one provided in this configuration property. Providing the static endpoint URI is useful for enabling interactive claims gathering prior to any pushed-claims flows taking place, so that, for example, it is possible to gather requesting party authorization interactively for collecting all other claims in a "silent" fashion.
introspection_endpoint

REQUIRED. The endpoint URI at which the resource server introspects an RPT presented to it by a client. Usage of this endpoint is defined by [RFC7662] and Section 3.8.1. A valid PAT MUST accompany requests to this protected endpoint.
resource_registration_endpoint

REQUIRED. The endpoint URI at which the resource server registers resources to put them under authorization manager protection. Usage of this endpoint is defined by [OAuth-resource-reg] and Section 3.2. A valid PAT MUST accompany requests to this protected endpoint.
permission_endpoint

REQUIRED. The endpoint URI at which the resource server requests permissions on the client's behalf. Usage of this endpoint is defined by Section 3.4. A valid PAT MUST accompany requests to this protected endpoint.

2.2 Configuration Document and Discovery Endpoint

The authorization server MUST make its configuration properties available in a JSON document at a discovery endpoint formed by concatenating the string /.well-known/uma2-configuration to the issuer configuration property value as defined in Section 2.1. The syntax and semantics of /.well-known are defined in [RFC5785] and apply to the issuer value when it contains no path component.

2.3 Requests to Authorization Server for Configuration Document

Any entity, such as a resource server or client, seeking an authorization server configuration document MUST query it using an HTTP GET request.

Example:

GET /.well-known/uma2-configuration HTTP/1.1
Host: example.com

If the issuer value contains a path component, the caller MUST remove any terminating slash before appending /.well-known/uma2-configuration.

For example, the caller would make the following request to the issuer https://example.com/issuer1, since the issuer value contains a path component:

GET /issuer1/.well-known/uma2-configuration HTTP/1.1
Host: example.com

2.4 Authorization Server Response Containing Configuration Document

A successful authorization server response to a configuration document query MUST use the HTTP 200 (OK) status code and return a JSON object using the application/json content type containing the configuration properties as defined in Section 2.1.

Example of a configuration document returned in response to a query (note the use of https: for endpoints throughout):

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "issuer":"https://example.com",
   "registration_endpoint":"https://as.example.com/dyn_client_reg",
   "token_endpoint":"https://as.example.com/token",
   "authorization_endpoint":"https://as.example.com/authz",
   "claims_interaction_endpoint":"https://as.example.com/claims",
   "resource_registration_endpoint":"https://as.example.com/rs/rsrc",
   "introspection_endpoint":"https://as.example.com/rs/status",
   "permission_endpoint":"https://as.example.com/rs/perm"
}

Example of a configuration document response containing the uma_profiles_supported configuration property indicating that the authorization server supports an UMA profile related to the OpenID Connect-based claim token format:

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "issuer":"https://example.com",
   "uma_profiles_supported":"http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
   "registration_endpoint":"https://as.example.com/dyn_client_reg",
   "token_endpoint":"https://as.example.com/token",
   "authorization_endpoint":"https://as.example.com/authz",
   "claims_interaction_endpoint":"https://as.example.com/claims",
   "resource_registration_endpoint":"https://as.example.com/rs/rsrc",
   "introspection_endpoint":"https://as.example.com/rs/status",
   "permission_endpoint":"https://as.example.com/rs/perm"
}

3. Protocol Flow Details

Throughout this section, non-normative correspondences to the steps in Figure 2 are noted where applicable.

The recipient of each request message SHOULD respond unless it detects a security concern, such as a suspected denial of service attack that can be mitigated by rate limiting.

3.1 Resource Server Obtains PAT

In this process, the resource server obtains a PAT on the resource owner's behalf from the authorization server through an [RFC6749] grant flow.

This process assumes that the authorization server has provided the resource server with OAuth client credentials, either dynamically through [RFC7591] or [OIDCDynClientReg], or alternatively through a static process. This process corresponds to step 1 in Figure 2.

After the resource server obtains a PAT, its next step is defined in Section 3.2.

3.2 Resource Server Registers Resource for Protection

In an ongoing fashion, the resource server registers any resources with the authorization server to put them under protection as required, using the resource registration endpoint of the protection API as defined by [OAuth-resource-reg]. (See that specification for a worked example, and see [UMA-Impl] for a discussion of timing of resource registration.)

This process assumes that the resource server has discovered the authorization server's configuration document and endpoints as needed. This process corresponds to step 2 in Figure 2.

Once the resource server has put a resource under protection, the next option to act is defined in Section 3.3.

3.3 Client Attempts Access to Protected Resource With No Token

In this process, the client attempts access to a resource that the resource server considers protected, without having presented a token for authorized access.

This process corresponds to step 3 in Figure 2. This process assumes that the resource server has already registered any relevant resources for protection prior to the client's tokenless access attempt.

Note: This process does not assume that any policy conditions have already been defined at the authorization server. A variety of combinations of access attempt flows and resource owner policy condition-setting interfaces are possible.

Example of a client request at a protected resource carrying no token:

GET /users/alice/album/photo.jpg HTTP/1.1
Host: photoz.example.com
...

After the client's access attempt, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5.

3.4 Resource Server Requests Permissions on Client's Behalf With Authorization Server

In this process, the resource server requests one or more permissions on the client's behalf at the authorization server's permission endpoint.

This process assumes that the client's request at the protected resource had no token (or had an invalid RPT or insufficient permissions associated with the RPT). The success path of this process corresponds to steps 4 and 5 in Figure 2.

The resource server requests one or more permissions (resource identifiers and corresponding scopes) with the authorization server on the client's behalf. The process of choosing what permissions to request may require mapping the client's access attempt to its own desired resource identifier(s), and their resource owner and authorization server, before proceeding. The resource server SHOULD request a permission that is appropriate for the client’s access attempt. The resource server MAY request multiple permissions, and any permission MAY have zero scopes associated with it. Requesting multiple permissions may be appropriate, for example, in cases where the resource server expects the requesting party to need access to several related resources if they need access to any one of the resources. Requesting a permission with no scopes may be appropriate, for example, in cases where an access attempt involves an API call that is ambiguous without further context (role-based scopes such as user and admin may have this ambiguous quality, and an explicit client request for a particular scope at the token endpoint later can clarify the desired access). The resource server SHOULD document its intended pattern of permission requests in order to assist the client in pre-registering for and requesting appropriate scopes at the authorization server. See [UMA-Impl] for a discussion of permission request patterns.

The PAT provided in the API request enables the authorization server to map the resource server's request to the appropriate resource owner. It is only possible to request permissions for access to the resources of one resource owner, protected by one authorization server, at a time.

In its response, the authorization server returns a permission ticket for the resource server to give to the client that represents the same permissions that the resource server requested.

After this process, if the resource server was requesting permissions due to a tokenless access attempt, its next option is defined in Section 3.5. (If it was requesting permissions due to an access attempt with an RPT, defined in Section 3.7, its next option is defined in Section 3.9.)

3.4.1 Resource Server Request to Permission Endpoint

The resource server uses the POST method at the permission endpoint. The body of the HTTP request message contains a JSON object (for a request containing a single resource identifier) or array (for a request containing more than one resource identifier) providing the request, using a format derived from the resource description format specified in [OAuth-resource-reg], as follows. The object used in both forms has the following properties:

resource_id
REQUIRED. The identifier for a resource to which the resource server is requesting permission on behalf of the client. The identifier MUST correspond to a resource that was previously registered.
resource_scopes
REQUIRED. An array referencing one or more identifiers of scopes to which the resource server is requesting access for this resource on behalf of the client. Each scope identifier MUST correspond to a scope that was previously registered by this resource server for the referenced resource.

Example of an HTTP request for a single permission at the authorization server's permission endpoint, with a PAT in the header:

POST /host/rsrc HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...

{  
   "resource_id":"112210f47de98100",
   "resource_scopes":[  
      "view",
      "http://photoz.example.com/dev/actions/print"
   ]
}

Example of an HTTP request for multiple permissions at the authorization server's permission endpoint, with a PAT in the header:

POST /host/rsrc HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...

[  
   {  
      "resource_id":"7b727369647d",
      "resource_scopes":[  
         "view",
         "crop",
         "lightbox"
      ]
   },
   {  
      "resource_id":"7b72736964327d",
      "resource_scopes":[  
         "view",
         "layout",
         "print"
      ]
   },
   {  
      "resource_id":"7b72736964337d",
      "resource_scopes":[  
         "http://www.example.com/scopes/all"
      ]
   }
]

3.4.2 Permission Ticket Creation and Management

The authorization server uses a permission ticket to maintain the state of a set of requested permissions, initially conveyed on the client's behalf by the resource server at attempted resource access time, for the period of time that the client continues to seek authorization for that attempted access.

The authorization server MUST make permission ticket values unguessable by resource servers and clients. Within these constraints, however, the authorization server MAY format the ticket however it chooses, for example either as a random string that references data held on the server or by including data within the ticket itself.

Permission tickets MUST be single-use. This prevents susceptibility to a session fixation attack.

The authorization server MUST invalidate a permission ticket when the client presents the permission ticket to either the token endpoint or the interactive claims endpoint; or when the permission ticket expires, whichever occurs first.

3.4.3 Authorization Server Response to Resource Server on Permission Request Success

If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket property in the JSON-formatted body.

For example:

HTTP/1.1 201 Created
Content-Type: application/json
...

{  
   "ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de"
}

3.4.4 Authorization Server Response to Resource Server on Permission Request Failure

If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes (see Section 4 for more information about error codes and responses):

invalid_resource_id
At least one of the provided resource identifiers was not found at the authorization server.
invalid_scope
At least one of the scopes included in the request was not registered previously by this resource server for the referenced resource.

3.5 Resource Server Responds to Client's Tokenless Access Attempt

In this process, the resource server responds to the client's tokenless access attempt on a protected resource.

This process assumes that the resource server sought a permission ticket from the authorization server after a tokenless access attempt by the client. The success path of this process corresponds to step 6 in Figure 2.

After the resource server responds to the client's access attempt, assuming the client received a permission ticket, the client's next option is defined in Section 3.6.

3.5.1 Resource Server Response to Client on Permission Request Success

If the resource server successfully obtained a permission ticket from the authorization server, it responds to the client by providing a WWW-Authenticate header with the authentication scheme UMA, with the issuer URI from the authorization server's configuration document in an as_uri parameter and the just-received permission ticket in a ticket parameter.

For example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="example",
  as_uri="https://as.example.com",
  ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
...

3.5.2 Resource Server Response to Client on Permission Request Failure

If the resource server received an error of any kind when trying to request permissions such that it did not receive a permission ticket, then it is unable to create a WWW-Authenticate: UMA header and includes a header of the following form in its response to the client: Warning: 199 - "UMA Authorization Server Unreachable".

For example:

HTTP/1.1 403 Forbidden
Warning: 199 - "UMA Authorization Server Unreachable"
...

3.6 Client Seeks Authorization on Requesting Party's Behalf (UMA Grant)

This section defines the extension OAuth grant called the UMA grant. It defines forms of the client request (corresponding to steps 7 and 11 in Figure 2), redirect mechanisms for requesting party interaction (step 10), authorization assessment (step 8), and forms of the authorization server response to the client request (steps 9 and 11). Section 3.6.1 defines the grant_type URI.

The overall process assumes that:

  • The client has obtained a permission ticket and an authorization server location from the resource server.
  • The client has discovered the authorization server's configuration document and endpoints as needed.
  • The client has obtained OAuth client credentials from the authorization server, either dynamically through [RFC7591] or [OIDCDynClientReg], or alternatively through a static process, and is prepared to authenticate itself to the token endpoint.

The client seeks the authorization server's authorization for access to the protected resource on the requesting party's behalf, by requesting an RPT at the authorization server's token endpoint and possibly by redirecting an end-user requesting party to the authorization server's claims interaction endpoint. The authorization process thus begun potentially includes looping through the authorization seeking phase, and subsequent authorization server responses potentially include hints as to what further requests should contain. See Section 1.4.2 for information about the authorization process and the REQUIRED authorization assessment process (corresponding to step 8 in Figure 2).

The client MAY redirect an end-user requesting party for interactive claims gathering prior to requesting an RPT at the token endpoint. An initial client redirect of an end-user requesting party to the claims interaction endpoint assumes, in addition to the assumptions above, that the authorization server has statically declared its claims interaction endpoint in its configuration document.

Unless the authorization server responds with an error, the client's next option to respond is defined in Section 3.7.

3.6.1 Client Request to Authorization Server for RPT

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per [RFC6749] Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type
REQUIRED. MUST be the value urn:ietf:params:oauth:grant-type:uma-ticket.
ticket
REQUIRED. The most recent permission ticket received by the client as part of this authorization process.
rpt
OPTIONAL. Supplying an existing RPT gives the authorization server the option of upgrading that RPT instead of issuing a new one (see Section 3.6.4 for more about this option). Note: An RPT is bound to a specific resource owner, but it is out of scope of this specification for a protected resource's location to reveal the resource owner's identity to the client, so the client may not be aware of which RPT it received is bound to which resource owner.
scope
OPTIONAL. A string of space-separated values representing requested scopes. For any requested scope to be considered, the client MUST have pre-registered the same scope with the authorization server. The client should consult the resource server’s API documentation for details about permissions and their scopes expected to be included in permission requests.
pct
OPTIONAL. If the authorization server previously returned a PCT along with an RPT, the client MAY include the PCT in order to optimize the process of seeking a new RPT. Given that some claims represented by a PCT are likely to contain identity information about a requesting party, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. See Section 6.1.2 for additional PCT security considerations. See Section 3.6.5 for the form of the authorization server's response with a PCT.
claim_token_format
OPTIONAL. If this parameter is used, it MUST appear together with the claim_token parameter. A string specifying the format of the claim token in which the client is directly pushing claims to the authorization server. The string MAY be a URI.
claim_token
OPTIONAL. If this parameter is used, it MUST appear together with the claim_token_format parameter. A string containing directly pushed claim information in the indicated format, base64url encoded if it is not already so encoded. The client MAY provide this information on a first or subsequent request to this endpoint. The client and authorization should have pre-negotiated any claim token format features that require special interpretation. For example, if the referenced format equates to OpenID Connect ID tokens and the claim token contains audience restrictions, the client and authorization server should together determine the proper audience values that enable successful token consumption (see Section 6.7.1 relevant security considerations).

Example of a request message with no optional parameters (line breaks are shown only for display convenience):

POST /token HTTP/1.1
Host: as.example.com
Authorization: Basic jwfLG53^sad$#f
...
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de

Example of a request message that includes an existing RPT for upgrading, a scope being sought that was previously registered with the authorization server, and a PCT and a claim token for consideration in the authorization process:

POST /token HTTP/1.1
Host: as.example.com
Authorization: Basic jwfLG53^sad$#f
...
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&rpt=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
&scope=read
&pct=c2F2ZWRjb25zZW50
&claim_token_format=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23IDToken
&claim_token=eyj0...

This specification provides a way to define profiles of claim token formats for use with UMA (see Section 5). The authorization server SHOULD document the profiles it supports in its configuration document.

3.6.2 Client Redirect of Requesting Party to Authorization Server for Interactive Claims-Gathering

The client redirects an end-user requesting party' to the claims interaction endpoint for whatever interactive claims-gathering processes the authorization server requires, such as presenting a questionnaire, a local or federated login form, or an opportunity to authorize persistent storage of claims for use in later authorization processes (the latter potentially being associated with a PCT). One motivation for such redirection could have been receipt of an authorization failure response containing an error_details structure with a redirect_user hint (see Section 3.6.6).

The client constructs the request URI by adding the following parameters to the query component of the claims interaction endpoint URI using the application/x-www-form-urlencoded format:

client_id
REQUIRED. The client's identifier issued by the authorization server.
claims_redirect_uri
OPTIONAL. The URI to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. The URI MUST be absolute, MAY contain an application/x-www-form-urlencoded-formatted query parameter component that MUST be retained when adding additional parameters, and MUST NOT contain a fragment component. The authorization server SHOULD require all clients to register their claims redirection endpoint. Claims redirection URIs are different from the redirection URIs defined in [RFC6749] in that they are intended for the exclusive use of requesting parties and not resource owners. Therefore, authorization servers MUST NOT redirect requesting parties to pre-registered redirection URIs defined in [RFC6749] unless such URIs are also pre-registered specifically as claims redirection URIs. If the URI is pre-registered, this URI MUST exactly match one of the pre-registered claims redirection URIs, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
ticket
REQUIRED. The most recent permission ticket received by the client as part of this authorization process.
state
RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user agent back to the client. The use of this parameter is for preventing cross-site request forgery.

See Section 3.6.3 for the authorization server's mechanism for redirecting the requesting party back to the client.

Example of a request issued by a client application (line breaks are shown only for display convenience):

GET /rqp_claims?client_id=some_client_id&state=abc
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&claims_redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fredirect_claims HTTP/1.1
Host: as.example.com

3.6.3 Authorization Server Redirect of Requesting Party Back to Client After Interactive Claims-Gathering

At the conclusion of a successful interaction with the requesting party, the authorization server returns the requesting party to the client, adding the following parameters to the query component of the claims redirection URI using the application/x-www-form-urlencoded format:

ticket
REQUIRED. A permission ticket that allows the client to make further requests to the authorization server during this authorization process. The value MUST NOT be the same as the one the client used to make its request.
state
OPTIONAL. The same state value that the client provided in the request. It MUST be present if and only if the client provided it.

Note: Interactive claims-gathering processes are out of scope of this specification. The purpose of the interaction is for the authorization server to gather information for its own authorization assessment purposes. This redirection does not involve sending any of the information back to the client.

Prior to its redirecting the end-user requesting party back and preparatory to issuing a PCT, the authorization server MAY use the interactive claims-gathering process to gather authorization for persisting claims across authorization processes.

The client MUST ignore unrecognized response parameters. If the request fails due to a missing, invalid, or mismatching claims redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the requesting party of the error and MUST NOT automatically redirect the user agent to the invalid redirection URI.

If the request fails for reasons other than a missing or invalid claims redirection URI, the authorization server informs the client by adding an error parameter to the query component of the claims redirection URI as defined by Section 4.1.2.1 of [RFC6749].

Example of a response issued by an authorization server (line breaks are shown only for display convenience):

GET /redirect_claims?&state=abc
&ticket=cHJpdmFjeSBpcyBjb250ZXh0LCBjb250cm9s HTTP/1.1
Host: client.example.com

3.6.4 Authorization Assessment and Results Determination

When the authorization server has received a request for an RPT from a client, it assesses whether the client is authorized to receive the requested RPT and determines the results.

The authorization server MUST apply the following conceptual authorization assessment calculation in determining authorization results. Note: As this calculation is internal to authorization server operations, its particulars are out of scope of this specification.

In this assessment calculation, let a set called ClientRegistered stand for the scopes for which the client pre-registered at the authorization server, either dynamically or through some static process. Let a set called ClientRequested stand for the scopes the client most recently requested at the token endpoint. Let a set called PermissionTicket stand for the scopes associated with the most recent permission ticket presented by the client at the token endpoint.

  1. Determine the set of requested scopes as follows: RequestedScopes = PermissionTicket ∪ (ClientRequested ∩ ClientRegistered).
  2. Determine all operative policy conditions, and claims and other relevant information serving as input to them, for each scope assocated with RequestedScopes and evaluate its authorization status. Note: Claims and other information gathered during one authorization process may become out of date in terms of their relevance for future authorization processes. The authorization server is responsible for managing such relevance wherever information associated with a PCT, or other persistently stored information, is used as input to authorization, including policy conditions themselves. Note: Since the authorization server's policy expression and evaluation capabilities are out of scope, any one implementation might take a simple or arbitrarily complex form, with varying abilities to combine or perform calculations over claims and their values. For example, logical operations such as accepting "either claim value A or B" as correct may be possible.
  3. For each scope that passes the evaluation, add it to a set called CandidateGrantedScopes.

In the authorization results phase, the authorization server examines the CandidateGrantedScopes set to determine whether to issue an RPT and what permissions should be associated with it.

  • If the value of CandidateGrantedScopes is null, the result is authorization failure and the authorization server MUST subsequently issue one of the error codes (Section 3.6.6).
  • If the value is non-null and CandidateGrantedScopes = RequestedScopes, then the authorization server MUST subsequently respond with a success code and issue an RPT (upgrading as appropriate; see below).
  • If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.

The authorization server MAY implement RPT upgrading. It is RECOMMENDED for the authorization server to document its practices regarding RPT upgrades and to act consistently with respect to RPT upgrades so as to enable clients to manage tokens efficiently. If the authorization server has implemented RPT upgrading, the client has submitted an RPT in its request, and the result is success, the authorization server adds the permissions from the client's previous RPT to the RPT it is about to issue, setting the value of the upgraded property in its response containing the upgraded RPT to true (see Section 3.6.5).

The following example illustrates authorization assessment and partial results:

  • Assume a resource server has registered two resources on behalf of a resource owner, photo1 with scopes view, print, and download and photo2 with scopes view, print, download, and link.
  • The resource owner has set policy conditions that allow access to photo1 only by requesting parties that can provide claims proving they are family members, and that allow access to photo2 only by requesting parties that can provide claims saying they agree not to download, sell, or market any photo.
  • The client has pre-registered with the authorization server for download scope (so ClientRegistered contains download).
  • The client attempts what the resource server interprets as view access to photo1.
  • The resource server chooses to request a permission for view and print scopes for photo1 on the client's behalf (so PermissionTicket contains view and print).
  • The client requests download scope on the requesting party's behalf while requesting an RPT from the authorization server (so ClientRequested contains download).
  • The authorization server determines that RequestedScopes contains view, print, and download.
  • Based on the authorization server's evaluation of policy conditions associated with these scopes, CandidateGrantedScopes contains only view and print and not download (the dynamically requested scope), which is less than in RequestedScopes.
  • The authorization server has a choice whether to issue an RPT in this case.

Note: While a reasonable approach for most scenarios is to implement the classic security stance of default-deny ("everything that is not expressly allowed is forbidden"), corner cases can inadvertently result in default-permit behavior. For example, it is insufficient simply to assume that all resources have some non-zero set of claims required for access, and then accept an empty set of supplied claims as sufficient for access.

3.6.5 Authorization Server Response to Client on Authorization Success

If the authorization server's assessment process results in issuance of permissions (see Section 3.6.4), it returns an HTTP 200 (OK) status code with a response body containing the RPT with which it has associated the requested permissions. The authorization server MAY return a refresh token. See Section 3.10 for more information about refreshing an RPT.

The authorization server MAY add the following properties to its response:

pct
OPTIONAL. A correlation handle representing claims and other information collected during this authorization process, which the client is able to present later in order to optimize future authorization processes on behalf of a requesting party. The PCT MUST be unguessable by an attacker. The PCT MUST NOT disclose claims from the requesting party directly to possessors of the PCT. Instead, such claims SHOULD be associated by reference to the PCT or expressed in an encrypted format that can be decrypted only by the authorization server that issued the PCT. See Section 3.6.2 for more information about the end-user requesting party interaction option. See Section 6.1.2 for additional PCT security considerations.
upgraded
OPTIONAL. Boolean value. If the client submits an RPT in the request and the authorization server includes the permissions of the RPT from the request as part of the newly issued RPT, then it MUST set this value to true. If it sets the value to false or the value is absent, the client MUST act as if the newly issued RPT does not include the permissions associated with the RPT from the request.

The authorization server MAY include any of the parameters defined in Section 5.1 of [RFC6749] on its response, except that it is NOT RECOMMENDED to include the scope parameter. This is because RPTs are associated with scopes that are associated with specific resources.

If the authorization server is upgrading an RPT, and the RPT string is new rather than repeating the RPT provided by the client in the request, then the authorization server SHOULD revoke the existing RPT, if possible, and the client MUST discard its previous RPT. If the authorization server does not upgrade the RPT but issues a new RPT, the client MAY retain the existing RPT.

Example:

HTTP/1.1 200 OK
Content-Type: application/json
... 

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer"
}

Example with a PCT and an upgraded property in the response:

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer",
   "pct":"c2F2ZWRjb25zZW50",
   "upgraded":true
}

3.6.6 Authorization Server Response to Client on Authorization Failure

If the client's request to the token endpoint is not sufficient for granting an RPT, the authorization server responds using an error code and corresponding HTTP status code. Any error code other than need_info ends the current authorization process; the client is free to attempt access to the protected resource another time. The need_info error code begins or continues an authorization process loop that concludes only when the client receives one of the other errors or a success condition (as described in Section 3.6.5).

invalid_grant
If the provided ticket was not found at the authorization server, or the provided ticket has expired, or the client is not authorized to have these permissions added, or any other original reasons to use this error response are found as defined in [RFC6749], the authorization server responds with the HTTP 400 (Bad Request) status code.
invalid_scope
At least one of the scopes included in the request does not match an available scope for any of the resources associated with requested permissions for the permission ticket provided by the client. The authorization server responds with the HTTP 400 (Bad Request) status code.
request_submitted
The authorization server requires intervention by the resource owner to determine whether the client is authorized to have these permissions. The authorization server responds with the HTTP 403 (Forbidden) status code. This error code is unique to the UMA grant. It MUST include a ticket object.
ticket
REQUIRED. A permission ticket that allows the client to make a further request to the authorization server's token endpoint as part of this same authorization process, likely some time later in "polling" fashion, when the resource owner might have completed some approval (or denial) action. The value MUST NOT be the same as the one the client used to make its request.
need_info
The authorization server needs additional information in order to determine whether the client is authorized to have these permissions. The authorization server responds with the HTTP 403 (Forbidden) status code. It MUST include a ticket object, and it MAY also include an error_details object. This error code is unique to the UMA grant.
ticket
REQUIRED. A permission ticket that allows the client to make a further request to the authorization server's token endpoint as part of this same authorization process, potentially immediately. The value MUST NOT be the same as the one the client used to make its request.
error_details
OPTIONAL. Provides hints about information the authorization server needs to perform authorization assessment. On receiving such hints, the client has the opportunity to engage, or engage the requesting party, in claims collection flows. At least one of its two sub-properties MUST be supplied.
required_claims
An array containing objects that describe the required claims, with the following properties:
name
OPTIONAL. A string (which MAY be a URI) representing the name of the claim; the "key" in a key-value pair.
friendly_name
OPTIONAL. A string that provides a more human-readable form of the attribute's name, which may be useful as a "display name" for use in user interfaces in cases where the actual name is complex or opaque, such as an OID or a UUID.
claim_type
OPTIONAL. A string, indicating the expected interpretation of the provided claim value. The string MAY be a URI.
claim_token_format
OPTIONAL. An array of strings specifying a set of acceptable formats for a token pushed by the client containing this claim (see Section 3.6.1). Any one of the referenced formats would satisfy the authorization server's requirements. Each string MAY be a URI.
issuer
OPTIONAL. An array of strings specifying a set of acceptable issuing authorities for the claim. Any one of the referenced authorities would satisfy the authorization server's requirements. Each string MAY be a URI.
redirect_user
The claims interaction endpoint URI to which to redirect the end-user requesting party at the authorization server to continue the process of interactive claims gathering. For example, the authorization server may require the requesting party to fill out a CAPTCHA to help prove humanness. If the requesting party is not an end-user, then no client action would be possible on receiving the hint. If a static claims interaction endpoint was also provided in the authorization server's configuration document, then this value overrides the static value. Providing a value in this response might be appropriate, for example, if the URI needs to be customized per requesting party.

Example when the ticket has expired or the client's request for authorization has failed outright:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"invalid_grant"
}

Example of a need_info response with a full set of error_details hints:

HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"need_info",
   "ticket":"ZXJyb3JfZGV0YWlscw==",
   "error_details":{  
      "required_claims":[  
         {  
            "name":"email23423453ou453",
            "friendly_name":"email",
            "claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
            "claim_token_format":[  
               "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
            ],
            "issuer":[  
               "https://example.com/idp"
            ]
         }
      ],
      "redirect_user":"https://as.example.com/rqp_claims?id=2346576421"
   }
}

3.7 Client Attempts Access to Protected Resource With RPT

In this process, the client attempts to access the protected resource, now in possession of an RPT.

This process assumes that the client has completed an authorization process. This process corresponds to step 12 in Figure 2.

After the client attempts access, the resource server's next option to act is defined in Section 3.8, and its next option to respond to the client is defined in Section 3.9.

Example of a client request at a protected resource carrying an RPT:

GET /users/alice/album/photo.jpg HTTP/1.1
Authorization: Bearer sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
Host: photoz.example.com
...

3.8 Resource Server Determines RPT Status

In this process, the resource server determines the status of the RPT brought to it by the client in an access attempt.

This process assumes that the client's access attempt bore an RPT. One version of this process corresponds to steps 14-15 in Figure 2.

The resource server determines whether the RPT is active and, if so, its associated permissions. Depending on the nature of the RPT and operative caching parameters, the resource server MAY take any of the following actions as appropriate to determine the RPT's status:

  • Validate the RPT locally if it is self-contained.
  • Introspect the RPT at the authorization server using the OAuth token introspection endpoint (defined by [RFC7662] and this section) that is part of the protection API. The authorization server's response contains an extended version of the OAuth introspection object. A number of security considerations around handling and interpreting the RPT can be found throughout Section 3, and in Section 6.
  • Use a cached copy of the token introspection response if allowed (see Section 4 of [RFC7662]).

After determining the RPT status, the resource server's next option to respond is defined in Section 3.9.

3.8.1 Resource Server Request to Token Introspection Endpoint

The resource server's request for introspection of an RPT MUST use the OAuth token introspection endpoint (defined by [RFC7662]) declared by the authorization server in its configuration document. The authorization server MUST require requests to this endpoint to be accompanied by a PAT. The PAT provides resource-owner context to the authorization server as well as demonstrating authorized access.

Note: The act of using the token introspection endpoint may require the resource server to interpret which authorization server to consult and in the context of which resource owner, in order to select which PAT to use to make the API call.

Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:

POST /rs/status HTTP/1.1
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
}

3.8.2 Authorization Server Response to Resource Server on Token Introspection Success

The authorization server's response to the resource server MUST use [RFC7662], responding with a JSON object with the structure dictated by that specification, extended as follows.

If the active property has a Boolean value of true, then the introspection object MUST NOT contain a scope claim, and SHOULD contain an extension property with the name permissions that contains an array of one or more values, each of which is an object consisting of these properties:

resource_id
REQUIRED. A string that uniquely identifies the protected resource, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected.
resource_scopes
REQUIRED. An array referencing one or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
exp
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire. If the property is absent, the permission does not expire. If the token-level exp value pre-dates a permission-level exp value, the former overrides the latter.
iat
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. If the token-level iat value post-dates a permission-level iat value, the former overrides the latter.
nbf
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value, the former overrides the latter.

For interoperability, if the introspection object does not contain the permissions property, then an UMA extension SHOULD be defined as appropriate, with supporting authorization servers using the uma_profiles_supported configuration property to advertise their support of any alternative structures (see Section 5 for more information).

Example of a response containing the introspection object with the permissions property:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
...

{  
   "active":true,
   "exp":1256953732,
   "iat":1256912345,
   "permissions":[  
      {  
         "resource_id":"112210f47de98100",
         "resource_scopes":[  
            "view",
            "http://photoz.example.com/dev/actions/print"
         ],
         "exp":1256953732
      }
   ]
}

3.9 Resource Server Responds to Client’s Access Attempt With RPT

In this process, the resource server responds to the client's access attempt on a protected resource that bore an RPT.

This process assumes that the resource server has determined the status of the RPT. The success path of this process corresponds to steps 16-17 in Figure 2.

The first part of this process is an internal assessment. The second is a response to the client.

This process concludes UMA's protocol flow.

3.9.1 Permissions Assessment

The resource server assesses the permissions associated with the RPT, whether obtained through token introspection or otherwise, and compares them with the RPT-accompanied client's access attempt to a protected resource.

Note: The act of assessment may require the resource server to interpret which resource, resource owner, authorization server, and scope to map to the client's access attempt.

The purpose of this assessment is to determine sufficiency of authorization. The resource server MAY apply additional authorization controls when determining how to respond. For example, even if an RPT provides sufficient permissions for a particular case, the resource server deployer can choose to bar access to certain additional requesting parties.

To ensure the integrity of the ecosystem in which the resource server, authorization server, and resource owner are participating, it is RECOMMENDED for the parties to establish agreements about access rules on a legal or contractual level. See Section 6.7 for more information.

The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization.

3.9.2 Resource Server Response to Client on Sufficiency of Authorization

The client's presentation of a valid RPT associated with sufficient permissions indicates that the policy conditions have been met for access to the protected resource.

Example of the resource server's response to the client on sufficiency of authorization:

HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "f_number":"f/5.6",
   "exposure":"1/320",
   "focal_length_mm":150,
   "iso":400,
   "flash":false
}

3.9.3 Resource Server Response to Client on Insufficiency of Authorization

The client's presentation of an invalid RPT or an RPT associated with insufficient permissions for access indicates that the policy conditions have not been met for access to the protected resource.

In this case, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5, exactly as if the client had attempted to access the protected resource with no RPT. Because the resource server is responsible for its own resource semantics and structure, it may need to map the client's access attempt to a suitable resource identifier (and thus resource owner and authorization server) before proceeding.

3.10 Authorization Server Refreshes RPT

As noted in Section 3.6.5, when issuing an RPT, the authorization server MAY also issue a refresh token.

In a typical access token refreshing flow, providing the scope parameter in the request has a token downscoping effect. However, if the client includes the scope parameter when providing a refresh token that is associated with an RPT, the effect is undefined.

3.11 Client Requests Token Revocation

If the authorization server presents a token revocation endpoint as defined by [RFC7009], the client MAY use the endpoint to request revocation of an RPT (access token), refresh token, or PCT previously issued to it on behalf of a requesting party. This specification defines the following token type hint value:

pct
Helps the authorization server optimize lookup of a PCT for revocation.

4. Error Responses

If a request triggers no OAuth error, but is invalid for another reason as defined throughout this specification, the authorization server or resource server responds with an UMA error, sometimes along with a specified HTTP status code, by supplying the following properties in a JSON-encoded object in the body of the HTTP response:

error
REQUIRED. A single error code. Values for this property are defined throughout this specification.
error_description
OPTIONAL. Human-readable text providing additional information.
error_uri
OPTIONAL. A URI identifying a human-readable web page with information about the error.

The following is a common error code that applies to several UMA-specified request messages:

invalid_request
The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The authorization server MUST respond with the HTTP 400 (Bad Request) status code.

For example:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"invalid_request",
   "error_description":"Request is missing a required parameter.",
   "error_uri":"https://as.example.com/errors/bad_uma_request"
}

5. Specifying Additional Profiles and Extensions

For implementation interoperability and to serve particular deployment scenarios, including sector-specific ones such as healthcare or e-government, third parties may want to define profiles of UMA that restrict its available options.

Further, third parties may want to define profiles of companion technologies to fit interoperably within the UMA framework, for example, claim token formats suitable for claim pushing (see Section 3.6.1) or protocol alternatives to HTTP.

Finally, this specification uses the natural extensibility within its messaging formats, "application/x-www-form-urlencoded" and JSON, to enable third parties to define extensions that serve adjacent use cases. For example, if necessary, it is possible to substitute a different token introspection object structure to change the dividing line between authorization server and resource server responsibilities in controlling access.

It is not practical for this specification to standardize all such variations of UMA. However, to serve overall interoperability goals, this section provides guidelines for third parties that wish to specify UMA-related profiles and extensions.

It is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly (see Section 2 for details).

In all cases, it is RECOMMENDED that profiles and extensions document the following information:


6. Security Considerations

This specification relies mainly on OAuth 2.0 security mechanisms as well as transport-level encryption. Thus, implementers are strongly advised to read [BCP195] and the security considerations in [RFC6749] (Section 10) and [RFC6750] (Section 5) along with the security considerations of any other OAuth token-defining specifications in use, along with the entire [RFC6819] specification, and apply the countermeasures described therein. As well, implementers should take into account the security considerations in all other normatively referenced specifications.

The following sections describe additional security considerations.

6.1 Requesting Party Threats

This section discusses threats related to UMA's nature as a protocol enabling party-to-party sharing of protected resource access; that is, enabling requesting parties who are not the resource owner to gain authorized access to protected resources.

For privacy considerations related to requesting parties, see Section 7.2.

6.1.1 Requesting Party Redirection and Impersonation

Like ordinary OAuth redirection, UMA redirection for the purpose of gathering claims from an end-user requesting party (described in Section 3.6.2) creates the potential for cross-site request forgery (CSRF) through an open redirect if the authorization server does not force the client to pre-register its claims redirection endpoint, and server-side artifact tampering if the client does not avail itself of the state parameter. The client SHOULD check that the ticket value returned by an authorization server after a claims redirect is completed has not been maliciously changed, for example by a man in the browser, by using the state parameter. (See [UMA-Impl] for advice on ways to accomplish this.) Sections 4.4.1.8, 4.4.2.5, and 5.3.5 of [RFC6819] are apropos for the UMA claims-gathering redirection flow as well.

When a client redirects an end-user requesting party to the claims interaction endpoint, the client provides no a priori context to the authorization server about which user is appearing at the endpoint, other than implicitly through the permission ticket. Since the authorization server is free to gather any claims it wishes, the effect is to "late-bind" them to the permission ticket and the state string provided by the client, with the effect of enabling the authorization server not to trust client-asserted claims. This is a desirable result and reflects one reason why the authorization server might choose to demand use of the redirect flow over the push flow. However, the client has the opportunity to switch end-users -- say, enabling malicious end-user Carlos to impersonate the original end-user Bob, who might be represented by a PCT already in that client's possession and might even have authorized the issuance of that PCT -- after the redirect completes and before it returns to the token endpoint to seek permissions.

Another issue concerns the exposure of an RPT to a requesting party, which could maliciously pass the token to an unauthorized party.

To mitigate requesting-party switching and RPT exposure threats, consider the following strategies.

  • Require that the requesting party legitimately represent the wielder of the bearer token on a legal or contractual level. This solution does not reduce the risk from a technical perspective.
  • The authorization server, possibly with input from the resource owner, can implement tighter time-to-live strategies around the permissions in RPTs. This is a classic approach with bearer tokens that helps to limit a malicious party's ability to intercept and use the bearer token. In the same vein, the authorization server could require claims to have a reasonable degree of freshness (which would require a custom claims profile).
  • A stronger strategy is to gather claims interactively from an end-user requesting party that demonstrate that some sufficiently strong level of authentication was performed.

6.1.2 Requesting Party Claims and Persisted Claims Tokens

A PCT is similar to a refresh token in that it carries extra power over the usage of an RPT. The authorization server and client MUST keep PCTs confidential in transit and storage, and MUST NOT share any PCT with any other entity other than the issuer or issued client, respectively. The authorization server MUST maintain the binding between a PCT and the client to which it was issued.

Given that a PCT represents a set of requesting party claims, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. Different clients will have different capabilities in this respect; for example, some applications are single-user and perform no local authentication, associating all PCTs with the "current user", while others might have more sophisticated authentication and user mapping capabilities.

6.2 Strengthening RPT Protection Using Proof of Possession

After the client's access attempt on a protected resource, assuming the client sent an RPT of the bearer style such as those defined by [RFC6750], the resource server will have received from the client the entire secret portion of the token. This specification assumes only bearer-type tokens because they are the only type standardized as of this writing. However, to strengthen protection for RPTs using a proof-of-possession approach, the resource server could receive an RPT that consists of only a cryptographically signed token identifier, and then to validate the signature, it could submit the token identifier to the token introspection endpoint to obtain the necessary key information. The details of this usage are out of scope of this specification.

6.3 Strengthening Client Authentication Using OpenID Connect

Along with requiring TLS, UMA requires OAuth, or any OAuth-based authentication protocol, as the security mechanism for its protection API. The resource server thus acts in the role of an OAuth client at the authorization server's protection API. While it is possible to use any profile of OAuth for this protection, it is RECOMMENDED for the authorization server to use OpenID Connect, and to use its mechanisms for stronger client authentication at the token endpoint, in order to strengthen the authentication of OAuth clients. Section 16 of [OIDCCore] provides more information on OpenID Connect security considerations.

6.4 Interacting with Resource Owners and Requesting Parties Using OAuth's Implicit Grant Type

Clients using the OAuth implicit grant type carry particular vulnerabilities in OAuth, and using OpenID Connect is of no help in this circumstance. This is true where a resource server is used as an OAuth client for obtaining a PAT on a resource owner's behalf, and also where an authorization server is gathering claims from a requesting party through OAuth.

For example, an "implicit client" might require the retrieval of PATs more frequently, for each browser on each platform. An attacker can initiate a spear phishing attack on the resource owner with a link to a malicious website, relying on the resource owner to authenticate to the authorization server through an email-based identity provider in order to receive the PAT. The site can impersonate the resource owner using the browser client's client ID in an OpenID Connect implicit request to the authorization server. If the resource owner had previously authorized a PAT to be issued, this attempt will likely succeed. The subsequently issued PAT could be used for resource registration and other protection API tasks.

A number of mitigation strategies are possible.

  • The authorization server could penalize or disallow use of the implicit grant flow. This could be done at a variety of levels:
    • Enabling resource owners to define policies controlling the use of such clients
    • Setting system-default policies controlling their use
    • Participating in mutual agreements with other parties, for example, through the definition and mandated use of profiles, that admit only suitably secure client applications to interact with service operators
  • The authorization server could support dynamic client registration at the client instance level, such that each instance receives a unique client_id and secret. The client can then use the authorization code flow and have at least some form of client authentication. However, this is easier for a mobile app than for a browser-based HTML app.

6.5 Credentials-Guessing

The authorization server MUST prevent attackers from guessing permission tickets and PCTs.

6.6 JSON Usage

This specification defines a number of data formats based on [RFC7159]. As a subset of the JavaScript scripting language, JSON data SHOULD be consumed through a process that does not dynamically execute it as code, to avoid malicious code execution. One way to achieve this is to use a JSON parser rather than the built-in JavaScript eval() function.

6.7 Profiles and Trust Establishment

Parties that are operating and using UMA software entities have opportunities to establish agreements about the parties' rights and responsibilities on a legal or contractual level, along with common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective security postures, and written profiles are a key mechanism for conveying and enforcing these agreements. Section 5 discusses profiling. See [UMA-legal] to learn about tools to assist in the legal and contractual elements of deploying UMA-enabled services.

6.7.1 Requirements for Trust When Clients Push Claim Tokens

This section discusses the threats surrounding client claim pushing (see Section 3.6.1).

Because claim tokens of any format typically contain audience restrictions and an authorization server would typically not be in the primary audience for a claim token held or generated by a client, it is RECOMMENDED to document how the client, authorization server, and any additional ecosystem entities and parties will establish a trust relationship and communicate any required keying material in a claim token profile, as described in Section 5. Authorization servers are RECOMMENDED not to accept claim tokens pushed by untrusted clients and not to ignore audience restrictions found in claim tokens pushed by clients.

In the special circumstance when an authorization server is colocated with an OpenID Provider for the requesting parties within a deployment ecosystem, then it is able to act as an OpenID Relying Party for itself. This circumstance presents an opportunity for a technical optimization of the requirement for trust because the authorization server itself issued the OAuth client credentials for the client in question, and could reasonably be the singular aud value target in an OpenID Connect ID Token pushed by the client to the token endpoint.


7. Privacy Considerations

UMA has the following privacy considerations.

7.1 Resource Information at the Authorization Server

The authorization server comes to be in possession of resource information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until permissions are associated with its RPT. The more information about a resource that is registered, the more risk of privacy compromise there is through a less-trusted authorization server.

7.2 Requesting Party Information at the Authorization Server

The primary privacy duty of UMA's design is to the resource owner. However, privacy considerations affect the requesting party as well, having to do with the nature of claims. Claims are likely to contain personal, personally identifiable, and sensitive information, particularly in the case of requesting parties who are end-users.

If the authorization server supports persisting claims for any length of time (for example, to support issuance of PCTs), then it SHOULD provide a secure and privacy-protected means of storing claim data. It is also RECOMMENDED for the authorization server to use an interactive claims-gathering flow to ask an end-user requesting party for authorization to persist their claims before issuing a PCT. A requesting party who provides claims to an authorization server once having been redirected there is less susceptible to privacy-destroying behavior. Otherwise, certain flows such as claim pushing and interactive federated sign-in with automatic login will tend to be invisible to the user if they have not consciously authorized the possibility.

7.3 Resource Owner Information at the Resource Server

Since the initial request for a resource is made in an unauthorized and unauthenticated context, such requests are by definition open to all users. The response of that request includes a pointer to the authorization server to query for an access token and present claims. If it is known out of band that authorization server is owned and controlled by a single user, or visiting the authorization server contains other identifying information, then an unauthenticated and unauthorized client would be able to tell which resource owner is associated with a given resource. Other information about the resource owner, such as organizational affiliation or group membership, may be gained from this transaction as well.

7.4 Profiles and Trust Establishment

Parties that are operating and using UMA software entities have opportunities to establish agreements about mutual rights, responsibilities, and common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective privacy postures. See Section 6.7 for more information. Additional considerations related to Privacy by Design concepts are discussed in [UMA-PbD].


8. IANA Considerations

This document makes the following requests of IANA.

8.1 Well-Known URI Registration

This specification registers the well-known URI defined in Section 2, as required by Section 5.1 of [RFC5785].

8.1.1 Registry Contents

  • URI suffix: uma2-configuration
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 2.2 in this document

8.2 JSON Web Token Claims Registration

This specification registers the claim defined in Section 3.8.2, as required by [OIDCCore].

8.2.1 Registry Contents

  • Claim name: permissions
  • Claim description: Array of objects, each describing a set of scoped, time-limitable entitlements to a resource
  • Change controller: Kantara Initiative User-Managed Access Work Group - wg-uma@kantarainitiative.org
  • Specification document: Section 3.8.2 in this document

8.3 OAuth Token Introspection Response Registration

This specification registers the claim defined in Section 3.8.2, as required by Section 3.1 of [RFC7662].

8.3.1 Registry Contents

  • Claim name: permissions
  • Claim description: array of objects, each describing a set of scoped, time-limitable entitlements to a resource
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.8.2 in this document

8.4 OAuth 2.0 Extension Grant Parameters Registration

This specification registers the parameters defined in Section 3.6.1, as required by Section 11.2 of [RFC6749].

8.4.1 Registry Contents

  • Parameter name: ticket
  • Parameter usage location: client request, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Parameter name: rpt
  • Parameter usage location: client request, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Parameter name: claim_tokens
  • Parameter usage location: client request, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Parameter name: pct
  • Parameter usage location: client request, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Parameter name: pct
  • Parameter usage location: authorization server response, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.5 in this document
  • Parameter name: upgraded
  • Parameter usage location: authorization server response, token endpoint
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.5 in this document

8.5 OAuth 2.0 Extensions Error Registration

This specification registers the errors defined in Section 3.6.6, as required by Section 11.4 of [RFC6749].

8.5.1 Registry Contents

  • Error name: request_submitted
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Error usage location: authorization server response, token endpoint
  • Error name: need_info (and its subsidiary ticket and error_details structures)
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.6.1 in this document
  • Error usage location: authorization server response, token endpoint

8.6 OAuth Token Type Hints Registration

This specification registers the errors defined in Section 3.11, as required by Section 4.1.2 of [RFC7009].

8.6.1 Registry Contents

  • Hint value: pct
  • Change controller: Kantara Initiative User-Managed Access Work Group - staff@kantarainitiative.org
  • Specification document: Section 3.11 in this document

9. Acknowledgments

The following people made significant text contributions to the specification:

Additional contributors to this specification include the Kantara UMA Work Group participants, a list of whom can be found at [UMAnitarians].


10. References

10.1 Normative References

[BCP195]Sheffer, Y., “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)”, May 2015, <https://tools.ietf.org/html/bcp195>.
[OAuth-resource-reg]Maler, E., Ed., “OAuth 2.0 Resource Registration”, March 2017, <https://docs.kantarainitiative.org/uma/wg/oauth-resource-reg-2.0-07.html>.
[OIDCCore]Sakimura, N., “OpenID Connect Core 1.0 incorporating errata set 1”, November 2014, <http://openid.net/specs/openid-connect-core-1_0.html>.
[OIDCDynClientReg]Sakimura, N., “OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1”, November 2014, <http://openid.net/specs/openid-connect-registration-1_0.html>.
[RFC2119]Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC3986]Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax”, STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.
[RFC5785]Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs)”, RFC 5785, DOI 10.17487/RFC5785, April 2010, <http://www.rfc-editor.org/info/rfc5785>.
[RFC6749]Hardt, D., Ed., “The OAuth 2.0 Authorization Framework”, RFC 6749, DOI 10.17487/RFC6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>.
[RFC6750]Jones, M. and D. Hardt, “The OAuth 2.0 Authorization Framework: Bearer Token Usage”, RFC 6750, DOI 10.17487/RFC6750, October 2012, <http://www.rfc-editor.org/info/rfc6750>.
[RFC6819]Lodderstedt, T., Ed., McGloin, M., and P. Hunt, “OAuth 2.0 Threat Model and Security Considerations”, RFC 6819, DOI 10.17487/RFC6819, January 2013, <http://www.rfc-editor.org/info/rfc6819>.
[RFC7159]Bray, T., Ed., “The JavaScript Object Notation (JSON) Data Interchange Format”, RFC 7159, DOI 10.17487/RFC7159, March 2014, <http://www.rfc-editor.org/info/rfc7159>.
[RFC7591]Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and P. Hunt, “OAuth 2.0 Dynamic Client Registration Protocol”, RFC 7591, DOI 10.17487/RFC7591, July 2015, <http://www.rfc-editor.org/info/rfc7591>.
[RFC7662]Richer, J., Ed., “OAuth 2.0 Token Introspection”, RFC 7662, DOI 10.17487/RFC7662, October 2015, <http://www.rfc-editor.org/info/rfc7662>.
[RFC2616]Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1”, RFC 2616, DOI 10.17487/RFC2616, June 1999, <http://www.rfc-editor.org/info/rfc2616>.
[RFC7009]Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, “OAuth 2.0 Token Revocation”, RFC 7009, DOI 10.17487/RFC7009, August 2013, <http://www.rfc-editor.org/info/rfc7009>.

10.2 Informative References

[UMA-casestudies]Maler, E., “UMA Case Studies”, 2015, <https://kantarainitiative.org/confluence/display/uma/Case+Studies>.
[UMA-Impl]Maler, E., “UMA Implementer's Guide”, 2017, <https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Guide>.
[UMA-PbD]Maler, E., “Privacy by Design Implications of UMA”, 2013, <https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA>.
[UMA-usecases]Maler, E., “UMA Scenarios and Use Cases”, 2010, <https://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases>.
[UMAnitarians]Maler, E., “UMA Participant Roster”, 2017, <https://kantarainitiative.org/confluence/display/uma/Participant+Roster>.
[UMA-legal]Maler, E., “UMA Legal”, 2017, <http://kantarainitiative.org/confluence/display/uma/UMA+Legal>.

Authors' Addresses

Eve Maler (editor)
ForgeRock
EMail: eve.maler@forgerock.com

Maciej Machulak
Self
EMail: maciej.machulak@gmail.com

Justin Richer
Bespoke Engineering
EMail: justin@bspk.io