Difficult to return public information #163
The response of the protected resource is expected to always direct the client to the AS, but some APIs can return public information in a non-error response. UMA states that non-error responses are "out of scope" which will lead to needlessly incompatible methods of handling this.
Suggested fix: specify precisely how to handle this use case, such as a "200" class response with a special header.
This was referenced on Jul 15, 2015.
For reference: This appears in Core Sec 3.1.1 (https://docs.kantarainitiative.org/uma/rec-uma-core.html#rfc.section.3.1.1): "It SHOULD respond with the HTTP 403 (Forbidden) status code, providing the authorization server's URI in an "as_uri" property in the header, along with the just-received permission ticket in the body in a JSON-encoded "ticket" property. Responses that use any code other than 403 are undefined by this specification; any common or best practices for returning other status codes will be documented in the [UMA-Impl]."
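As an added example (not code from this issue or from the UMA project), here is the Core Sec 3.1.1 response shape on the resource-server side next to the client-side parse of it, with the public-resource case returning a plain 200 so the two paths can be told apart. The `as_uri` value is carried in a `WWW-Authenticate: UMA` challenge as UMA 1.0 does; the AS URI, realm, ticket values and resource table are constructed.

```python
import json
import re

AS_URI = "https://as.example.test"  # constructed authorization server location
REALM = "example"                    # constructed realm

# Constructed resource table: which paths are public and what they return.
RESOURCES = {
    "/public/status": {"public": True, "data": {"status": "ok"}},
    "/private/report": {"public": False, "data": {"report": "restricted"}},
}


def issue_ticket(path):
    """Stand-in for obtaining a permission ticket from the AS (constructed value)."""
    return "ticket-" + path.strip("/").replace("/", "-")


def resource_server_response(path, rpt=None):
    """Return (status, headers, body) for a GET on `path` with optional RPT."""
    res = RESOURCES[path]
    json_hdr = {"Content-Type": "application/json"}
    if res["public"]:
        # Non-error response for public information: left undefined by Core 3.1.1,
        # so the server simply returns the data with no UMA challenge.
        return 200, json_hdr, json.dumps(res["data"])
    if rpt == "valid-rpt":  # constructed: an RPT the resource server has accepted
        return 200, json_hdr, json.dumps(res["data"])
    # Core Sec 3.1.1: 403, as_uri in the WWW-Authenticate header, ticket in the body.
    headers = dict(json_hdr)
    headers["WWW-Authenticate"] = 'UMA realm="%s", as_uri="%s"' % (REALM, AS_URI)
    return 403, headers, json.dumps({"ticket": issue_ticket(path)})


def parse_uma_challenge(status, headers, body):
    """Client side: (as_uri, ticket) for a 3.1.1 challenge, None for anything else."""
    if status != 403:
        return None
    www = headers.get("WWW-Authenticate", "")
    if not www.startswith("UMA "):
        return None
    match = re.search(r'as_uri="([^"]+)"', www)
    ticket = json.loads(body).get("ticket") if body else None
    if not match or not ticket:
        return None  # malformed challenge: do not guess an AS to contact
    return match.group(1), ticket
```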