Difficult to return public information #163

Closed
jricher opened this issue Jul 15, 2015 · 3 comments

@jricher commented Jul 15, 2015

The response of the protected resource is expected to always direct the client to the AS, but some APIs can return public information in a non-error response. UMA states that non-error responses are "out of scope" which will lead to needlessly incompatible methods of handling this.

Suggested fix: specify precisely how to handle this use case, such as a "200" class response with a special header.

@xmlgrrl commented Jul 20, 2015

For reference: This appears in Core Sec 3.1.1 (https://docs.kantarainitiative.org/uma/rec-uma-core.html#rfc.section.3.1.1): "It SHOULD respond with the HTTP 403 (Forbidden) status code, providing the authorization server's URI in an "as_uri" property in the header, along with the just-received permission ticket in the body in a JSON-encoded "ticket" property. Responses that use any code other than 403 are undefined by this specification; any common or best practices for returning other status codes will be documented in the [UMA-Impl]."

@xmlgrrl xmlgrrl added the core label Jul 22, 2015

@xmlgrrl xmlgrrl added the critical label Jul 30, 2015

@xmlgrrl xmlgrrl added this to the V1.0.1 milestone Jul 31, 2015

@xmlgrrl commented Aug 15, 2015

Discussion on 2015-08-13: Since 200-class with a special header was suggested in the issue, the presence of the WWW-Authenticate: UMA header would do the job.
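As an added illustration of the two response shapes being discussed (the 403 challenge from Core Sec 3.1.1 quoted above, and a 200-class response for public information that still carries a `WWW-Authenticate: UMA` header), here is a small Python sketch. It is not part of the UMA specification or of any implementation referenced in this thread. The realm name, AS URI, ticket value and public payload are constructed placeholders, and it assumes the permission ticket is still returned in a JSON `ticket` property on the 200 response; the client side decides its next step purely from the presence (or absence) of the UMA challenge, which is the disambiguation the comment proposes.

```python
import json
import re
from typing import Optional

# Constructed sample values (hypothetical, not taken from the issue or the spec).
AS_URI = "https://as.example.com"
REALM = "example"
SAMPLE_TICKET = "ticket-EXAMPLE-0001"


def resource_response(rpt_valid: bool, public: bool, payload: dict, ticket: str):
    """Build (status, headers, body) for a request to a protected resource.

    rpt_valid: the request carried an RPT the AS deemed sufficient.
    public:    the resource has a representation that may be returned without
               authorization, yet the client should still be pointed at the AS.
    """
    challenge = f'UMA realm="{REALM}", as_uri="{AS_URI}"'
    if rpt_valid:
        # Fully authorized: ordinary success, no challenge.
        return 200, {"Content-Type": "application/json"}, json.dumps(payload)
    if public:
        # Public information: success status, but the UMA challenge header tells
        # the client that more is available once it obtains an RPT. Returning
        # the ticket in the body here is an assumption of this example.
        headers = {"Content-Type": "application/json", "WWW-Authenticate": challenge}
        body = json.dumps({"public": payload, "ticket": ticket})
        return 200, headers, body
    # No public representation: the 403 shape from Core Sec 3.1.1, with the AS
    # URI in the header and the permission ticket in the JSON body.
    headers = {"Content-Type": "application/json", "WWW-Authenticate": challenge}
    return 403, headers, json.dumps({"ticket": ticket})


def parse_uma_challenge(header: str) -> Optional[dict]:
    """Return the parameters of a `UMA` challenge, or None for any other scheme."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "uma":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def client_next_step(status: int, headers: dict, body: str):
    """Decide what the client does with a resource server response.

    The decision keys on the UMA challenge header, not on the status code, so a
    200 with public data and a 403 both route the client to the AS.
    """
    data = json.loads(body) if body else {}
    challenge = headers.get("WWW-Authenticate")
    params = parse_uma_challenge(challenge) if challenge else None
    if params is None:
        if status == 200:
            return "done", data
        # Non-UMA error response: undefined by the spec, surface it as such.
        return "undefined", data
    return "go_to_as", {
        "as_uri": params.get("as_uri"),
        "ticket": data.get("ticket"),
        "public": data.get("public"),
    }


if __name__ == "__main__":
    for rpt_valid, public in ((False, False), (False, True), (True, False)):
        resp = resource_response(rpt_valid, public, {"title": "Public profile"}, SAMPLE_TICKET)
        print(resp[0], resp[1].get("WWW-Authenticate"), client_next_step(*resp))
```

Running the block prints the three cases: the bare 403 challenge, the 200 carrying public data plus the challenge, and the plain 200 for an authorized request. Only the last one is treated as final by the client.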

@xmlgrrl xmlgrrl added the V1.0.1 label Aug 15, 2015

xmlgrrl added a commit that referenced this issue Aug 20, 2015

Completed #163
Added a mention of requiring the WWW-Authenticate header to a success
response in Sec 3.3.1. Also consistently cleaned up mentions of
“200-class” responses throughout, and added textual mentions (vs. just
example code) of the header and “UMA” authentication scheme.

@xmlgrrl xmlgrrl closed this Aug 20, 2015

xmlgrrl added a commit that referenced this issue Aug 20, 2015

Tweaks based on 2015-08-13 consensus
The WG reviewed proposed wording and decided on changes to several
stretches of text from the last week’s worth of issue closures. Text
related to #163 is just newly proposed, and affects #164 as well.

xmlgrrl added a commit that referenced this issue Aug 23, 2015

New proposal for #163
This is an aggressive proposal for the WWW-Authenticate header and the
ticket property, with associated examples and “prefiguring” text for
future version changes. We’ll need to make a new issue to go back and
change the text in a later version.

@xmlgrrl xmlgrrl reopened this Aug 23, 2015

mmachulak added a commit that referenced this issue Aug 27, 2015

@xmlgrrl commented Aug 28, 2015

Proposed, discussed, and reviewed in UMA telecon 2015-08-27. We can close this, presuming Maciej has already implemented amendments made on the call.

@xmlgrrl xmlgrrl closed this Aug 28, 2015
