Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission lifecycle is unclear #172

Closed
jricher opened this issue Jul 15, 2015 · 5 comments
Closed

Permission lifecycle is unclear #172

jricher opened this issue Jul 15, 2015 · 5 comments
Labels
core Related to (original UMA1) core spec scope; may use obsolete language critical V1.0.1
Milestone
V1.0.1

Comments

@jricher
Copy link

jricher commented Jul 15, 2015

The whole lifecycle of Permission Ticket objects is unclear. Their creation is detailed, as is their use, but it's not clear whether they should expire either after time or after use. Can a ticket even be re-used? Should it?
@gffletch
Copy link

Good point. If an attempt to get an RPT fails with a retrieved permissions ticket, should it be re-usable to try again later? or should the Client just try and access the resource again at a later time and get a new permissions ticket?

@xmlgrrl
Copy link

xmlgrrl commented Jul 20, 2015

For reference: What is said about permission ticket semantics/structure is in Core Sec 3.2 (https://docs.kantarainitiative.org/uma/rec-uma-core.html#rfc.section.3.2): "The permission ticket is a short-lived opaque structure whose form is determined by the authorization server. The ticket value MUST be securely random (for example, not merely part of a predictable sequential series), to avoid denial-of-service attacks. Since the ticket is an opaque structure from the point of view of the client, the authorization server is free to include information regarding expiration time or any other information within the opaque ticket for its own consumption. When the client subsequently uses the authorization API to ask the authorization server for authorization data to be associated with its RPT, it will submit this ticket to the authorization server."

@xmlgrrl xmlgrrl added the core Related to (original UMA1) core spec scope; may use obsolete language label Jul 20, 2015
@mmachulak
Copy link

Agreed that the permission ticket lifecycle is not defined at all. However, is this something that should be clarified in the spec or should the spec only mention "the issue" and the lifecycle itself could be provided in the implementation guide or similar document?

@xmlgrrl xmlgrrl added this to the V1.0.1 milestone Jul 31, 2015
@xmlgrrl
Copy link

xmlgrrl commented Aug 13, 2015

Per discussion on 2015-08-13: The feedback from the implementation process is that what's in the spec is not enough. The OAuth spec has more guidance on this type of thing. Can we be more specific without saying exactly what the lifecycle is? Can it be forever or not, e.g.? Maciej will propose text.

@xmlgrrl xmlgrrl added the V1.0.1 label Aug 13, 2015
mmachulak added a commit that referenced this issue Aug 20, 2015
@mmachulak
Suggestion for #172
1196c74
@xmlgrrl
Copy link

xmlgrrl commented Aug 28, 2015

As discussed in UMA telecon 2015-08-27: Justin is looking for more implementation guidance, which we're thinking should really go in the UIG rather than here. Should we include a cross-reference out? Let's do it. We will stick to language that supports the RFC 2119 normative assertions in the spec. We can close this, presuming Maciej will implement amendments made on the call.

@xmlgrrl xmlgrrl closed this as completed Aug 28, 2015
xmlgrrl added a commit that referenced this issue Sep 1, 2015
@xmlgrrl
Reorg'd per #179, completed #172 and #161
4cd11a7 
Core has a massive number of structural edits per #179, along with a
variety of small editorial cleanup items and a completion of #161 and
#172 per the final decisions of UMA telecon 2015-08-27. RSR has small
edits and a completion of #161 as well.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
core Related to (original UMA1) core spec scope; may use obsolete language critical V1.0.1
Projects
None yet
Milestone
V1.0.1
Development

No branches or pull requests
4 participants
@jricher @xmlgrrl @mmachulak @gffletch