Is the effect of a downscoping request still undefined in oauth-uma-ticket? #306
Comments
The Grant spec actually does mention this concept now; it's needed because, even though clients don't need to know about it, the AS does, for authorization assessment and RPT issuance. Which brings up the idea: We should probably explain why the effect of including a scope parameter on a downscoping request is undefined (it's because the client is unaware of the resource-specific nature of scopes). This subtlety is actually part of the definition of "permission" in Sec 1.3, so it seems like fair game.
In UMA telecon 2017-05-12 we thought that "undefined" wasn't quite right. This produced recommendations of several edits:
Further discussion on an adjacent topic led us to add the following editorial instructions:
To be implemented in rev 04 for consideration.
Per UMA telecon 2017-05-12 recommendations.
Per UMA telecon 2017-05-18: The recommendations from the previous week, as implemented in rev 04, are acceptable.
In the new UMA Grant spec, Sec 3.6, we've still said an attempt to downscope is undefined. But this spec doesn't even mention the concept of resource-specific scopes (though the AS and RS may have the concept behind the scenes). What's the scoop?