xmlgrrl changed the title from "Should our token introspection object structure be a MUST now?" to "Should our token introspection object permissions structure be a MUST now?" on May 18, 2017
Per UMA telecon 2017-05-18: We made a strong decision to make permissions be a SHOULD for extensibility reasons, in case someone wanted to experiment with the dividing line between AS and RS responsibilities. However, token introspection is already optional in OAuth, and with the spec refactoring, maybe this isn't necessary anymore. And changing from a SHOULD to a MUST is backwards incompatible, whereas the reverse isn't (it would break implementations to change it in this direction). Consensus to change to a MUST.
In FedAuthz Sec 5.1.1, @jricher suggests:
"why is "permissions" not a MUST? if it's an UMA token it'll have it, if it's not, it won't. the hand-wave to an extension feels weird here. an extension could just as easily say "our kind of tokens don't use that object" and so responses won't conform to the base spec but to the extension instead. just like a plain oauth token instead of an uma token."
The specific language in question:
"If the introspection object's active parameter has a Boolean value of true, then the object MUST NOT contain a scope parameter, and SHOULD contain an extension parameter named permissions that contains an array of objects, each one (representing a single permission) containing these parameters:"
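An added example, not from the issue thread or the UMA specification: a resource-server-side check of the quoted rule, showing how the SHOULD and MUST readings differ for an active token that carries no permissions. The function name, the `level` argument and the sample objects are assumptions; the parameters inside each permission are not checked because the quoted text stops before listing them.

```python
def check_uma_introspection(obj, level="MUST"):
    """Check one parsed introspection object against the quoted rule.

    level is "MUST" (the telecon consensus) or "SHOULD" (the earlier wording).
    Returns (errors, warnings); a caller that fails closed rejects on any error.
    """
    errors, warnings = [], []
    if not isinstance(obj, dict):
        return ["introspection response is not a JSON object"], warnings
    active = obj.get("active")
    if not isinstance(active, bool):
        # A string such as "true" is not a Boolean value and must not pass.
        return ["active is not a JSON boolean"], warnings
    if not active:
        return errors, warnings  # the rule only constrains active == true
    if "scope" in obj:
        errors.append("active object MUST NOT contain scope")
    if "permissions" not in obj:
        msg = "active object has no permissions parameter"
        (errors if level == "MUST" else warnings).append(msg)
        return errors, warnings
    perms = obj["permissions"]
    if not isinstance(perms, list):
        errors.append("permissions is not an array")
        return errors, warnings
    for i, perm in enumerate(perms):
        if not isinstance(perm, dict):
            errors.append(f"permissions[{i}] is not an object")
    return errors, warnings


# Constructed sample objects; "example_param" is a placeholder, not a spec name.
UMA_STYLE = {"active": True, "permissions": [{"example_param": "x"}]}
PLAIN_OAUTH_STYLE = {"active": True, "scope": "read write"}
NO_PERMISSIONS = {"active": True}

if __name__ == "__main__":
    for name, sample in [("uma", UMA_STYLE), ("oauth", PLAIN_OAUTH_STYLE),
                         ("bare", NO_PERMISSIONS)]:
        for level in ("SHOULD", "MUST"):
            print(name, level, check_uma_introspection(sample, level))
```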