Knowledge on Web Scale

Authorization for Data Spaces

Living Document,

Abstract

Authorization for Data Spaces (A4DS) is a profile for the User-Managed Access (UMA) specifications ...

1. Introduction

This section is non-normative.

User-Managed Access (UMA) is a pair of complementary extensions to The OAuth 2.0 Authorization Framework [OAuth20], published by the Kantara Initiative. It comprises the following specifications:

This document introduces a profile for the combined UMA specifications, called Authorization for Data Spaces (A4DS, read as 'affords').

...

2. Definitions

Refer to OAuth 2.1 only, as soon as it is out of draft.

Specify resource owner and relying parties to be natural or legal persons or groups of people.

Agent

A party consisting of on or more (natural and/or legal) persons/entities performs a certain (active) role in – or with respect to – the A4DS authorization process.

Resource

A resource on the resource server, as defined by [OAuth20]. Within the A4DS specification, protected are resources protected using the specified UMA profile (cf. asset).

NOTE: Resources are not limited to 'data', 'documents', or 'endpoints' in the classical use of those terms. They can be any identifiable entity, e.g., abstract concepts, future data points, unavailable content, applications, services, physical artefacts etc.

Scope

A modal slice of functionality on resources, represented by an opaque identifier, understood only by the resource server.

The resource server uses scopes to delineate specific privileges towards resources, that might require separate policy management: separable parts of information, different actions or operations, specific relations (roles) with the requesting party etc. By distinguishing the multiple scopes that are applicable to one or more resources, the resource server allows the resource owner a more fine-grained control.

NOTE: This specification holds the terms 'scope', 'mode', 'action', 'operation', and 'role' to be interchangeable. Unless a specific alternative proves more adequate, the terms 'scope' and 'action' will be preferred.

Resource owner (RO)

An agent who is capable of granting access to a protected resource, as defined by [OAuth20] and refined by [UMA-Grant] (cf. resource owner).

Resource server (RS)

The server hosting the protected resources, as defined by [OAuth20] and refined by [UMA-Grant] (cf. resource server).

Requesting party (RP)

An agent who seeks access to a protected resource, which may also be the resource owner itself, as defined by [UMA-Grant] (cf. requesting party).

Client

An application making protected resource requests on behalf of the requesting party, as defined by [OAuth20] and refined by [UMA-Grant] (cf. client).

Authorization server (AS)

The server issuing access tokens to the client, as defined by [OAuth20] and refined by [UMA-Grant] (cf. authorization server).

Protection API

The OAuth-protected API presented by the authorization server to the resource server, as defined by [UMA-Fed] (cf. protection API).

Protection API access token (PAT)

The access token used by the resource server to access the protection API of the resource owner’s authorization server, as defined by [UMA-Fed] (cf. protection API access token).

Resource description (RD)

A description of the characteristics of a resource, sufficiently for an authorization server to protect it. Resource descriptions are typically serialised as a JSON document, as defined by [UMA-Fed] (cf. resource description).

An updated resource description is a resource description interpreted as an update to the knowledge base of the authorization server. Likewise resource descriptions stored within that knowledge base are called stored resource descriptions.

Scope description (SD)

JSON document that describes the characteristics of a resource scope sufficiently for an authorization server to protect the resource under this available scope, as defined by [UMA-Fed] (cf. resource description).

An updated scope description is a scope description interpreted as an update to the knowledge base of the authorization server. Likewise scope descriptions stored within that knowledge base are called stored scope descriptions.

Asset

A protected resource, as viewed from the perspective of the authorization server protecting it, i.e., the resource as target of policies. Although these terms might thus be used interchangeably, within this document they are used separately to provided added clarity regarding the context.

Asset collection

A virtual asset, representing the (unique, complete) set of resources that are related to one other specific resource in a specific way. The common relation is called the determinant relation of the collection; (the asset representing) the common target is called the source.

Asset collections allow the resource owner to defined default policies over sets of similar resources: when a policy is defined on a collection, it will automatically apply to all its members, unless a more specific policy is set on the member itself. An asset collection can therefore also be interpreted as the prototype asset for all (current and future) assets in that set.

Claim

A statement about an entity, presented by the requesting party – via the client application – and collected by the authorization server, during the authentication process. Policies protecting a resource can be conditional upon claims: authorization is only provided when specific claims are available and the conditions on them fulfilled. The totality of claims involved in an authorization process forms the agreement under which the authorization holds.

UMA provides two mechanisms for requesting partys to provide claims to the authorization server:

  • Claims pushing: ... (Section 3.3.1)

  • Interactive claims gathering: ... (Section 3.3.2)

todo

Claim token

A serialised form of one or more claims, encoded according to a specific claim token format, to exchange them in a verifiable manner.

Permission

The (requested or granted) access to a particular resource within one or more scopes bound to that resource, i.e., the privilege to exercise one or more actions over an asset if all constraints are satisfied and all duties fulfilled.

A Permission description ...

todo

Permission ticket

A correlation handle representing one or more requested permissions. It is an opaque identifier, understood only by the authorization server, used to track the set of requested permissions between the different steps of the authorization process.

Authorization process

The process through which the authorization server determines whether it should issue an RPT to the client on the requesting party’s behalf, based on a variety of inputs. A key component of the process is authorization assessment. (See Section 1.3.1.)

Access request

...

todo

Requesting party token (RPT)

An [OAuth20] access token, associated with the UMA authorization grant, which represents one or more permissions granted as a result of an authorization process. It uniquely identifies the requesting party, client, authorization server, resource server, and resource owner involved in the authorization process.

3. Public metadata

To inform other parties about their API endpoints and capabilities, clients, resource servers and authorization servers declare this metadata in discovery documents that are publically readable.

3.1. Client metadata

Clients must be identifiable with an HTTPS URL, which must dereference to a JSON document containing the metadata of the client, in accordance with [Client-Meta].

Identifier URLs therefore may contain a port number, must contain a path component, and must not contain single- or double-dot path segments, a fragment or query component, or a username or password.

In particular, the following client metadata properties are relevant for this specification.

client_id, of type string

required. The client’s identifier URL. The value of this property must be identical to the URL on which the document is served. [Client-ID]

redirect_uris, of type string

required. An array of redirection URLs to use in redirect-based flows. [Client-Meta]

token_endpoint_auth_method, of type string

optional. For confidential clients, this property is required, and must be set to private_key_jwt. [Client-Meta]

jwks_uri, of type string

optional. For confidential clients, exactly one of these properties is required. Either jwks must contain the JSON JWK Set of the client, or jwks_uri must be set to the HTTPS URI of a JSON document containing this JWK Set. [Client-Meta]

dictionary ClientMetadata {
  string client_id;
  string jwks;
  string jwks_uri;
  string redirect_uris;
  string token_endpoint_auth_method;
};

Should we also allow (dynamic) registration? E.g. for clients that cannot host anything?

Look into extending this to DIDs + DID Documents (using a limited list of DID methods, or the universal resolver).

3.2. Authorization server metadata

authorization servers must publish Authorization Server Metadata in a discovery document that is publically readable on the Well-Known URI formed by appending the string /.well-known/uma2-configuration to the root URI of the authorization server. The document must be formatted as JSON and adhere to [AS-Meta], as specified by [UMA-Grant], § 2, and [UMA-Fed], § 2. The following metadata parameters are of special concern to this specification.

uma_profiles_supported, of type string

required. UMA profiles and extensions supported by this authorization server. Its value must be a JSON array containing the URI ... as a JSON string value, to identify the profile specified in this document. [UMA-Grant]

decide on profile URI

client_id_metadata_document_supported, of type string

required. This property must be set to true, indicating that the authorization server supports retrieving client metadata from a client_id URL. [Client-ID]

issuer, of type string

required. The authorization server’s identifier. [AS-Meta]

resource_registration_endpoint, of type string

required. The URI at which the resource server registers resources to put them under protection of the authorization server, as defined by [UMA-Fed] (cf. resource registration endpoint).

permission_endpoint, of type string

required. The URI at which the resource server requests permission from the authorization server on the client’s behalf, as defined by [UMA-Fed] (cf. permission endpoint).

token_endpoint, of type string

required. The URL at which the client requests an access token from the authorization server, as defined by [OAuth20] and refined by [UMA-Grant] (cf. token endpoint).

introspection_endpoint, of type string

required. The URL at which the resource server can retrieve information about a token, including whether this token is currently active, as defined by [RFC7662] and refined by [UMA-Fed] (cf. introspection endpoint).

claims_interaction_endpoint, of type string

optional. The URI at which the authorization server can interact with requesting partys to gather claims, as defined by [UMA-Grant] (cf. claims interaction endpoint).

Should be RECOMMENDED, or even REQUIRED instead

jwks_uri, of type string

optional. The URL at which the authorization server serves its JWK Set (cf. [JWK]), which contains the public key(s) used to validate signatures from the authorization server. [AS-Meta]

Should be RECOMMENDED, or even REQUIRED instead

dictionary AuthorizationServerMetadata {
  string uma_profiles_supported;
  string client_id_metadata_document_supported;
  string issuer;
  string resource_registration_endpoint;
  string permission_endpoint;
  string token_endpoint;
  string introspection_endpoint;
  string claims_interaction_endpoint;
  string jwks_uri;
};

3.3. Resource server metadata

To be securely identifiable, the resource server must declare a JSON Web Key Set [JWK] on the Well-Known URI /.well-known/jwks.json.

loosen required url (since ref in discovery anyway)

use [Resource-Meta] (instead of "storage description"), and possibly also [Client-Meta]

4. Security

4.1. Channel security

As specified by [UMA-Fed], § 1.3, all interactions via the protection API must happen over an HTTP/1.1 channel (or higher) protected by TLS 1.3 (or higher), and in accordance with the recommendations formulated in [RFC9325].

Require key exhange algorithms based on ephemeral Diffie–Hellman ciphers (TLS_DHE and TLS_ECDHE) to ensure forward secrecy.

Require HTTP/2, which includes the requirements above, and patches some vulnerabilities in (m)TLS negotiation.

In the long-term, abstract from HTTP towards any SASL-aware application layer (cf. draft-vanrein-httpauth-sasl-06) . Conversely, enable HTTP-delivered OAuth tokens to be presented to SASL resource servers with rfc7628.

In the long-term, add support for DTLS & QUIC.

4.2. Message security

Messages from the resource server to the authorization server must be protected with a protection API access token, as defined in [UMA-Fed], § 1.3.

This is a deviation from the Level 0 specification, to realign with classic UMA.

Subsitute with

  • HTTP Message Signatures + Well-Known JWK Set (cf. L0, but loosen fixed URL, since pointer in config)

  • mutual TLS (with OAuth mTLS grant ?)

  • password-based challenge–response authentication (e.g., SCRAM over TLS/SASL)

  • (augmented) password-only authentication and key exchange (e.g., CPake or OPAQUE)

Messages from the authorization server to the resource server should be protected with a HTTP Message Signature [RFC9421] using one of the keys present in the JWK Set refered to in the authorization server’s metadata.

decide on minimal headers/components to sign

4.3. Application security

The authorization server preferably interacts with resource owners and other agents through a (web) application, providing them with a graphical user interface. Since this broadens the attack surface for malicious actors, the authorization server must protect the security of its applications adequately by modern standards.

In particular, web applications for interaction with the requesting party, e.g., during claims gathering (cf. claims interaction endpoint), or with the resource owner, e.g., for policy management, must implement Cross Origin and Content Security policies, and SHOULD take into account the sources bundled in [CRE-636-347].

Moreover, in interactive flows that make use of redirection of the user agent (browser), e.g., claims gathering at the claims interaction endpoint, the authorization server should allow requests to include a state parameter, and clients should employ this parameter to track the valid state of the interaction. The value of the state parameter should be unguessable and opaque to any agent but the client itself, and [SHOULD NOT] include (unencrypted) sensitive information. If such a state parameter is used, clients must check the value after the authorization server redirects back to them, and must invalidate any message containing an invalid state parameter.

make accepting state param a must for AS: the authorization server must include it unaltered in the redirection to the client

The resource owner links a resource server to their authorization server by providing the former with the root URI of the latter, i.e., the authorization server’s issuer value (cf. § 3.2 Authorization server metadata). How this information is provided, is out of the scope of this specification.

Presuming most ASs will come with some kind of native app, a QR-based flow would be handy. We could specify how, after scanning an RS’s QR code, the AS (app) would contact that RS on a Well-Known URI to initiate contact, either through a redirect URI or by specifying a code to be checked/entered.

As soon as resource server and authorization server are known to each other, the former can request a protection API access token from the latter. This must happen via an [OAuth20] flow that both servers support. In most cases, this should include interaction of the resource owner, e.g., via the authorization code flow using redirects of the resource owner’s user-agent, but other [OAuth20] flows may be employed.

To prevent the resource owner from having to confirm the authorization every time a token expires, the authorization server should inlcude a refresh token in each successful token response.

5. Asset management

The authorization server must provide a protection API, as defined by [UMA-Fed], to govern its interactions with one or more resource servers. This API consists of three endpoints, listed in the authorization server’s metadata: the resource registration endpoint, the permission endpoint, and the introspection endpoint.

5.1. Creating an asset

In order to protect resources with A4DS, the resource server needs to register them at the authorization server. [UMA-Fed], § 3, specifies how to manage these resource descriptions using CRUD operations within the namespace of the resource registration endpoint.

New resources are registered through a registration request, which is a `POST` request to the resource registration endpoint, with an application/json body containing a resource description object. The A4DS profile also allows the request to contain a JSON array of one or more resource description objects.

Each resource description object consists of the following fields:

resource_scopes, of type sequence<ScopeDescription>

required. An array of scope descriptions or scope identifiers, representing the scopes available for the resource.

Scope descriptions are JSON objects containing the following fields:

_id, of type string

recommended. A URI identifying the scope.
Within the context of a registration request, this field is required.

name, of type string

optional. A human-readable string naming the scope.

description, of type string

optional. A human-readable string describing the scope at length.

icon_uri, of type string

optional. A URI for a graphic icon representing the scope.

dictionary ScopeDescription {
  string _id;
  string name;
  string description;
  string icon_uri;
};

scope identifier (_id) URIs can also be added directly as a string to the resource_scopes array. In that case, the resource server must make sure the resource description is publicly accessible at that URI.

The resource server should not register scope identifiers that are not URIs. In case such identifiers are present in the resource_scopes array, the authorization server should interpret them as a scope without scope description, uniquely identified by the comination of its string value and the identifier of the resource server.

For example, the following resource_scopes array expresses that the resource being registered can be read from and written to.

"resource_scopes": [
  {
    "_id": "https://example.org/modes/read",
    "name": "read",
    "description": "read the resource",
    "icon_uri": "http://example.org/icons/magnifiying_glass"
  },
 "https://example.org/modes/write"
]

A request of the form GET https://example.org/modes/write HTTP/1.1 could then return the following.

HTTP/1.1 200 OK
Content-Type: application/json
...
{
  "_id": "https://example.org/modes/write",
  "name": "write",
  "description": "write to the resource",
  "icon_uri": "http://example.org/icons/pen"
}
resource_relations, of type string

optional. A JSON object representing the structural relations the resource has towards other resources that are already registered.

Keys of the object represent relations from the resource being registered to the already existing resources. Values are strings, or arrays of strings, which must be valid identifiers of already registered resources.

Although the authorization server should not interpret the keys of the resource_relations object, and the resource server is thus free to mint its own inverse relations for relations that are conventionally expressed in the other direction – from the existing resource to the resource being registered – the resource server may alternatively express such relations by nesting them in a @reverse object.

For example, the following resource_relations object describe the resource being registered as derived from resources A and B, and contained in resource C – i.e., reading in reverse, resource C contains the the resource being registered.

"resource_relations": {
 "urn:example:relation:derivedFrom": [
  "urn:example:assets:A",
  "urn:example:assets:B"
 ],
 "@reverse": {
  "urn:example:relation:contains": "urn:example:assets:C",
 }
}
resource_defaults, of type string

optional. A JSON object representing the possible relations that future resources might have towards the newly registered resource, as well as the default/inherited scopes the newly registered resource can infer onto those future resources.

Keys of the object represent relations from potential future resources to the resource being registeredthis is the opposite of the direction in resource_relations. Values are objects interpreted as blueprints for future resources having the corresponding relation to the newly registered resource.

Just like with resource_relations, the authorization server should not interpret the keys of the registered resource_defaults object, and the resource server may express inverse relations – from the resource being registered to potential future resources – by nesting them in a @reverse object.

Currently, the blueprints support the following fields:

resource_scopes, of type string

optional. An array of scope identifiers or scope descriptions, similar to the top-level resource_scopes field, representing the minimal set of scopes available for future resources that have the corresponding relation to the newly registered resource.

dictionary DefaultDescription {
  string resource_scopes;
};

go into inheritance of these scopes from the newly registered resource in future resources!

Note that the resource_defaults object defines the complete set of relations that can be declared from future resources to the resource being registered. If at some point other relations need to be declared, the resource server should therefore update the resource registration in which the resource_defaults are defined. Moreover, to allow a relation to be declared towards the resource being registered, without specifying any bleuprint defaults for it, the resource server should add the relation to the resource_defaults with an empty object as corresponding value.

For example:

"resource_defaults": {
  "urn:example:relation:rel_with_no_defaults": {},
  "urn:example:relation:rel_from_readable_resources": {
    "scope": [ "https://example.org/modes/read" ]
  },
  "@reverse": {  
    "urn:example:relation:inverse_rel": {
      "scope": [
        "https://example.org/modes/read", 
        "https://example.org/modes/write" 
      ]
    }
  }
}
type

recommended. A string identifying the semantics of the resource. The A4DS profile adds the restriction that this value should be a URI.

name

recommended. A human-readable string naming the resource.

description

recommended. A human-readable string describing the resource at length.

icon_uri

recommended. A URI for a graphic icon representing the resource.

dictionary ResourceDescription {
  sequence<ScopeDescription> resource_scopes;
  string resource_relations;
  string resource_defaults;
  string type;
  string name;
  string description;
  string icon_uri;
};

A full registration request could then look as follows:

POST /assets/ HTTP/1.1 Content-Type: application/json
Authorization: Bearer MHg3OUZEQkZBMjcx
...
{  
  "resource_scopes": [
    "read-public",
    "post-updates",
    "read-private",
    "http://www.example.com/scopes/all"
  ],
  "icon_uri": "http://www.example.com/icons/sharesocial.png",
  "name": "Tweedl Social Service",
  "type": "http://www.example.com/rsrcs/socialstream/140-compatible"
}

5.1.1. Interpreting a registration request

The complete semantics of registration requests, as specified above, is given by the following JSON-LD context. .

{
  "@context": {
    "@version": 1.1,
    "@protected": true,
    "xml": "http://www.w3.org/2001/XMLSchema#",
    "name": { "@type": "xml:string" },  
    "description": { "@type": "xml:string" },
    "icon_uri": { "@type": "@id" },
    "resource_relations": "@nest",
    "resource_defaults": { "@type": "@vocab" },
    "scope": { "@type": "@vocab" }
  }
}

resource servers should include this context explicitly in their registration requests. If they do not, authorization servers may implicitly assume it to be present anyway

5.1.2. Processing a registration request

Upon receiving a valid registration request, the authorization server should process each resource description it contains according to the algorithm presented in § 5.1.2.1 Processing a resource description.

5.1.2.1. Processing a resource description

The following algoritm describes how an authorization server should process a resource description.

  1. Create a new asset, with an identifier that is unique within the context formed by the resource server and the authorization server itself.

  2. Store the metadata about the resource’s type, name, description, and icon.

  3. For each element in the resource_scopes of the resource:

    1. Process the scope description (cf. § 5.1.2.2 Processing a scope description).

    2. Link the scope description to the new asset.

  4. For each element of the resource_relations of the resource, and each related asset listed for that relation:

    1. Retrieve the metadata of the related asset.

    2. Search for an asset collection that has the related asset is the source, and whose determinant relation is the relation in question.

  5. For each element of the resource_defaults of the resource:

    1. Create a new asset collection, with an identifier that is unique within the context formed by the resource server and the authorization server itself.

    2. Set the newly created asset as the source of the asset collection, and the resource relation as determinant relation.

    3. For each element of resource_scopes listed for this element of resource_defaults:

      1. Process the scope description (cf. § 5.1.2.2 Processing a scope description).

      2. Link the scope to the newly created asset collection.

5.1.2.2. Processing a scope description

The following algoritm describes how an authorization server should process a scope description

  1. (Re)construct the URI of the scope:

  2. Retrieve the updated scope description:

  3. Update or create the stored scope description:

    Importantly, the authorization server may keep previous metadata about assets that are still registered. This allows the authorization server to inform an resource owner’s of changes at the resource server’s side.

5.1.3. Response to a registration request

After processing a successful registration request, the authorization server responds to the resource server with status code `201`, referring to the URI of the newly created asset in the `Location` header, and a JSON body consisting of an object with the following fields.

_id, of type string

required. A string containing the identifier of the newly created asset, which is unique within the context of the authorization server and resource server. The value should be a URI equivalent to the one in the `Location` header.

user_access_policy_uri, of type string

recommended. A string containing the URI of a (graphical) user interface, provided by the authorization server, to which the resource server can redirect an end-user resource owner to immediately manage the [policies] related to the newly created asset.

dictionary RegistrationResponse {
  string _id;
  string user_access_policy_uri;
};

For example:

HTTP/1.1 201 Created
Content-Type: application/json
Location: /assets/asset1234
...
{
  "_id": "asset1234",
  "user_access_policy_uri": "http://as.example.com/rs/222/resource/KX3A-39WE/policy"
}

In contrast, when the processing of the registration request – according to the algorithm presented in – results in an error, the authorization server must instead respond with an error message containing the status code and error description resulting from the algorithm (cf. § 11 Error messages).

5.2. Inspecting an asset

5.2.1. Asset overview

A resource server can retrieve the list of resources it registered at a specific authorization server by sending a `GET` request to the resource registration endpoint. This allows the resource server to ensure a correct synchronisation between the state of its (protected) resources and that of the the assets known by the authorization server.

For example:

GET /assets/ HTTP/1.1
Authorization: Bearer 204c69636b6c69
...

Upon receiving such a request, the authorization server must respond with status code `200`, and a JSON body consisting of an array containing the identifiers of all the assets registered at the authorization server by that particular resource server.

For example:

HTTP/1.1 200 OK
Content-Type: application/json
...
[  
  "KX3A-39WE",
  "9UQU-DUWW"
]

5.2.2. Asset details

More details on a specific asset can be requested by sending a `GET` request to the URI formed by concatenating the URI of the resource registration endpoint with the identifier of the asset in question.

For example:

GET /assets/KX3A-39WE HTTP/1.1
Authorization: Bearer MHg3OUZEQkZBMjcx
...

Upon receiving such a request, the authorization server must respond with status code `200`, and a JSON body consisting of the referenced resource description, complemented with an _id parameter containing the asset’s identifier.

5.3. Modifying an asset

5.3.1. Asset updates

resource servers can update the resource description of existing assets by sending a `PUT` request to the URI formed by concatenating the URI of the resource registration endpoint with the identifier of the asset in question. The JSON body of the request must consist of the resource description with which the resource server wants the previously registered resource description to be replaced. The syntax of the request is thus identical to the one of a new resource registration request.

Upon receiving such a request, the authorization server must perform an operation equivalent to the complete replacement of the information it has stored concerning the asset in question with the information it extracts from the updated resource description by processing it according to the algorithm presented in § 5.1.2 Processing a registration request. In particular, this entails the following:

A.

  • Update the metadata about the resource’s type, name, description, and icon.

    Importantly, the authorization server may keep previous metadata about assets that are still registered. This allows the authorization server to inform an resource owner’s of changes at the resource server’s side.

  • Update the resource scopes:

    1. Process the scope descriptions in the update request (cf. § 5.1.2.2 Processing a scope description).

    2. For each resource scope related to the asset or present in the update request:

      • If the scope is linked to the asset, but not present in the update request: remove the scope from the asset.

        Importantly, the authorization server may keep the scope descriptions of scopes that are no longer linked to any asset; MAY keep track of which scopes where linked to which asset in the past; and may save policies that pertain these scopes. This allows the authorization server to maintain an resource owner’s preferences over changes at the resource server’s side.

      • If the scope is present in the update request, but not linked to the asset: Link the scope to the asset.

  • Update the resource relations:

    1. Record all asset collections the asset is currently part of.

    2. For each element of the resource_relations of the update, and each related asset listed for that relation:

      1. Retrieve the metadata of the related asset.

      2. Search for an asset collection that has the related asset is the source, and whose determinant relation is the relation in question.

  • Update the resource defaults:

    1. Record the determinant relations of each collection that has the asset as its source.

    2. For each element of the resource_defaults of the resource:

      • If the recorded list of relations already contains the resource relation being processed:

        1. Record all current scopes listed for the corresponding collection.

        2. Record the updated scopes in the update to it.

      • If not: process it according to the algorithm in § 5.1.2.1 Processing a resource description.

B. Assess the difference between the current and updated resource relations, and between the current and updated resource defaults.

  • If they are both identical, perform the update.

    If the update was successful, the authorization server must respond with status code `200`, and a body consisting of a JSON object with an _id parameter containing the asset’s identifier. The authorization server should also include a user_access_policy_uri

    For example:

    HTTP/1.1 200 OK
...
{  
  "_id": "9UQU-DUWW",
  "user_access_policy_uri": "http://as.example.com/rs/222/resource/9UQU-DUWW/policy"
}

    Importantly: During an update, the authorization server may change the identifier of an asset, e.g., to maintain an immutable state. If it does so, the authorization server should change the identifier in its entire knowledge base. If the response contains a different identifier than the target of the request, the resource server should update its own mapping accordingly.

  • If they one of them is not identical:

    • The authorization server may perform the update, as in the previous point.

    • Alternatively, the authorization server may instead respond with status code `424`, and a body consisting of a JSON object with a redirect_user parameter containing the URI at which the resource owner can intervene in the process.

      For example:

      HTTP/1.1 424 Failed Dependency
...
{  
  "redirect_user": "http://as.example.com/rs/222/resource/9UQU-DUWW/update"
}

5.3.2. Asset deletion

Resources can be removed from the protection domain of the authorization server by deleting their corresponding assets on the authorization server. The resource server does this by sending a `DELETE` request to the URI formed by concatenating the URI of the resource registration endpoint with the identifier of the asset in question.

For example:

DELETE /assets/9UQU-DUWW
Authorization: Bearer 204c69636b6c69
...

When the authorization server receives such a request, the authorization server must remove all the information it has stored pertaining the asset in question. In particular, this includes:

  1. Remove all collections that have the asset as source (i.e., its resource defaults); for each collection:

    1. If the collection still has assets that are part of it: repeat this algorithm for each of those assets.

      The authorization server may instead respond to the resource server with an error message containing status code `409` and error description non_empty_collections (cf. § 11 Error messages). If an resource server receives an error response with this error code, and still wants to continue with the deletion, it should send an expanded version of the deletion, that includes the asset identifiers of all resources related to this one.

      Importantly, if deletion is successful resource server should consider all resources that were previously related to this asset to be no longer protected by the authorization server.

    2. Delete the collection.

  2. Remove the asset from all collections (.i.e., resource relations) it is part of.

  3. Delete the asset itself, including its current metadata (type, name, description, and icon), any previous metadata that authorization server has still stored, and its links to resource scopes, both current and any previous ones.

    Importantly, the authorization server may keep the scope descriptions of scopes that are no longer linked to any asset.

If the deletion was sucessful, the authorization server must respond with status codes `200`, `204` or `205`.

For example:

HTTP/1.1 204 No content
...

Importantly, even in case of a deletion, the authorization server may include a body with a JSON object containing a user_access_policy_uri. This can, for example, allow the resource owner to immediately access the policy configurations for an higher-level asset or more general interface.

For example:

HTTP/1.1 205 Reset content
...
{  
  "user_access_policy_uri": "http://as.example.com/rs/222/resource/9UQU-DUWW/policy"
}

6. Policy management

Based on the resource descriptions provided by the resource server, the authorization server enables the resource owner to manage policies that govern the authorization on interaction with those resources. The specific user interface(s) through which the resource owner can exert this control is out of the scope of this specification. This section only specifies the conformance with respect to the affordances such an interface must provide to the resource owner.

For each asset in the authorization server’s knowledge base, the authorization server must provide the resource owner with the following affordances.

clarify what 'policies'/'criteria' are, and whether each AS is obliged to support them all, or urged to provide a certain minimum set ....

In providing these affordances to the resource owner, the authorization server should take into account each asset’s metadata: the type, name, description and icon from the resource description, and the name, description and icon from the scope description. These metadata should be used to maximize the potential for the resource owner to make an informed policy decision.

7. Accessing resources at the resource server

7.1. Attempting access with a token

When the client attempting to access resources presents the resource server with an access token, e.g., a Bearer token passed in the `Authorization` header of the request (cf. [RFC6750]), the resource server must determine whether the token is valid and covers the resources and scopes being accessed, as specified in [UMA-Grant], § 3.5 and [UMA-Fed], § 5, using token introspection if necessary (cf. [RFC7662]).

7.2. Attempting access without a token

When the client attempting to access resources has no token authorizing the access, the resource server must request a permission ticket from the authorization server, as specified in [UMA-Grant], § 3.2, and described in § 7.3 Requesting a Ticket.

For example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA
  as_uri="https://as.example.com",
  ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
...

look into particular use of realm parameter (vs scope) to limit protection space for user/ticket/type

7.3. Requesting a Ticket

When a client application makes an unauthorized attempt to access resources on an resource server – with an invalid access token, or none at all – the resource server can request a permission ticket from the relevant authorization server, and provide the ticket to the client as an indication of the scope of the attempted access, while pointing the client to the authorization server, as described in [UMA-Fed], § 4.

As specified in [UMA-Fed], § 4.1, the ticket is requested by sending a `POST` request to the permission_endpoint, with an application/json body containing a permission description object, or an array of such ojects.

Each permission description consists of the following fields.

resource_id, of type string

required. A string indicating the resource in question, as known to the authorization server. (Note that this identifier might differ from any related URI at the side of the resource server).

resource_scopes, of type string

required. An array of strings representing the scopes requested for the resource in question.

dictionary PermissionDescription {
  string resource_id;
  string resource_scopes;
};

Upon receiving a permission request, the authorization server must process it according to the following algorithm.

  1. Create a new ticket, with an identifier that is unique within the context formed by the resource server and the authorization server itself.

  2. For each permission description in the permission request:

    1. Check the validity of the resource identifier and scope identifiers.

    2. Add the details of the permission description to the newly created ticket.

According to [UMA-Fed], § 4.2, a successful permission request results in a `201` response containing the ticket parameter in an application/json body.

A4DS extends the possible responses of the authorization server to a permission request, to enable better integration with public resources. When the authorization server can detect within reasonable time that the resources in question are publically accessible, it should signal this to the resource server by sending a `200` response without a body instead. This way, the resource server can allow the client to access public resources without a round-trip to the authorization server, thus increasing performance and making public resources accessible for clients that are not aware of the UMA protocol.

8. Requesting access at the authorization server

In order to access protected resources at the resource server, clients request permission to do so at the authorization server by sending an access request: a `POST` request to the authorization server’s token endpoint.

It is recommended that the body of the access request is encoded as application/json; the client may alternatively send it in application/x-www-form-urlencoded form, as specified in [OAuth20], § 4.1.3 and exemplified in [UMA-Grant], § 3.3.1. The following common parameters are supported, complemented by the ones listed in § 8.1 Requesting access with a permission ticket or § 8.2 Requesting access without a permission ticket, depending on the use case.

Go into the combination of permissions and ticket.

add support for Rich Authorization Requests and/or JWT-Secured Authorization Requests and/or Pushed Authorization Requests.

grant_type, of type string

required when presenting a ticket. The type of the [OAuth20] grant presented at the token endpoint. Within the context of UMA, the value must be urn:ietf:params:oauth:grant-type:uma-ticket.

claim_token, of type string

optional. Directly pushed claim information, provided either on the first or on subsequent requests in the authorization flow. The value is a string, formatted as indicated by the claim_token_format parameter. Unless explicitly specified by the indicated format, the string is base64url encoded [RFC4648].

claim_token_format, of type string

required if the claim_token parameter is present. A string specifying the format of the directly pushed claim token. The value should be a URI, e.g., http://openid.net/specs/openid-connect-core-1_0.html#IDToken.

If claim_token parameter is not present, the client [SHOULD NOT] include the claim_token_format parameter either. If it is present in an access request without a claim_token parameter anyway, the authorization server must ignore it.

add usage of Persistent Claims Tokens and upgrading of RPTs

8.1. Requesting access with a permission ticket

Having received a permission ticket from the resource server, the client can turn to the authorization server to request access for the resource(s) and scope(s) represented by the ticket. In addition to the common parameters listed above (cf. § 8 Requesting access at the authorization server), such a request must contain the following parameters.

ticket, of type string

required when presenting a ticket. The identifier of the permission ticket that the client received from the resource server.

For example:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/json
...

{
  "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de",
  "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
  "claim_token": "eyj0..."
}

8.2. Requesting access without a permission ticket

For clients that know the resource(s) and scope(s) they want to access, the A4DS profile adds a shortcut that saves them the initial request to the resource server. Instead, those clients may address the authorization server directly, and include the resource(s) and scope(s) directly under the permissions parameter.

permissions, of type string

required when requesting permissions directly. The resource(s) and scope(s) the client requests access to. The format of this field is identical to that of the permission request described in § 7.3 Requesting a Ticket: a permission description object or an array of such objects.

NOTE: Keycloak employs a similar approach, but restricts the value of their permission parameter to a single string encoding of JSON data. Keycloak also allows such requests to target specific resource URIs, so their AS knows more than a standard UMA server.

For example:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/json
...

{
  "permissions": {
    "resource_id": "KX3A-39WE",
    "resource_scopes": [ 
    "post-updates",
    "http://photoz.example.com/dev/scopes/print"
    ]
  },
  "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
  "claim_token": "eyj0..."
}

8.3. Requesting extra 'global scopes'

The UMA specification allows the traditional [OAuth20] scope parameter to be added to an access request, regardless of the scopes present in the ticket or in the permissions parameter. Each scope requested in this way applies to all resources to which the access request pertains. Clients can only request such 'global scopes' if they have been pre-registered for those scopes through a static or dynamic registration client registration mechanism.

scope, of type string

not recommended A string of space-separated scope identifiers, requesting extra scopes, for which the client has been pre-registered, that apply to all requested resources.

The A4DS profile discourages access requests for such global scopes. To request resource-specific scopes that are not included in a ticket from the resource server, it is preferable to use the permissions parameter specified in § 8.2 Requesting access without a permission ticket.

consider simply disallowing this, and letting 'scope' double as 'permissions', with permission descriptions without a resource id functioning as 'global scopes' (and similar without scope ids functioning as all scopes on one resource).

dictionary AccessRequest {
  string grant_type;
  string claim_token;
  string claim_token_format;
  string ticket;
  string permissions;
  string scope;
};

9. Claims

Claims are the units of authentication required and provided during the authorization process. They are statements encoded in claim tokens: exchangeable – and typically verifiable – serialisations of one or more claims, according to a claim token format.

9.1. Claim descriptions

Metadata about a claim, that is relevant for processing it or presenting it to an agent, can be expressed in a claim description, containing the following parameters.

claim_token_format, of type string

optional. A string, or array of strings, indicating the (acceptable) token formats of a claim. The values should be URIs.

claim_type, of type string

optional. A string, or array of strings, indicating the (expected) semantic type/interpretation of a claim value. The values should be URIs.

issuer, of type string

optional. A string, or array of strings, indicating the (acceptable) authorities issuing the claim. The values should be URIs.

name, of type string

optional. A string that uniquely identifies the claim within context in which the claim description is used. The value should be a URI.

friendly_name, of type string

optional. A short human-readable string, which can be uses to display the claim in user interfaces.

dictionary ClaimDescription {
  string claim_token_format;
  string claim_type;
  string issuer;
  string name;
  string friendly_name;
};

NOTE: Parameters taking an array as value are to be interpreted as the union/disjunction of its elements, i.e., they are to be read as "one of ..."

9.2. Claim token formats

clarify claim token formats, and discuss advertising them with a parameter separate from uma profiles

9.3. Providing claims

UMA provides two mechanisms for requesting partys to provide claims to the authorization server:

  • Claims pushing: ... (Section 3.3.1)

  • Interactive claims gathering: ... (Section 3.3.2)

TODO

9.3.1. Claims pushing

TODO

9.3.2. Interactive claims gathering

TODO

10. Processing an access request

10.1. Completing the permission ticket

Upon receiving an access request, the authorization server should process it according to the following algorithm.

Go into the combination of permissions and scope (and possibly ticket).

  1. If the access request contains a ticket parameter, the authorization server looks up the corresponding ticket in its knowledge base.

    • If the value of the ticket parameter is a valid ticket identifier, the corresponding ticket is used as target of the request.

    • If no ticket with the corresponding identifier is found, the authorization server should respond with error code invalid_grant (cf. [UMA-Fed], § 6).

  2. If the access request contains a permissions parameter, the authorization server should create a new ticket, following the steps described in § 7.3 Requesting a Ticket. This ticket is then used as target of the request.

  3. If the access request contains a scope parameter:

    1. Look up the metadata of the client, in particular the list of scopes for which it is pre-registered.

    2. Split the string value of the scope parameter on space characters.

    3. For each element of the split string:

      • If the string is a scope identifier (_id) present in the list of pre-registered scopes of the client: add the scope to the list of requested scopes for each of the permission descriptions in the target ticket.

        NOTE: the UMA algorithm keeps these separate, possibly allowing the extra scopes to vary between different messages in the authorization flow/negotiation... again, this seems to parallel the permissions object.

      • If not, the authorization server may disregard the element, or send an error response with error code invalid_scope (cf. [UMA-Fed], § 6).

10.2. Determining the policy decision

After having completed the information in the permission ticket, it is time for the authorization server to determine the authorization decision as a result of the resource owner’s policies, applied to the available information.

Just like UMA, the A4DS profile does not specify the mechanism by which this decision is to be made. On top of UMA, however, this specification adds an interface through which an authorization server may communicate with any interoperable policy engine, thereby clearly separating the domain of exchange and negotiation – between the client and the authorization server – from the domain of decision-making.

A4DS therefore defines a policy engine as any (implementation of an) algorithm that, given a complete permission ticket – including all requested permissions and all currently provided claims – can determine all active/operative policy conditions (and other relevant information, serving as state of the world), and evaluate their authorization status (i.e., compliance).

10.3. Granting an access token

When the authorization server concludes that the provided claims are sufficient to grant the client access to the requested resources, it responds with an access token and `Authorization` scheme, as specified in [UMA-Grant], § 3.3.5 (see also [RFC9110], § 11.6.2)).

For example:

HTTP/1.1 200 OK
Content-Type: application/json
... 

{ 
  "access_token": "sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
  "token_type": "Bearer"
}

The client can then use this access token to access the required resources at the resource server (cf. § 7.1 Attempting access with a token).

11. Error messages

If any interaction with the authorization server fails, the latter must respond with an error message, to inform the other party of the error. An error message is a HTTP response message with a status code in the ranges 4xx or 5xx. An error message may contain an error description, which is a JSON object with the following parameters, as defined by [OAuth20], [UMA-Grant], and [UMA-Fed].

error, of type string

required. A string containing an error code.

error_description, of type string

optional. A string containing human-readable information about the error.

error_uri, of type string

optional. A string containing the URI reference of a web page with human-readable information about the error.

state, of type string

required if a state parameter was present in the request that triggered the error. The value must be the unaltered value of the state parameter in that request.

dictionary ErrorDescription {
  string error;
  string error_description;
  string error_uri;
  string state;
};

The possible error codes defined by [UMA-Grant] and [UMA-Fed] are the following.

invalid_resource_id

Status code `400`. At least one of the provided resource identifiers was not found at the authorization server.

need_info

Status code `403`. The authorization server needs additional information in order for a request to succeed, for example, a provided claim token was invalid or expired, or had an incorrect format, or additional claims are needed to complete the authorization assessment.

Error descriptions with this error code must additionally include the following parameters:

ticket, of type string

required. A permission ticket that allows the client to make a further request to the authorization server’s token endpoint as part of this same authorization process, potentially immediately. The value MUST NOT be the same as the one the client used to make its request.

required_claims, of type string

required if redirect_user not present, optional otherwise. An array of objects that describe the required claims.

redirect_user, of type string

required if required_claims not present, optional otherwise. The claims interaction endpoint URI to which to redirect the end-user requesting party at the authorization server to continue the process of interactive claims gathering. If the requesting party is not an end-user, then no client action is possible on receiving the hint.

dictionary NeedInfoError : ErrorDescription {
  required string ticket;
  string required_claims;
  string redirect_user;
};
request_denied

Status code `403`. The client is not authorized to have these permissions.

request_submitted

Status code `403`. The authorization server requires intervention by the resource owner to determine whether the client is authorized to have these permissions.

Error descriptions with this error code must additionally include the following parameters:

ticket, of type string

required. A permission ticket that allows the client to make one or more later polling requests to the token endpoint as part of this same authorization process, when the resource owner might have completed some approval (or denial) action. The value MUST NOT be the same as the one the client used to make its request.

interval, of type string

optional. The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint. See Section 5.5 for security considerations in scenarios involving polling and consequences for permission ticket lifetimes.

dictionary RequestSubmittedError : ErrorDescription {
  string ticket;
  string interval;
};
not_found

Status code `404`. The authorization server cannot find the referenced resource.

unsupported_method_type

Status code `405`. The request used an unsupported HTTP method.

The A4DS profile adds the following error codes.

non_empty_collections

Status code `409`. The authorization server does not support deletion of assets that are the source of non-empty collections.

need_interaction

Status code `424`. To continue processing the request, the authorization server needs to interact with the resource owner.

Error descriptions with this error code must additionally include the following parameters:

redirect_user, of type string

optional. The interaction endpoint URI to which to redirect the end-user requesting party at the authorization server to continue the process of asset management. If the requesting party is not an end-user, then no client action is possible on receiving the hint.

dictionary NeedInteractionError : ErrorDescription {
  string redirect_user;
};

Additionally, if no more specific error code can describe the error better, the authorization server may respond with the following error codes defined by [OAuth20]:

unsupported_grant_type

Status code `400`. The provided grant type is not supported by the authorization server.

unsupported_response_type

Status code `400`. The requested response type is not supported by the authorization server.

invalid_request

Status code `400`. The request is invalid, e.g., it has missing or invalid parameters.

invalid_scope

Status code `400`. The requested scope is invalid or not known to the authorization server. At least one of the scopes included in the request does not match an available scope for any of the resources associated with requested permissions for the permission ticket provided by the client. The authorization server MAY also return this error when at least one of the scopes included in the request does not match a scope for which the client is pre-registered with the authorization server.

invalid_grant

Status code `400`. The provided grant is expired, revoked, or otherwise invalid.

invalid_client

Status code `400`, or `401` with `WWW-Authenticate` header. Client authentication failed, e.g., the client is unknown, did not provide authentication, or attempted an unsupported authentication method).

unauthorized_client

Status code `400`, or `403`. The client is successfully authenticated but not authorized to use this grant type.

access_denied

Status code `400`, or `403`. The access request is denied.

temporarily_unavailable

Status code `400`. The authorization server is temporarily unable to process the request.

server_error

Status code `400`. The authorization server could not process the request due to unforeseen circumstances.

enum ErrorCode {
  "access_denied",
  "invalid_client",
  "invalid_grant",
  "invalid_request",
  "invalid_resource_id",
  "invalid_scope",
  "need_info",
  "not_found",
  "request_denied",
  "request_submitted",
  "server_error",
  "temporarily_unavailable",
  "unauthorized_client",
  "unsupported_grant_type",
  "unsupported_method_type",
  "unsupported_response_type"
};

Conformance

Conformance requirements are expressed in the normative parts of this document, using a combination of descriptive assertions and Key words for use in RFCs to Indicate Requirement Levels. All the text of this specification is normative, except for sections starting with the declaration "This section is non-normative.", and the specific informative parts mentioned below.

The key words "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may", and "optional" are to be interpreted as described in [RFC2119]. For readability, in styled versions of this document these key words will be styled to stand out from the text.

Apart from sections explicitly declaring themselves to be non-normative, the informative parts of this document include examples, notes, assertions, advisements, and issues. These parts are either explicitly introduced, e.g., "For example", "Note that" – in which case they are typically limited to the end of the section or paragraph in which they occur – or they are set apart from the normative text by assigning them a markup class, .e.g, class="advisement", class="issue". In the latter case, styled versions of this document will display them as blocks standing out from the text.

For example:
This is an advisement.
This is an assertion.
This is a note.
This is an example.
This is an issue.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[AS-Meta]
M. Jones; N. Sakimura; J. Bradley. OAuth 2.0 Authorization Server Metadata. June 2018. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8414
[Client-ID]
Aaron Parecki; Emelia Smith. OAuth Client ID Metadata Document. 10 January 2025. Active Internet-Draft. URL: https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-metadata-document/
[Client-Meta]
J. Richer, Ed.; et al. OAuth 2.0 Dynamic Client Registration Protocol. July 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7591
[CSP3]
Mike West; Antonio Sartori. Content Security Policy Level 3. URL: https://w3c.github.io/webappsec-csp/
[CSS2]
Bert Bos; et al. Cascading Style Sheets Level 2 Revision 1 (CSS 2.1) Specification. URL: https://drafts.csswg.org/css2/
[HTML]
Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[I18N-GLOSSARY]
Richard Ishida; Addison Phillips. Internationalization Glossary. URL: https://w3c.github.io/i18n-glossary/
[JSON-LD11]
Gregg Kellogg; Pierre-Antoine Champin; Dave Longley. JSON-LD 1.1. URL: https://w3c.github.io/json-ld-syntax/
[OAuth20]
D. Hardt, Ed.. The OAuth 2.0 Authorization Framework. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6749
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[RFC3986]
T. Berners-Lee; R. Fielding; L. Masinter. Uniform Resource Identifier (URI): Generic Syntax. January 2005. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc3986
[RFC4648]
S. Josefsson. The Base16, Base32, and Base64 Data Encodings. October 2006. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc4648
[RFC7662]
J. Richer, Ed.. OAuth 2.0 Token Introspection. October 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7662
[RFC8259]
T. Bray, Ed.. The JavaScript Object Notation (JSON) Data Interchange Format. December 2017. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc8259
[RFC8446]
E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. August 2018. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8446
[RFC8615]
M. Nottingham. Well-Known Uniform Resource Identifiers (URIs). May 2019. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8615
[RFC9110]
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP Semantics. June 2022. Internet Standard. URL: https://httpwg.org/specs/rfc9110.html
[RFC9112]
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP/1.1. June 2022. Internet Standard. URL: https://httpwg.org/specs/rfc9112.html
[RFC9325]
Y. Sheffer; P. Saint-Andre; T. Fossati. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). November 2022. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc9325
[UMA-Fed]
Maciej Machulak; Justin Richer; Eve Maler, Ed.. Federated Authorization for User-Managed Access (UMA) 2.0. 7 January 2018. Recommendation. URL: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html
[UMA-Grant]
Maciej Machulak; Justin Richer; Eve Maler, Ed.. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization. 7 January 2018. Recommendation. URL: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html
[WEBIDL]
Edgar Chen; Timothy Gu. Web IDL Standard. Living Standard. URL: https://webidl.spec.whatwg.org/

Informative References

[CRE-636-347]
OWASP. CRE 636-347: HTTP security headers. n.d.. URL: https://opencre.org/cre/636-347
[JWK]
M. Jones. JSON Web Key (JWK). May 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7517
[Resource-Meta]
Michael B. Jones; Phil Hunt; Aaron Parecki. OAuth 2.0 Protected Resource Metadata. 10 January 2025. Active Internet-Draft. URL: https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/
[RFC6750]
M. Jones; D. Hardt. The OAuth 2.0 Authorization Framework: Bearer Token Usage. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6750
[RFC9421]
A. Backman, Ed.; J. Richer, Ed.; M. Sporny. HTTP Message Signatures. February 2024. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc9421
[UMA-Trust]
Wouter Termont; et al. From Resource Control to Digital Trust with User-Managed Access. 5 November 2024. URL: https://arxiv.org/abs/2411.05622

IDL Index

dictionary ClientMetadata {
  string client_id;
  string jwks;
  string jwks_uri;
  string redirect_uris;
  string token_endpoint_auth_method;
};

dictionary AuthorizationServerMetadata {
  string uma_profiles_supported;
  string client_id_metadata_document_supported;
  string issuer;
  string resource_registration_endpoint;
  string permission_endpoint;
  string token_endpoint;
  string introspection_endpoint;
  string claims_interaction_endpoint;
  string jwks_uri;
};

dictionary ScopeDescription {
  string _id;
  string name;
  string description;
  string icon_uri;
};

dictionary DefaultDescription {
  string resource_scopes;
};

dictionary ResourceDescription {
  sequence<ScopeDescription> resource_scopes;
  string resource_relations;
  string resource_defaults;
  string type;
  string name;
  string description;
  string icon_uri;
};

dictionary RegistrationResponse {
  string _id;
  string user_access_policy_uri;
};

dictionary PermissionDescription {
  string resource_id;
  string resource_scopes;
};

dictionary AccessRequest {
  string grant_type;
  string claim_token;
  string claim_token_format;
  string ticket;
  string permissions;
  string scope;
};

dictionary ClaimDescription {
  string claim_token_format;
  string claim_type;
  string issuer;
  string name;
  string friendly_name;
};

dictionary ErrorDescription {
  string error;
  string error_description;
  string error_uri;
  string state;
};

dictionary NeedInfoError : ErrorDescription {
  required string ticket;
  string required_claims;
  string redirect_user;
};

dictionary RequestSubmittedError : ErrorDescription {
  string ticket;
  string interval;
};

dictionary NeedInteractionError : ErrorDescription {
  string redirect_user;
};

enum ErrorCode {
  "access_denied",
  "invalid_client",
  "invalid_grant",
  "invalid_request",
  "invalid_resource_id",
  "invalid_scope",
  "need_info",
  "not_found",
  "request_denied",
  "request_submitted",
  "server_error",
  "temporarily_unavailable",
  "unauthorized_client",
  "unsupported_grant_type",
  "unsupported_method_type",
  "unsupported_response_type"
};

Issues Index

This is an issue.
Refer to OAuth 2.1 only, as soon as it is out of draft.
Specify resource owner and relying parties to be natural or legal persons or groups of people.
todo
todo
todo
Should we also allow (dynamic) registration? E.g. for clients that cannot host anything?
Look into extending this to DIDs + DID Documents (using a limited list of DID methods, or the universal resolver).
decide on profile URI
Should be RECOMMENDED, or even REQUIRED instead
Should be RECOMMENDED, or even REQUIRED instead
loosen required url (since ref in discovery anyway)
use [Resource-Meta] (instead of "storage description"), and possibly also [Client-Meta]
Require key exhange algorithms based on ephemeral Diffie–Hellman ciphers (TLS_DHE and TLS_ECDHE) to ensure forward secrecy.
Require HTTP/2, which includes the requirements above, and patches some vulnerabilities in (m)TLS negotiation.
In the long-term, abstract from HTTP towards any SASL-aware application layer (cf. draft-vanrein-httpauth-sasl-06) . Conversely, enable HTTP-delivered OAuth tokens to be presented to SASL resource servers with rfc7628.
In the long-term, add support for DTLS & QUIC.
Subsitute with
decide on minimal headers/components to sign
make accepting state param a must for AS: the authorization server must include it unaltered in the redirection to the client
Presuming most ASs will come with some kind of native app, a QR-based flow would be handy. We could specify how, after scanning an RS’s QR code, the AS (app) would contact that RS on a Well-Known URI to initiate contact, either through a redirect URI or by specifying a code to be checked/entered.
go into inheritance of these scopes from the newly registered resource in future resources!
clarify what 'policies'/'criteria' are, and whether each AS is obliged to support them all, or urged to provide a certain minimum set ....
look into particular use of realm parameter (vs scope) to limit protection space for user/ticket/type
Go into the combination of permissions and ticket.
add support for Rich Authorization Requests and/or JWT-Secured Authorization Requests and/or Pushed Authorization Requests.
add usage of Persistent Claims Tokens and upgrading of RPTs
consider simply disallowing this, and letting 'scope' double as 'permissions', with permission descriptions without a resource id functioning as 'global scopes' (and similar without scope ids functioning as all scopes on one resource).
clarify claim token formats, and discuss advertising them with a parameter separate from uma profiles
TODO
TODO
TODO
Go into the combination of permissions and scope (and possibly ticket).