forked from mrtopf/UMA-Specifications
-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathuma-permission-reg.xml
237 lines (194 loc) · 8.58 KB
/
uma-permission-reg.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN"
"http://xml.resource.org/authoring/rfc2629.dtd" [
<!ENTITY RFC2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC6749 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6749.xml">
<!ENTITY RFC7159 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7159.xml">
<!ENTITY UMA PUBLIC "" "http://kantarainitiative.org/confluence/display/uma/Home">
<!ENTITY UMAreqs PUBLIC "" "http://kantarainitiative.org/confluence/display/uma/UMA+Requirements">
]>
<rfc category="std" docName="draft-maler-uma-permregext" id="kantara"
ipr="kantara">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc='yes' ?>
<?rfc tocdepth='4' ?>
<?rfc symrefs='yes' ?>
<?rfc sortrefs='yes' ?>
<?rfc compact='yes' ?>
<?rfc subcompact='no' ?>
<front>
<title abbrev="draft-maler-uma-permregext">UMA Permission Registration
Extension</title>
<author fullname="Eve Maler" initials="E." surname="Maler">
<organization>ForgeRock</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date day="" month="October" year="2015" />
<abstract>
<t>This extension specification defines a mechanism for an UMA V1.0.1
resource server to register multiple requested permissions at an UMA
authorization server, not just a single one.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>This extension specification defines a mechanism for a User-Managed
Access (<xref target="UMA" />) V1.0.1 resource server to register
multiple requested permissions at an UMA authorization server, not just
a single one.</t>
<section title="Notational Conventions">
<t>The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in <xref
target="RFC2119" />.</t>
<t>Unless otherwise noted, all protocol properties and values are case
sensitive. JSON <xref target="RFC7159" /> data structures defined by
this specification MAY contain extension properties that are not
defined in this specification. Any entity receiving or retrieving a
JSON data structure SHOULD ignore extension properties it is unable to
understand. Extension names that are unprotected from collisions are
outside the scope of this specification.</t>
</section>
</section>
<section anchor=""
title="Extension to How Resource Server Registers Requested Permissions With Authorization Server">
<t>The resource server is assumed to need to use the protection API's
permission registration endpoint under all the same circumstances as
defined in the base UMA specification. This extension specification
defines a mechanism for allowing an array of one or more requested
permissions.</t>
<t>Note: A future minor revision of the UMA specification could
potentially incorporate this extension as long as the non-array option
is preserved; the non-array option could be eliminated only in a future
major revision of the specification because it would be backwards
incompatible.</t>
<section anchor="summary" title="Extension Summary and Identifying URI">
<t>Following is a summary of the extension defined in this
specification.<list style="symbols">
<t>Identifying URI: <spanx
style="verb">https://docs.kantarainitiative.org/uma/extensions/perm-reg-1.0</spanx></t>
<t>Extension author and contact information: Eve Maler
([email protected])</t>
<t>Updates or obsoletes: None; this extension is new.</t>
<t>Security considerations: None additional.</t>
<t>Privacy considerations: None additional.</t>
<t>Error states: See below.</t>
</list></t>
</section>
<section title="Authorization Server Configuration Data Extension for Indicating Extension Support">
<t>An authorization server that supports the extension defined in this
specification MUST provide a JSON property in its configuration data
with a name that matches the identifying URI as defined in <xref
target="summary" />, and one of the following values:<list
style="hanging">
<t hangText="supported">This is an authorization server that
supports the extension form of requested permission registration
in addition to the form defined in the UMA V1.0.1
specification.</t>
<t hangText="extension-only">This is an authorization server that
supports the extension form (arrays only), and not the singular
form of requested permissions. Note that such an authorization
server <spanx style="strong">cannot conform</spanx> to UMA V1.0 or
V1.0.1.</t>
</list> </t>
</section>
<section title="Resource Server Request to Permission Registration Endpoint">
<figure>
<preamble>Example of an HTTP request that registers a requested
permission at the authorization server's permission registration
endpoint, with a PAT in the header, containing an array of requested
permissions with a single object in it:</preamble>
<artwork><![CDATA[
POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 426561726572
[
{ "resource_set_id": "7b727369647d",
"scopes": [ "view", "print" ]
}
]
]]></artwork>
</figure>
<figure>
<preamble>Example of an HTTP request that registers a requested
permission at the authorization server's permission registration
endpoint, with a PAT in the header, containing an array of requested
permissions with three objects in it:</preamble>
<artwork><![CDATA[
POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 426561726572
[
{ "resource_set_id": "7b727369647d",
"scopes": [ "view", "crop", "lightbox" ]
},
{ "resource_set_id": "7b72736964327d",
"scopes": [ "view", "layout", "print" ]
},
{ "resource_set_id": "7b72736964337d",
"scopes": [
"http://www.example.com/scopes/all"
]
}
]
]]></artwork>
</figure>
</section>
<section title="Authorization Server Response to Resource Server on Permission Registration Success">
<t>If the authorization server is successful in creating a permission
ticket in response to all the elements of the resource server's
request, it responds with an HTTP 201 (Created) status code and
includes a ticket property in the JSON-formatted body that represents
the entire set of the one or more requested permissions that were
registered.</t>
<figure>
<preamble>For example:</preamble>
<artwork><![CDATA[
HTTP/1.1 201 Created
Content-Type: application/json
...
{
"ticket": "332d7273-6964732d-63726561-74656421"
}
]]></artwork>
</figure>
</section>
<section title="Authorization Server Response to Resource Server on Permission Registration Failure">
<t>If the resource server's request is authenticated properly but
fails because one or more of the requested permissions has an invalid
resource set identifier or an invalid scope, then... [TO BE DISCUSSED:
What should happen? Should a partial result be registered? If so, what
should be the response? Or should the whole thing fail?]</t>
</section>
</section>
<section title="Security Considerations">
<t>None additional.</t>
</section>
<section title="Privacy Considerations">
<t>None additional.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2119;
&RFC7159;
<reference anchor="UMA"
target="https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html">
<front>
<title>User-Managed Access (UMA) Profile of OAuth 2.0</title>
<author initials="T." surname="Hardjono">
<organization>MIT</organization>
</author>
<date day="" month="September" year="2015" />
</front>
</reference>
</references>
</back>
</rfc>