Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of "implicit resource set" #12

Open
findthomas opened this issue Aug 16, 2011 · 5 comments
Open

Use of "implicit resource set" #12

findthomas opened this issue Aug 16, 2011 · 5 comments
Labels
rsrc-reg Related to resource registration (or the original UMA1 resource reg spec)

Comments

@findthomas
Copy link

Should it be possible to have an "implicit resource set" somehow that (in syntactic-sugar fashion) allows permissions to be passed around much as scopes already are passed around in plain OAuth? (Someone want to take this AI?)

[Previously #33]
@xmlgrrl
Copy link

xmlgrrl commented Jan 15, 2012

A recent thread on the OAuth list, regarding "OPTIONAL" scopes, may be interesting to consider in this context: http://www.ietf.org/mail-archive/web/oauth/current/msg08190.html

@xmlgrrl
Copy link

xmlgrrl commented Dec 21, 2012

A solution for this was essayed in the new oauth-resource-set-reg-00 module, but the group rejected it today. There doesn't seem to be a good solution yet.

@xmlgrrl xmlgrrl added this to the V1.0 Public Review prep milestone Aug 1, 2014
@xmlgrrl
Copy link

xmlgrrl commented Dec 21, 2014

We discussed this pretty heavily in the UMA telecon 2014-12-18 timeframe, but there's little sentiment for handling a literal implicit resource set. It's now possible to register a single (named) resource set and associate string-based OAuth-style scopes with it. It's also possible to use token introspection and off-the-shelf JWTs with the result. So there's probably little need to do anything else for the moment, since the "cost" of naming the resource set is pretty low, and even OAuth users may find it valuable to name (multiple) resource sets eventually, even without using UMA (e.g. scopes for photos vs. photo albums etc.). It's backlogged for now; we can consider whether to close it at our leisure later on.

@xmlgrrl xmlgrrl removed this from the V1.0 Public Review prep milestone Dec 21, 2014
@aleclaws
Copy link

aleclaws commented Oct 2, 2020

The 'resource definition' draft is in the spirit of this ticket, there is also some relation to #288

I interpret this issue as allowing the AS to have well know resource_type/scope pairs such that the permission in a UMA ticket can reference this 'implicit' resource instead of a specific registered resource id. It also enables AS-first flows where the client can request this resource/type scopes, and the RqP, during claims gathering, could select the specific RS that can serve the 'implicit' resource

ps. I don't have the full UMA 1 history, so let me know if this is off the mark

@xmlgrrl
Copy link

xmlgrrl commented Oct 2, 2020

The spirit was that we were looking to reduce the friction between UMA and OAuth. Reducing friction to the point of enabling AS-first flows would go a pretty long way. :-) And working within an extension (which I think resource definition is, vs. a "mere" profile?) already allows some freedom to optimize things in this direction (and in the general direction of removing chattiness and so on).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
rsrc-reg Related to resource registration (or the original UMA1 resource reg spec)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xmlgrrl @findthomas @aleclaws