I think this knowledge by clients of the ecosystem is something that a
transactional authorization could avoid. Both UMA and ACE have solutions
that make clients really dumb about what they need to send to the AS in
regards to scopes. IMO, the RS should have the possibility to tell clients
the scope they need, making it a lot easier to change RS's access constraints
as well as pushing contextual information that could eventually enrich the
authorization process.

On Mon, Apr 22, 2019 at 4:04 PM George Fletcher <gffle...@aol.com> wrote:

> Speaking just to the UMA side of things...
>
> ...it's possible in UMA 2 for the client to request additional scopes when
> interacting with the token endpoint specifically to address cases where the
> client knows it's going to make the following requests and wants to obtain
> a token with sufficient privilege for those requests. This requires a fair
> amount of knowledge by the client of the ecosystem but that is sometimes
> the case and hence this capability exists :)
>
> On 4/22/19 1:18 PM, Torsten Lodderstedt wrote:
>
> The problem from my perspective (and my understanding of UMA) is the RS does 
> not have any information about the context of the request. For example, the 
> client might be calling a certain resource (list of accounts) and immediately 
> afterwards wants to obtain the balances and initiate a payment. I think the 
> UMA case the RS either predicts this based on policy or past behaviour of the 
> client OR the client will need to issue several token requests. That might 
> not be a problem in 1st party scenarios but it is in 3rd party scenarios if 
> the AS gathers consent.
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
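An added illustration of the trade-off discussed in this thread, not code from any of the participants or from the UMA or ACE specifications: the RS answers an under-scoped request with an RFC 6750 `insufficient_scope` challenge that names the scope it requires, so the client needs no prior knowledge of the RS's scope model; the client then builds its authorization request from that challenge, optionally adding the scopes it anticipates needing for later calls (the "ask for more up front" behaviour George describes). `simulate` walks the accounts / balances / payment sequence from Torsten's example and counts how many authorization round trips (each one a point where the AS would gather consent) the client incurs with and without anticipation. The endpoints, scope names, `client_id` and `redirect_uri` are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: the scopes each hypothetical RS endpoint requires.
REQUIRED_SCOPES = {
    "/accounts": {"accounts:read"},
    "/accounts/balances": {"accounts:read", "balances:read"},
    "/payments": {"payments:initiate"},
}


def rs_respond(path, granted_scopes):
    """RS side: 200 when the token's scopes cover the resource; otherwise an
    RFC 6750 challenge whose scope attribute names exactly what is required."""
    required = REQUIRED_SCOPES[path]
    if required <= set(granted_scopes):
        return 200, {}
    challenge = ('Bearer realm="example", error="insufficient_scope", '
                 'scope="%s"' % " ".join(sorted(required)))
    # 401 when no token was presented, 403 when a token was sent but lacks scope.
    status = 403 if granted_scopes else 401
    return status, {"WWW-Authenticate": challenge}


_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split 'Bearer k="v", k2="v2"' into its auth scheme and attribute dict."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(_ATTR_RE.findall(rest))


def authorization_request(challenge, anticipated=()):
    """Client side: derive the scope list for an authorization request from the
    RS challenge, plus any scopes the client already holds or expects to need
    later. client_id and redirect_uri are hypothetical values."""
    scheme, attrs = parse_challenge(challenge)
    if scheme != "Bearer" or attrs.get("error") != "insufficient_scope":
        raise ValueError("not an insufficient_scope challenge: %r" % challenge)
    scopes = set(attrs["scope"].split()) | set(anticipated)
    return urlencode({
        "response_type": "code",
        "client_id": "example-client",
        "redirect_uri": "https://client.example/cb",
        "scope": " ".join(sorted(scopes)),
    })


def simulate(calls, anticipate=False):
    """Walk a sequence of RS calls starting with no token. Every challenge costs
    one authorization round trip at the AS. Returns (round_trips, final_scopes)."""
    granted = set()
    round_trips = 0
    for path in calls:
        status, headers = rs_respond(path, granted)
        if status == 200:
            continue
        # With anticipation the client asks up front for everything the whole
        # sequence will need; otherwise it only keeps what it already holds.
        extra = set(granted)
        if anticipate:
            extra |= set().union(*(REQUIRED_SCOPES[p] for p in calls))
        query = authorization_request(headers["WWW-Authenticate"], extra)
        # Stand-in for the AS: after consent it issues a token with exactly the
        # requested scopes.
        granted = set(parse_qs(query)["scope"][0].split())
        round_trips += 1
        status, _ = rs_respond(path, granted)
        if status != 200:
            raise RuntimeError("retry after re-authorization still rejected")
    return round_trips, granted


if __name__ == "__main__":
    sequence = ["/accounts", "/accounts/balances", "/payments"]
    print("challenge-driven only:", simulate(sequence))
    print("with anticipation:    ", simulate(sequence, anticipate=True))
```

Run as a script it shows three consent round trips when the client relies purely on the RS challenges and one when it anticipates the full sequence; the first keeps the client ignorant of the ecosystem but multiplies consent prompts in a third-party setting, the second collapses the prompts but needs exactly the client-side knowledge the thread is debating.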
