[mitreid-connect] UMA Resource Set creation

Luiz Omori luiz.omori at duke.edu
Tue Nov 24 09:21:58 EST 2015


OK, thanks.

Just curious about the reason behind it: why is userinfo_endpoint not returned within the UMA config? I mean others like authorization_endpoint, token_endpoint, introspection_endpoint are there, so it seems it was left out on purpose.

Regards,
Luiz

From: Justin Richer
Date: Monday, November 23, 2015 at 9:38 PM
To: Luiz Omori
Cc: "mitreid-connect at mit.edu"
Subject: Re: [mitreid-connect] UMA Resource Set creation

It’s in the UMA-specific well-known. You’re looking at the OpenID Connect one. The URL for that (given your issuer root) is http://localhost:8080/uma-server-webapp-1.2.2/.well-known/uma-configuration

Yes, there’s a lot of overlap between these. Yes, there are some inconsistencies in using different keys for the same values. Yes, everything is to spec (and the UMA spec has bugs filed against it for this very reason).

 — Justin

On Nov 23, 2015, at 9:04 PM, Luiz Omori <luiz.omori at duke.edu> wrote:

Hmm, where is “resource_set_registration_endpoint”? See below what I’m getting from the well-known endpoint. What is the usual value for “resource_set_registration_endpoint”, e.g. considering the root as http://localhost:8080/uma-server-webapp-1.2.2?

{
  "request_parameter_supported":true,
  "claims_parameter_supported":false,
  "introspection_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/introspect",
  "scopes_supported":[
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "issuer":"http://localhost:8080/uma-server-webapp-1.2.2/",
  "userinfo_encryption_enc_values_supported":[
    "A256CBC+HS512",
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128CBC+HS256"
  ],
  "id_token_encryption_enc_values_supported":[
    "A256CBC+HS512",
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128CBC+HS256"
  ],
  "authorization_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/authorize",
  "service_documentation":"http://localhost:8080/uma-server-webapp-1.2.2/about",
  "request_object_encryption_enc_values_supported":[
    "A256CBC+HS512",
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128CBC+HS256"
  ],
  "userinfo_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "claims_supported":[
    "sub",
    "name",
    "preferred_username",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "zone_info",
    "locale",
    "updated_at",
    "birthdate",
    "email",
    "email_verified",
    "phone_number",
    "phone_number_verified",
    "address"
  ],
  "claim_types_supported":[
    "normal"
  ],
  "op_policy_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
  "token_endpoint_auth_methods_supported":[
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "token_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/token",
  "response_types_supported":[
    "code",
    "token"
  ],
  "request_uri_parameter_supported":false,
  "userinfo_encryption_alg_values_supported":[
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "grant_types_supported":[
    "authorization_code",
    "implicit",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "client_credentials",
    "urn:ietf:params:oauth:grant_type:redelegate"
  ],
  "revocation_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/revoke",
  "userinfo_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/userinfo",
  "token_endpoint_auth_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "op_tos_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
  "require_request_uri_registration":false,
  "id_token_encryption_alg_values_supported":[
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "jwks_uri":"http://localhost:8080/uma-server-webapp-1.2.2/jwk",
  "subject_types_supported":[
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512",
    "none"
  ],
  "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register",
  "request_object_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "request_object_encryption_alg_values_supported":[
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ]
}

Regards,
Luiz

From: <mitreid-connect-bounces at mit.edu> on behalf of Justin Richer
Date: Monday, November 23, 2015 at 6:23 PM
To: "mitreid-connect at mit.edu"
Subject: Re: [mitreid-connect] UMA Resource Set creation

This is a broken part of the UMA spec. You need to add "/resource_set" to the end of the value in "resource_set_registration_endpoint" in the discovery document. "registration_endpoint" is for dynamic client registration.

There is not currently any UI to interact with the resource set registration because this is intended to be an action taken by *resource servers* and not by users directly. The self-service developer protected resource registration is not for UMA-style protected resources but rather for OAuth protected resources that are set up to use token introspection.

Hope that helps,
 -- Justin

On 11/23/2015 4:20 PM, Luiz Omori wrote:
Hi,

We are looking into the UMA implementation and have some basic questions. Is there a way to register resource sets (as in https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg.html) through the UI? If not, what is the endpoint for that? We tried the registration endpoint from the well-known response but it didn’t work (http://localhost:8080/uma-server-webapp-1.2.2/.well-known/openid-configuration -> "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register")

Regards,
Luiz
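The two points Justin makes above (the resource set API lives at "/resource_set" below the value advertised as resource_set_registration_endpoint, and that value is only in the UMA-specific uma-configuration document, not in openid-configuration) are easy to get wrong in a resource server. The script below is an added example and not MITREid Connect code or anything from the thread: it derives the UMA discovery URL from the issuer root, refuses to take the registration endpoint from the OpenID Connect document (the failure Luiz hit), checks the issuer before trusting the document, and builds the registration request a resource server would send with its PAT. Both discovery documents are constructed samples; the value assumed for resource_set_registration_endpoint (the issuer root) and the names of the helper functions are assumptions, not confirmed by the page.

```python
"""Derive the UMA resource set registration URL from discovery and build the
registration request. Added example, not MITREid Connect code. The discovery
documents below are constructed samples modelled on the thread."""
import json
from urllib.parse import urlparse

ISSUER = "http://localhost:8080/uma-server-webapp-1.2.2/"

# Constructed sample: the OpenID Connect discovery document. As in the thread,
# it carries registration_endpoint (dynamic client registration) but no
# resource_set_registration_endpoint.
OIDC_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "registration_endpoint": ISSUER + "register",
    "introspection_endpoint": ISSUER + "introspect",
})

# Constructed sample: the UMA discovery document served at
# <issuer>/.well-known/uma-configuration. The value of
# resource_set_registration_endpoint (the issuer root) is an assumption.
UMA_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "resource_set_registration_endpoint": ISSUER,
    "registration_endpoint": ISSUER + "register",
})


def uma_discovery_url(issuer: str) -> str:
    """UMA-specific well-known location, derived from the issuer root."""
    return issuer.rstrip("/") + "/.well-known/uma-configuration"


def resource_set_url(discovery_json: str, expected_issuer: str) -> str:
    """Return the URL a resource server POSTs resource set descriptions to.

    Raises ValueError on an issuer mismatch (a substituted or mis-served
    document must not redirect the PAT elsewhere) and KeyError when handed
    the OpenID Connect document instead of the UMA one.
    """
    doc = json.loads(discovery_json)
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError("issuer in discovery document does not match")
    base = doc.get("resource_set_registration_endpoint")
    if not base:
        raise KeyError("resource_set_registration_endpoint missing: this is the "
                       "openid-configuration document, fetch uma-configuration")
    # Per the thread, the API is reached by appending "/resource_set".
    return base.rstrip("/") + "/resource_set"


def build_registration_request(endpoint: str, pat: str, name: str, scopes,
                               uri=None, rtype=None):
    """Build (method, url, headers, body) for one resource set registration.

    Body fields follow draft-oauth-resource-reg (name, scopes, optional uri and
    type). The PAT is the resource owner's protection API token, sent as a
    Bearer token, so it must not travel over plain http outside a local dev box.
    """
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing to send a PAT over a non-https endpoint")
    body = {"name": name, "scopes": list(scopes)}
    if uri:
        body["uri"] = uri
    if rtype:
        body["type"] = rtype
    headers = {"Authorization": "Bearer " + pat,
               "Content-Type": "application/json"}
    return "POST", endpoint, headers, json.dumps(body)


if __name__ == "__main__":
    print("fetch:", uma_discovery_url(ISSUER))
    url = resource_set_url(UMA_DISCOVERY, ISSUER)
    method, url, headers, body = build_registration_request(
        url, "constructed-pat-value", "Patient records",
        ["read", "write"], uri="http://localhost:8080/records", rtype="record")
    print(method, url)
    print(headers)
    print(body)
```

The transport check is deliberately strict: the thread runs everything on http://localhost, which is fine for a dev server, but the PAT authorises every later resource set operation for that owner, and a real deployment should only ever present it over TLS.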



_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect

