<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">First off, the UMA functionality is considered “beta” at this stage, so it’s functional but don’t be surprised if things do break from time to time. :)<div class=""><br class=""></div><div class="">With that in mind: The way the system works is that you need to set up a resource set, then set a policy on that set. The policy contains a set of claims that are required to be fulfilled before handing a token to the client. Our system will only take claims in the form of OpenID Connect identity claims. In particular, we’ve streamlined the UI to do an email-based check, using webfinger as a bridge between domains and systems. </div><div class=""><br class=""></div><div class="">After you have the policy set, you get a permissions ticket. This ticket doesn’t have any claims fulfilled on it yet, so when the client goes to get an RPT with it, it will fail. There are no claims inside the AAT or even associated with the AAT. (In a future version of the spec, the AAT is likely to be dropped entirely.) </div><div class=""><br class=""></div><div class="">The RS never provides claims to fulfill a ticket, that’s the job of the client and the RqP. In our implementation, the RqP needs to log in to the claims gathering endpoint with OpenID Connect, which will cause the claims associated with that user’s ID token and user profile to be associated with the ticket. The ticket will then need to be presented by the client to the RPT endpoint again to try to get the RPT. 
This time, if the claims in the ticket satisfy the claims in the resource set, then the token is granted.</div><div class=""><br class=""></div><div class="">Without this step, there’s absolutely no way to tell if the authorization server should issue the RPT.</div><div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div class=""><div><blockquote type="cite" class=""><div class="">On Nov 30, 2015, at 12:10 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div style="" class="">Hi,</div>
<div style="" class=""><br class="">
</div>
<div style="" class="">I have been trying to retrieve a UMA RPT token but it’s failing where AuthorizationRequestEndpoint tries to verify that the resource set required claims are provided in the permission ticket. I did create a sharing policy for the resource. Apparently my Permission Ticket is missing “email_verified”, “sub”, “email”. Questions:</div>
<ol class="">
<li class="">Why is this verification done at all? Isn’t the Resource Server the one that requests Permission Tickets and provides them to the client? Shouldn’t the Resource Set required claims be verified against the claims within the AAT?</li><li class="">What is the correct way to pass claims during the Permission Ticket request? Currently my RS is requesting it by providing a PAT token and filling the body with resource_set_id plus some scopes.</li></ol>
<div class=""><font color="#ff0000" class="">ClaimProcessingResult result = claimsProcessingService.claimsAreSatisfied(rs, ticket);</font></div>
<div style="" class=""><br class="">
</div>
<div style="" class="">I’m quite new to UMA.</div>
<div style="" class=""><br class="">
</div>
<div style="" class="">Regards,</div>
<div style="" class="">Luiz</div>
<div style="" class="">
<div id="MAC_OUTLOOK_SIGNATURE" class=""></div>
</div>
</div>
_______________________________________________<br class="">mitreid-connect mailing list<br class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div></blockquote></div><br class=""></div></div></body></html>
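The sequence Justin's reply describes (resource set, policy, permission ticket, claims gathering at the OIDC login, second RPT request), as an added example that is not part of either message and is not MITREid Connect's own code. It is a constructed in-memory model of the authorization-server side only: the class and function names (`AuthorizationServer`, `claims_missing`, `demo`, `demo_wrong_user`) are hypothetical, PAT/AAT validation and JWT handling are omitted, the policy is modelled as required claim name/value pairs for the email-based check, and the `need_info` error name follows UMA 1.0's error response. It shows why the first RPT request with a fresh ticket must fail, and why the claims on the ticket, not on the AAT, decide whether the RPT is issued.

```python
"""Constructed model of the UMA 1.0 authorization-server flow discussed on the
list: resource set -> policy -> permission ticket -> claims gathering -> RPT.
Illustrative only; not MITREid Connect code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class ResourceSet:
    rs_id: str
    scopes: set
    # Policy set by the resource owner: OIDC identity claims the requesting
    # party must present, e.g. {"email": "bob@example.org"}.
    required_claims: dict = field(default_factory=dict)


@dataclass
class PermissionTicket:
    ticket: str
    rs_id: str
    scopes: set
    # Claims attached at the claims-gathering endpoint; empty when issued.
    gathered_claims: dict = field(default_factory=dict)


def claims_missing(required, gathered):
    """Names of required claims that the gathered claims do not satisfy."""
    return sorted(name for name, value in required.items()
                  if gathered.get(name) != value)


class AuthorizationServer:
    def __init__(self):
        self.resource_sets = {}
        self.tickets = {}
        self.rpts = {}

    # Step 1 (RS, authorised by its PAT): register a resource set.
    def register_resource_set(self, rs_id, scopes):
        self.resource_sets[rs_id] = ResourceSet(rs_id, set(scopes))

    # Step 2 (resource owner): set the policy on the resource set.
    def set_policy(self, rs_id, required_claims):
        self.resource_sets[rs_id].required_claims = dict(required_claims)

    # Step 3 (RS, with its PAT): get a permission ticket for a client attempt.
    # The RS supplies resource_set_id and scopes, never claims.
    def issue_permission_ticket(self, rs_id, scopes):
        rs = self.resource_sets[rs_id]
        if not set(scopes) <= rs.scopes:
            raise ValueError("requested scopes are not registered for this resource set")
        t = secrets.token_urlsafe(16)
        self.tickets[t] = PermissionTicket(t, rs_id, set(scopes))
        return t

    # Step 4 (RqP, at the claims-gathering endpoint): the OIDC login attaches
    # the ID token / profile claims to the ticket.
    def gather_claims(self, ticket, id_token_claims):
        self.tickets[ticket].gathered_claims.update(id_token_claims)

    # Step 5 (client, holding an AAT): present the ticket at the RPT endpoint.
    # Only the claims on the ticket are consulted; the AAT carries none.
    def request_rpt(self, ticket):
        pt = self.tickets.get(ticket)
        if pt is None:
            return {"error": "invalid_ticket"}
        rs = self.resource_sets[pt.rs_id]
        missing = claims_missing(rs.required_claims, pt.gathered_claims)
        if missing:
            return {"error": "need_info", "missing_claims": missing}
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = (pt.rs_id, frozenset(pt.scopes))
        del self.tickets[ticket]  # a ticket is consumed once it yields an RPT
        return {"rpt": rpt}


def demo():
    """Constructed run: first RPT request fails, second succeeds after login."""
    az = AuthorizationServer()
    az.register_resource_set("photos", ["read", "write"])
    az.set_policy("photos", {"email": "bob@example.org", "email_verified": True})
    ticket = az.issue_permission_ticket("photos", ["read"])
    first = az.request_rpt(ticket)  # no claims on the ticket yet -> need_info
    az.gather_claims(ticket, {"sub": "bob-123", "email": "bob@example.org",
                              "email_verified": True})
    second = az.request_rpt(ticket)  # claims satisfy the policy -> RPT
    return first, second


def demo_wrong_user():
    """Constructed run: a different user logging in does not satisfy the policy."""
    az = AuthorizationServer()
    az.register_resource_set("photos", ["read"])
    az.set_policy("photos", {"email": "bob@example.org", "email_verified": True})
    ticket = az.issue_permission_ticket("photos", ["read"])
    az.gather_claims(ticket, {"sub": "mallory-7", "email": "mallory@example.net",
                              "email_verified": True})
    return az.request_rpt(ticket)


if __name__ == "__main__":
    print(demo())
    print(demo_wrong_user())
```

The point of the model is the position of the check: the RS's ticket request carries only `resource_set_id` and scopes, so a ticket starts with no claims, and the only way claims get onto it is the requesting party's OIDC login at the claims-gathering endpoint. Checking the AAT instead would tell the server who the client is, not whether the requesting party satisfies the owner's policy.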