[mitreid-connect] UMA Resource Set creation

Justin Richer jricher at mit.edu
Mon Nov 23 21:38:17 EST 2015


It’s in the UMA-specific well-known. You’re looking at the OpenID Connect one. The URL for that (given your issuer root) is http://localhost:8080/uma-server-webapp-1.2.2/.well-known/uma-configuration

Yes, there’s a lot of overlap between these. Yes, there are some inconsistencies in using different keys for the same values. Yes, everything is to spec (and the UMA spec has bugs filed against it for this very reason).

 — Justin

> On Nov 23, 2015, at 9:04 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> Humm, where is “resource_set_registration_endpoint”? See below what I’m getting from the well-known endpoint. What is the usual value for “resource_set_registration_endpoint” e.g. considering the root as http://localhost:8080/uma-server-webapp-1.2.2?
> 
> {
>   "request_parameter_supported":true,
>   "claims_parameter_supported":false,
>   "introspection_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/introspect",
>   "scopes_supported":[
>     "openid",
>     "profile",
>     "email",
>     "address",
>     "phone",
>     "offline_access"
>   ],
>   "issuer":"http://localhost:8080/uma-server-webapp-1.2.2/",
>   "userinfo_encryption_enc_values_supported":[
>     "A256CBC+HS512",
>     "A256GCM",
>     "A192GCM",
>     "A128GCM",
>     "A128CBC-HS256",
>     "A192CBC-HS384",
>     "A256CBC-HS512",
>     "A128CBC+HS256"
>   ],
>   "id_token_encryption_enc_values_supported":[
>     "A256CBC+HS512",
>     "A256GCM",
>     "A192GCM",
>     "A128GCM",
>     "A128CBC-HS256",
>     "A192CBC-HS384",
>     "A256CBC-HS512",
>     "A128CBC+HS256"
>   ],
>   "authorization_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/authorize",
>   "service_documentation":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>   "request_object_encryption_enc_values_supported":[
>     "A256CBC+HS512",
>     "A256GCM",
>     "A192GCM",
>     "A128GCM",
>     "A128CBC-HS256",
>     "A192CBC-HS384",
>     "A256CBC-HS512",
>     "A128CBC+HS256"
>   ],
>   "userinfo_signing_alg_values_supported":[
>     "HS256",
>     "HS384",
>     "HS512",
>     "RS256",
>     "RS384",
>     "RS512",
>     "ES256",
>     "ES384",
>     "ES512",
>     "PS256",
>     "PS384",
>     "PS512"
>   ],
>   "claims_supported":[
>     "sub",
>     "name",
>     "preferred_username",
>     "given_name",
>     "family_name",
>     "middle_name",
>     "nickname",
>     "profile",
>     "picture",
>     "website",
>     "gender",
>     "zone_info",
>     "locale",
>     "updated_at",
>     "birthdate",
>     "email",
>     "email_verified",
>     "phone_number",
>     "phone_number_verified",
>     "address"
>   ],
>   "claim_types_supported":[
>     "normal"
>   ],
>   "op_policy_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>   "token_endpoint_auth_methods_supported":[
>     "client_secret_post",
>     "client_secret_basic",
>     "client_secret_jwt",
>     "private_key_jwt",
>     "none"
>   ],
>   "token_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/token",
>   "response_types_supported":[
>     "code",
>     "token"
>   ],
>   "request_uri_parameter_supported":false,
>   "userinfo_encryption_alg_values_supported":[
>     "RSA-OAEP",
>     "RSA-OAEP-256",
>     "RSA1_5"
>   ],
>   "grant_types_supported":[
>     "authorization_code",
>     "implicit",
>     "urn:ietf:params:oauth:grant-type:jwt-bearer",
>     "client_credentials",
>     "urn:ietf:params:oauth:grant_type:redelegate"
>   ],
>   "revocation_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/revoke",
>   "userinfo_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/userinfo",
>   "token_endpoint_auth_signing_alg_values_supported":[
>     "HS256",
>     "HS384",
>     "HS512",
>     "RS256",
>     "RS384",
>     "RS512",
>     "ES256",
>     "ES384",
>     "ES512",
>     "PS256",
>     "PS384",
>     "PS512"
>   ],
>   "op_tos_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>   "require_request_uri_registration":false,
>   "id_token_encryption_alg_values_supported":[
>     "RSA-OAEP",
>     "RSA-OAEP-256",
>     "RSA1_5"
>   ],
>   "jwks_uri":"http://localhost:8080/uma-server-webapp-1.2.2/jwk",
>   "subject_types_supported":[
>     "public",
>     "pairwise"
>   ],
>   "id_token_signing_alg_values_supported":[
>     "HS256",
>     "HS384",
>     "HS512",
>     "RS256",
>     "RS384",
>     "RS512",
>     "ES256",
>     "ES384",
>     "ES512",
>     "PS256",
>     "PS384",
>     "PS512",
>     "none"
>   ],
>   "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register",
>   "request_object_signing_alg_values_supported":[
>     "HS256",
>     "HS384",
>     "HS512",
>     "RS256",
>     "RS384",
>     "RS512",
>     "ES256",
>     "ES384",
>     "ES512",
>     "PS256",
>     "PS384",
>     "PS512"
>   ],
>   "request_object_encryption_alg_values_supported":[
>     "RSA-OAEP",
>     "RSA-OAEP-256",
>     "RSA1_5"
>   ]
> }
> 
> Regards,
> Luiz
> 
> From: <mitreid-connect-bounces at mit.edu> on behalf of Justin Richer
> Date: Monday, November 23, 2015 at 6:23 PM
> To: "mitreid-connect at mit.edu"
> Subject: Re: [mitreid-connect] UMA Resource Set creation
> 
> This is a broken part of the UMA spec. You need to add "/resource_set" to the end of the value in "resource_set_registration_endpoint" in the discovery document. "registration_endpoint" is for dynamic client registration. 
> 
> There is not currently any UI to interact with the resource set registration because this is intended to be an action taken by *resource servers* and not by users directly. The self-service developer protected resource registration is not for UMA-style protected resources but rather for OAuth protected resources that are set up to use token introspection.
> 
> Hope that helps,
>  -- Justin
> 
> On 11/23/2015 4:20 PM, Luiz Omori wrote:
>> Hi,
>> 
>> We are looking into the UMA implementation and have some basic questions. Is there a way to register resource sets (as in https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg.html) through the UI? If not, what is the endpoint for that? We tried the registration endpoint from the well-known response but it didn’t work (http://localhost:8080/uma-server-webapp-1.2.2/.well-known/openid-configuration -> "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register")
>> 
>> Regards,
>> Luiz
>> 
>> 
>> _______________________________________________
>> mitreid-connect mailing list
>> mitreid-connect at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect

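The exchange Justin describes above, as an added example that is not part of the thread and not MITREid Connect project code: read the UMA discovery document (not the OpenID Connect one), append "/resource_set" to the value of "resource_set_registration_endpoint", and POST a resource set description with the resource server's PAT as a bearer token. The server side is a constructed in-process mock of the endpoint; the "/rsreg" path, the PAT value, the "_id" it returns and the sample resource set are assumptions, not values from the thread or the server.

```python
# Added example, not MITREid Connect code. Client side: derive the resource set
# registration URL from the UMA discovery document and POST to it with a PAT.
# Server side: a constructed mock that behaves like the endpoint described in
# the reply (accepts only the ".../resource_set" path, requires the PAT).
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed excerpt of the OIDC well-known document from the thread: it only
# carries "registration_endpoint", which is dynamic *client* registration.
OIDC_DISCOVERY = {
    "issuer": "http://localhost:8080/uma-server-webapp-1.2.2/",
    "registration_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/register",
}


def registration_url(discovery):
    """URL to POST resource sets to; raises if this is not a UMA discovery doc."""
    try:
        base = discovery["resource_set_registration_endpoint"]
    except KeyError:
        raise KeyError("no resource_set_registration_endpoint: fetch "
                       "/.well-known/uma-configuration, not openid-configuration") from None
    # As the reply says, the "/resource_set" segment has to be appended by hand.
    return base.rstrip("/") + "/resource_set"


def build_registration(discovery, pat, resource_set, allow_plain_http=False):
    """Build the POST. The PAT is a bearer token, so refuse plain http unless
    the caller opts in explicitly (local testing only)."""
    url = registration_url(discovery)
    if urlparse(url).scheme != "https" and not allow_plain_http:
        raise ValueError("refusing to send the PAT over a non-https URL: " + url)
    return Request(url, data=json.dumps(resource_set).encode("utf-8"), method="POST",
                   headers={"Authorization": "Bearer " + pat,
                            "Content-Type": "application/json"})


def register_resource_set(discovery, pat, resource_set, allow_plain_http=False):
    """POST the resource set; return (HTTP status, parsed JSON body)."""
    req = build_registration(discovery, pat, resource_set, allow_plain_http)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


MOCK_PAT = "pat-for-demo-only"  # constructed; a real PAT comes from the token endpoint
_registered = {}


class _MockRSR(BaseHTTPRequestHandler):
    """Constructed stand-in for the server's resource set registration endpoint."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body, extra=None):
        data = json.dumps(body).encode("utf-8")
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != "/rsreg/resource_set":  # the bare discovery value is not enough
            return self._reply(404, {"error": "not_found"})
        if self.headers.get("Authorization") != "Bearer " + MOCK_PAT:
            return self._reply(401, {"error": "invalid_token"},
                               {"WWW-Authenticate": 'Bearer realm="uma"'})
        try:
            rs = json.loads(raw)
        except ValueError:
            return self._reply(400, {"error": "invalid_request"})
        if not isinstance(rs.get("name"), str) or not isinstance(rs.get("scopes"), list):
            return self._reply(400, {"error": "invalid_request"})
        rsid = str(len(_registered) + 1)
        _registered[rsid] = rs
        return self._reply(201, {"_id": rsid}, {"Location": self.path + "/" + rsid})


def demo():
    """Run the exchange against the mock: first with a bad PAT, then a good one.
    Returns ((status, body) for the bad call, (status, body) for the good one)."""
    _registered.clear()
    server = HTTPServer(("127.0.0.1", 0), _MockRSR)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host = "http://127.0.0.1:%d" % server.server_address[1]
        uma_discovery = {  # constructed excerpt of a UMA well-known document
            "issuer": host + "/",
            "resource_set_registration_endpoint": host + "/rsreg",
        }
        resource_set = {  # field names from the resource-reg draft linked in the thread
            "name": "Photo Album",
            "scopes": ["http://photoz.example.com/dev/scopes/view"],
            "type": "http://www.example.com/rsets/photoalbum",
        }
        bad = register_resource_set(uma_discovery, "stale-token", resource_set, allow_plain_http=True)
        good = register_resource_set(uma_discovery, MOCK_PAT, resource_set, allow_plain_http=True)
        return bad, good
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real server, replace the constructed discovery dict with the parsed body of /.well-known/uma-configuration and drop allow_plain_http; the http-scheme check exists because the PAT in the Authorization header is a bearer credential for the resource server and the localhost URLs in the thread are only a development setup.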