[mitreid-connect] UMA Resource Set creation
Justin Richer
jricher at mit.edu
Tue Nov 24 10:29:59 EST 2015
The UMA protocol doesn’t define identity systems at all and doesn’t need that endpoint. There’s no generic OAuth discovery document (yet) so both of these protocols copy over everything that needs to be known about the OAuth portion of the server, hence the commonalities.
— Justin
> On Nov 24, 2015, at 9:21 AM, Luiz Omori <luiz.omori at duke.edu> wrote:
>
> OK, thanks.
>
> Just curious for the reason behind it: why userinfo_endpoint is not returned within the UMA config? I mean others like authorization_endpoint, token_endpoint, introspection_endpoint are there so it seems it was left out on purpose.
>
> Regards,
> Luiz
>
> From: Justin Richer
> Date: Monday, November 23, 2015 at 9:38 PM
> To: Luiz Omori
> Cc: "mitreid-connect at mit.edu"
> Subject: Re: [mitreid-connect] UMA Resource Set creation
>
> It’s in the UMA-specific well-known. You’re looking at the OpenID Connect one. The URL for that (given your issuer root) is http://localhost:8080/uma-server-webapp-1.2.2/.well-known/uma-configuration
>
> Yes, there’s a lot of overlap between these. Yes, there are some inconsistencies in using different keys for the same values. Yes, everything is to spec (and the UMA spec has bugs filed against it for this very reason).
>
> — Justin
>
>> On Nov 23, 2015, at 9:04 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>>
>> Humm, where is “resource_set_registration_endpoint”? See below what I’m getting from the well-known endpoint. What is the usual value for “resource_set_registration_endpoint” e.g. considering the root as http://localhost:8080/uma-server-webapp-1.2.2?
>>
>> {
>> "request_parameter_supported":true,
>> "claims_parameter_supported":false,
>> "introspection_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/introspect",
>> "scopes_supported":[
>> "openid",
>> "profile",
>> "email",
>> "address",
>> "phone",
>> "offline_access"
>> ],
>> "issuer":"http://localhost:8080/uma-server-webapp-1.2.2/",
>> "userinfo_encryption_enc_values_supported":[
>> "A256CBC+HS512",
>> "A256GCM",
>> "A192GCM",
>> "A128GCM",
>> "A128CBC-HS256",
>> "A192CBC-HS384",
>> "A256CBC-HS512",
>> "A128CBC+HS256"
>> ],
>> "id_token_encryption_enc_values_supported":[
>> "A256CBC+HS512",
>> "A256GCM",
>> "A192GCM",
>> "A128GCM",
>> "A128CBC-HS256",
>> "A192CBC-HS384",
>> "A256CBC-HS512",
>> "A128CBC+HS256"
>> ],
>> "authorization_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/authorize",
>> "service_documentation":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>> "request_object_encryption_enc_values_supported":[
>> "A256CBC+HS512",
>> "A256GCM",
>> "A192GCM",
>> "A128GCM",
>> "A128CBC-HS256",
>> "A192CBC-HS384",
>> "A256CBC-HS512",
>> "A128CBC+HS256"
>> ],
>> "userinfo_signing_alg_values_supported":[
>> "HS256",
>> "HS384",
>> "HS512",
>> "RS256",
>> "RS384",
>> "RS512",
>> "ES256",
>> "ES384",
>> "ES512",
>> "PS256",
>> "PS384",
>> "PS512"
>> ],
>> "claims_supported":[
>> "sub",
>> "name",
>> "preferred_username",
>> "given_name",
>> "family_name",
>> "middle_name",
>> "nickname",
>> "profile",
>> "picture",
>> "website",
>> "gender",
>> "zone_info",
>> "locale",
>> "updated_at",
>> "birthdate",
>> "email",
>> "email_verified",
>> "phone_number",
>> "phone_number_verified",
>> "address"
>> ],
>> "claim_types_supported":[
>> "normal"
>> ],
>> "op_policy_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>> "token_endpoint_auth_methods_supported":[
>> "client_secret_post",
>> "client_secret_basic",
>> "client_secret_jwt",
>> "private_key_jwt",
>> "none"
>> ],
>> "token_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/token",
>> "response_types_supported":[
>> "code",
>> "token"
>> ],
>> "request_uri_parameter_supported":false,
>> "userinfo_encryption_alg_values_supported":[
>> "RSA-OAEP",
>> "RSA-OAEP-256",
>> "RSA1_5"
>> ],
>> "grant_types_supported":[
>> "authorization_code",
>> "implicit",
>> "urn:ietf:params:oauth:grant-type:jwt-bearer",
>> "client_credentials",
>> "urn:ietf:params:oauth:grant_type:redelegate"
>> ],
>> "revocation_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/revoke",
>> "userinfo_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/userinfo",
>> "token_endpoint_auth_signing_alg_values_supported":[
>> "HS256",
>> "HS384",
>> "HS512",
>> "RS256",
>> "RS384",
>> "RS512",
>> "ES256",
>> "ES384",
>> "ES512",
>> "PS256",
>> "PS384",
>> "PS512"
>> ],
>> "op_tos_uri":"http://localhost:8080/uma-server-webapp-1.2.2/about",
>> "require_request_uri_registration":false,
>> "id_token_encryption_alg_values_supported":[
>> "RSA-OAEP",
>> "RSA-OAEP-256",
>> "RSA1_5"
>> ],
>> "jwks_uri":"http://localhost:8080/uma-server-webapp-1.2.2/jwk",
>> "subject_types_supported":[
>> "public",
>> "pairwise"
>> ],
>> "id_token_signing_alg_values_supported":[
>> "HS256",
>> "HS384",
>> "HS512",
>> "RS256",
>> "RS384",
>> "RS512",
>> "ES256",
>> "ES384",
>> "ES512",
>> "PS256",
>> "PS384",
>> "PS512",
>> "none"
>> ],
>> "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register",
>> "request_object_signing_alg_values_supported":[
>> "HS256",
>> "HS384",
>> "HS512",
>> "RS256",
>> "RS384",
>> "RS512",
>> "ES256",
>> "ES384",
>> "ES512",
>> "PS256",
>> "PS384",
>> "PS512"
>> ],
>> "request_object_encryption_alg_values_supported":[
>> "RSA-OAEP",
>> "RSA-OAEP-256",
>> "RSA1_5"
>> ]
>> }
>>
>> Regards,
>> Luiz
>>
>> From: <mitreid-connect-bounces at mit.edu> on behalf of Justin Richer
>> Date: Monday, November 23, 2015 at 6:23 PM
>> To: "mitreid-connect at mit.edu"
>> Subject: Re: [mitreid-connect] UMA Resource Set creation
>>
>> This is a broken part of the UMA spec. You need to add "/resource_set" to the end of the value in "resource_set_registration_endpoint" in the discovery document. "registration_endpoint" is for dynamic client registration.
>>
>> There is not currently any UI to interact with the resource set registration because this is intended to be an action taken by *resource servers* and not by users directly. The self-service developer protected resource registration is not for UMA-style protected resources but rather for OAuth protected resources that are set up to use token introspection.
>>
>> Hope that helps,
>> -- Justin
>>
>> On 11/23/2015 4:20 PM, Luiz Omori wrote:
>>> Hi,
>>>
>>> We are looking into the UMA implementation and have some basic questions. Is there a way to register resource sets (as in https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg.html) through the UI? If not, what is the endpoint for that? We tried the registration endpoint from the well-known response but it didn’t work (http://localhost:8080/uma-server-webapp-1.2.2/.well-known/openid-configuration -> "registration_endpoint":"http://localhost:8080/uma-server-webapp-1.2.2/register")
>>>
>>> Regards,
>>> Luiz
>>>
>>>
>
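Worked example for the two points made in this thread: UMA discovery is a separate document at <issuer>/.well-known/uma-configuration, and the "resource_set_registration_endpoint" value it publishes needs "/resource_set" appended before a resource server can POST a resource set description to it (the "registration_endpoint" key is dynamic client registration and is the wrong place). This is an added example, not code from the MITREid Connect project. The discovery JSON in it is constructed to mirror the thread and carries only the keys the script needs; the value assumed for "resource_set_registration_endpoint" is the issuer root, and "PAT-PLACEHOLDER" stands in for a real protection API token.

```python
"""Locate the UMA resource set registration endpoint from a UMA discovery
document and build the registration request a resource server would send.

Added example, not code from the MITREid Connect project.  The discovery
JSON below is constructed to mirror the thread; the value assumed for
"resource_set_registration_endpoint" is the issuer root (the real server's
value is whatever its discovery document says), and "PAT-PLACEHOLDER"
stands in for a real protection API token.
"""
import json
from urllib.parse import urlsplit

# Constructed sample discovery document, shaped like what the server in the
# thread publishes at <issuer>/.well-known/uma-configuration.
SAMPLE_UMA_CONFIG = json.dumps({
    "issuer": "http://localhost:8080/uma-server-webapp-1.2.2/",
    "authorization_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/authorize",
    "token_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/token",
    "introspection_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/introspect",
    # Dynamic *client* registration; not where resource sets are registered.
    "registration_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/register",
    # Assumed value: the thread says "/resource_set" must be appended to it.
    "resource_set_registration_endpoint": "http://localhost:8080/uma-server-webapp-1.2.2/",
})


def uma_configuration_url(issuer: str) -> str:
    """UMA discovery lives at <issuer>/.well-known/uma-configuration, a
    different document from <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/uma-configuration"


def _origin(url: str) -> tuple:
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc)


def load_uma_configuration(raw: str) -> dict:
    """Parse the discovery JSON and refuse any *_endpoint that points off the
    issuer's origin.  The PAT is a bearer token, so this is the check that
    keeps it from being sent to some other host named in a tampered or
    misconfigured discovery document."""
    config = json.loads(raw)
    issuer = config["issuer"]
    for key, value in config.items():
        if key.endswith("_endpoint") and _origin(value) != _origin(issuer):
            raise ValueError(f"{key} ({value}) is not on the issuer's origin {issuer}")
    return config


def resource_set_url(config: dict) -> str:
    """Per the thread, the published value is a base and "/resource_set" is
    appended to it.  A trailing slash is stripped first so a value ending in
    "/" does not become "...//resource_set"."""
    base = config.get("resource_set_registration_endpoint")
    if base is None:
        raise ValueError(
            "no resource_set_registration_endpoint in UMA discovery; "
            "registration_endpoint is dynamic client registration, not this"
        )
    return base.rstrip("/") + "/resource_set"


def build_registration_request(config: dict, pat: str, resource: dict) -> dict:
    """Describe the POST a resource server sends to register a resource set.
    Returned as a plain dict so it can be handed to any HTTP client, or
    inspected, without touching the network."""
    if not resource.get("name") or not resource.get("scopes"):
        raise ValueError("a resource set description needs at least name and scopes")
    return {
        "method": "POST",
        "url": resource_set_url(config),
        "headers": {
            "Authorization": f"Bearer {pat}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(resource).encode("utf-8"),
    }


if __name__ == "__main__":
    cfg = load_uma_configuration(SAMPLE_UMA_CONFIG)
    print("discovery document:", uma_configuration_url(cfg["issuer"]))
    req = build_registration_request(
        cfg,
        "PAT-PLACEHOLDER",
        {"name": "Photo album", "scopes": ["view", "edit"],
         "type": "http://example.com/rsets/photoalbum"},  # constructed
    )
    print(req["method"], req["url"])
    print(req["body"].decode("utf-8"))
```

The origin check in load_uma_configuration is the part worth keeping even once the endpoint quirk is fixed upstream: a resource server that follows whatever URL discovery hands it will otherwise present its PAT to any host a corrupted discovery response names.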