yuriyz commented 8 years ago

UMA 2 spec :

https://docs.kantarainitiative.org/uma/ed/oauth-uma-grant-2.0-04.html
https://docs.kantarainitiative.org/uma/ed/oauth-uma-federated-authz-2.0-04.html (There can be updated version of specs, just navigate to this folder and look up manually.

Changes are required for UMA RP commands. All UMA RS Commands are left as is. No changes for uma_rs_check_access and uma_rs_protect commands.

Changes:

UMA RP - Get RPT

If claim_token parameter is provided then claim_token_format must be provided too. For now we support only claims_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken

Request

{
    "command":"uma_rp_get_rpt",
    "params": {
         "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF",  <- REQUIRED
         "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de",     <- REQUIRED
         "claim_token": "eyj0f9b9...",                      <- OPTIONAL
         "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
         "pct": "c2F2ZWRjb25zZW50",                  <- OPTIONAL                                                      
         "rpt": "SSJHBSUSSJHVhjsgvhsgvshgsv",       <- OPTIONAL
         "scope":["read"],                           <- OPTIONAL,
         "state": "af0ifjsldkj",   <- OPTIONAL state that is returned from uma_rp_get_claims_gathering_url command
         "protection_access_token": "ejt3425"     <- OPTIONAL, required if oxd-http is used          
    }
}

Success Response

{
     "status":"ok",
     "data":{
         "access_token":"SSJHBSUSSJHVhjsgvhsgvshgsv",
         "token_type":"Bearer",
         "pct":"c2F2ZWRjb25zZW50",
         "upgraded":true
     }
}

Needs Info Error Response

{
     "status":"error",
     "data":{
         "error":"need_info",
         "error_description":"The authorization server needs additional information in order to determine whether the client is authorized to have these permissions.",
         "details": {  
             "error":"need_info",
             "ticket":"ZXJyb3JfZGV0YWlscw==",
             "required_claims":[  
                 {  
                     "claim_token_format":[  
                         "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
                     ],
                     "claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
                     "friendly_name":"email",
                     "issuer":["https://example.com/idp"],
                     "name":"email23423453ou453"
                }
             ],
             "redirect_user":"https://as.example.com/rqp_claims?id=2346576421"
         }
     }
}

Invalid ticket error

{
    "status":"error",
    "data":{
        "error":"invalid_ticket",
        "error_description":"Ticket is not valid (outdated or not present on Authorization Server)."
    }
}

Internal oxd server error

{
    "status":"error",
    "data":{
        "error":"internal_error",
        "error_description":"oxd server failed to handle command. Please check logs for details."
    }
}

UMA RP - Get Claims-Gathering URL

ticket parameter for this command MUST be newest, in 90% cases it is from need_info error.

Request

{
    "command":"uma_rp_get_claims_gathering_url",
    "params": {
        "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF",  <- REQUIRED
        "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de",      <- REQUIRED
        "claims_redirect_uri":"https://client.example.com/cb",        <- REQUIRED
        "protection_access_token": "ejt3425"     <- OPTIONAL, required if oxd-http is used
    }
}

Success Response

{
    "status":"ok",
    "data":{
        "url":"https://as.com/restv1/uma/gather_claims
              ?client_id=@!1736.179E.AA60.16B2!0001!8F7C.B9AB!0008!AB77!1A2B
              &ticket=4678a107-e124-416c-af79-7807f3c31457
              &claims_redirect_uri=https://client.example.com/cb
              &state=af0ifjsldkj",
        "state":"af0ifjsldkj" 
    }
}

After redirect to claims-gathering url user pass Claims-Gathering Flow and if it is success user is redirected back to claims_redirect_uri with new ticket which should be provided with next uma_rp_get_rpt call.

Example of response

https://client.example.com/cb?ticket=e8e7bc0b-75de-4939-a9b1-2425dab3d5ec

UMA Authorize RPT - REMOVED

uma_rp_authorize_rpt - Removed.

UMA Get GAT - REMOVED

uma_rp_get_gat - Removed

register_site and setup_client commands update

register_site and setup_client commands have

new parameter claims_redirect_uri.
new parameter oxd_rp_programming_language. The value should be programming language that is used by oxd client, for example java, php, ruby and so on.

Stepped-up authentication

In order to support stepped-up authentication, the AS Claims-Gathering Endpoint must also be specified as valid redirect_uri. If user is authenticated at AS it will automatically recognize it. In case user is not authenticated and Claims-Gathering scripts redirect for authentication oxd can register Claims-Gathering Endpoint as client redirect_uri, so UMA 2 engine will get control back after successful authentication. This can be enabled/disabled in oxd-conf.json configuration file with uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client.

    ...
    "uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client" : true
    ...

Renamed client_logout_uris -> client_frontchannel_logout_uris

jschristie commented 7 years ago

@yuriyz, should all of these content to be written under https://gluu.org/docs/oxd/3.0.1/libraries/java/

and under https://gluu.org/docs/oxd/3.0.1/libraries/java/#uma-get-rpt and #register?

Should I add more content from UMA2 specs?

willow9886 commented 7 years ago

@jschristie UMA2 will be included in oxd 3.1 and on, not 3.0.1.

yuriyz commented 7 years ago

@jschristie those are changes to oxd protocol. It means that it has to be reflected in Protocol page and then of course it has to be reflected in all libs (java, c#, php and others).

For java lib all parameters are ready and described here, so you can prepare docs (it's actually the same with only method/fields renames with respect to changes in protocol) https://github.com/GluuFederation/oxd/tree/master/oxd-common/src/main/java/org/xdi/oxd/common/params

Let me know if something is not clear.

jschristie commented 7 years ago

@willow9886, yes i got that, that url is just for the reference of where to add the content. As @yuriyz mentioned, i will have it added to oxd Protocols, under here: https://github.com/GluuFederation/docs-oxd-prod/blob/3.1.0/3.1.0/sources/protocol/index.md