KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/

Behaviour for invalid/expired claim_token #344

Closed mrpotes closed 7 years ago

mrpotes commented 7 years ago

If the client pushes an invalid/expired claim_token, how should the AS respond - need_info? Should the spec define that behaviour?

ciseng commented 7 years ago

This would be need_info. AS could not use what was provided by the client, and lists them under required_claims again. I think we should define any behaviour in the spec that raises a question and cannot be answered immediately.

xmlgrrl commented 7 years ago

I'm inclined to agree on both points.

xmlgrrl commented 7 years ago

Per UMA telecon 2017-08-08, need_info is correct and we need to explain this condition for the error.
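
The behaviour agreed in this thread, sketched as an added example (not code from the UMA specification or from any participant): an AS token-endpoint check that treats a malformed, forged or expired pushed claim_token as if no claims had been pushed and answers need_info with the same required_claims. The HS256 key, the `email` policy, the `ticket` argument supplied by the caller and all function names are assumptions; the 403 response shape follows the need_info error in the UMA 2.0 Grant.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 key shared with the claims issuer
ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
REQUIRED = [{"name": "email", "claim_token_format": [ID_TOKEN]}]  # hypothetical policy

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, key=KEY):
    """Build a constructed HS256 claim_token for the demo."""
    head = _b64e(json.dumps({"alg": "HS256"}).encode())
    body = _b64e(json.dumps(claims).encode())
    signing_input = head + "." + body
    return signing_input + "." + _b64e(_sign(signing_input, key))

def pushed_claims(claim_token, now):
    """Return verified claims, or None if the token is malformed, forged or expired."""
    try:
        head, body, sig = claim_token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(head + "." + body, KEY), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        exp = claims.get("exp")
    except (ValueError, AttributeError):  # bad structure, base64 or JSON
        return None
    return claims if isinstance(exp, (int, float)) and exp > now else None

def token_response(claim_token, ticket, now=None):
    """Return (HTTP status, JSON body) for a token request with pushed claims."""
    now = time.time() if now is None else now
    claims = pushed_claims(claim_token, now)
    # An unusable claim_token counts as no claims: everything is required again.
    missing = [r for r in REQUIRED if claims is None or r["name"] not in claims]
    if missing:
        return 403, {"error": "need_info", "ticket": ticket,
                     "required_claims": missing}
    return 200, {"access_token": "constructed-rpt", "token_type": "Bearer"}
```

The response does not say whether the token was expired, forged or unparseable, so a client learns only which claims it still has to supply.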