search

KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/
Other
27 stars 21 forks source link

Which error code to return when candidate granted scopes is less than requested scopes #350

Closed joebandenburg closed 6 years ago

joebandenburg commented 6 years ago

The spec says in section 3.3.4:

If CandidateGrantedScopes < RequestedScopes, the authorization server subsequently issues either an RPT containing CandidateGrantedScopes, or one of the error codes.

It is not clear which, if any, of the defined error codes the AS should return in this case. None of invalid_grant, invalid_scope, request_submitted or need_info seem to apply here.

The closest match seems to be invalid_grant as it includes the description "the client is not authorized to have these permissions added". However, a HTTP response code of 400 bad request does not seem to be appropriate here.

xguttner commented 6 years ago

I would say it depends more on WHY CandidateGrantedScopes (CGSc) < RequestedScopes (RSc) than on the fact it actually happened. From this reason, the sentence: "the client is not authorized to have these permissions added" seems too general to me and causes overlapping with the other possible errors.

The invalid_scope is quite clear, I'd say: CGSc < RSc because there is a scope in RequestedScopes that is not registered for any of the requested resources.

Then it might be necessarry to more explicitly state the "precedence" of request_submitted and need_info: Let's say the CGSc is two scopes short: first scope rulled out because there was not enough claims = need_info, second rulled out because of the policies can't be fulfilled with given claims (that are sufficient to compute the decisions) = request_submitted (let's call this scope unreachable). The problem is the AS can choose a strategy according to which it either issues RPT with less scopes than requested or not. The precedence should however be tied to that strategy: If the policy of AS is to issue RPT only when CGSs = RSc, then if there is any unreachable scope -> request_submitted should be thrown (need_info would be just wasting of time). Contrary, if AS would issue RPT when CGSs < RSc (and more precisely, if it would issue RPT with CGSs = RSc - {unreachable scopes}), need_info should be thrown (request_submitted would cause waiting when just supplying additional claim might be enough).

Actually now that I see it, I think the former is just a special case of the latter, so: Does AS want to issue RPT if CGSc <= RSc - {unreachable scopes}? Yes -> need_info, No -> request_submitted.

This last sentence might be worth mentioning in the standard as it clarifies the behaviour and is not restricting (at least for the meaningful implementations).

For me it is also worth to say that I agree with your point from some of the other issues, that actually it might not be a MUST for AS to support submitting the requests to RO, hence, request_submitted could be replaced.

xmlgrrl commented 6 years ago

I suspect this relates to #340.

xmlgrrl commented 6 years ago

Discussed and decided in UMA telecon 2017-08-07, but reopened after further consideration, and influenced by new #340 decision in UMA telecon 2017-08-17.