Closed joebandenburg closed 6 years ago
I would say it depends more on WHY CandidateGrantedScopes (CGSc) < RequestedScopes (RSc) than on the fact it actually happened. For this reason, the sentence "the client is not authorized to have these permissions added" seems too general to me and causes overlap with the other possible errors.
The invalid_scope is quite clear, I'd say: CGSc < RSc because there is a scope in RequestedScopes that is not registered for any of the requested resources.
Then it might be necessary to state the "precedence" of request_submitted and need_info more explicitly: Let's say the CGSc is two scopes short: the first scope is ruled out because there were not enough claims = need_info, the second is ruled out because the policies can't be fulfilled with the given claims (which are sufficient to compute the decisions) = request_submitted (let's call this scope unreachable). The problem is that the AS can choose a strategy according to which it either issues an RPT with fewer scopes than requested or not. The precedence should however be tied to that strategy: If the policy of the AS is to issue an RPT only when CGSs = RSc, then if there is any unreachable scope -> request_submitted should be thrown (need_info would just be a waste of time). Conversely, if the AS would issue an RPT when CGSs < RSc (and more precisely, if it would issue an RPT with CGSs = RSc - {unreachable scopes}), need_info should be thrown (request_submitted would cause waiting when just supplying an additional claim might be enough).
Actually now that I see it, I think the former is just a special case of the latter, so: Does AS want to issue RPT if CGSc <= RSc - {unreachable scopes}? Yes -> need_info, No -> request_submitted.
This last sentence might be worth mentioning in the standard as it clarifies the behaviour and is not restricting (at least for the meaningful implementations).
For me it is also worth saying that I agree with your point from some of the other issues, that it might not actually be a MUST for the AS to support submitting the requests to the RO; hence, request_submitted could be replaced.
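The precedence rule proposed in the comment above, written out as an added example (not code from the UMA specification or from any participant in this thread). The function name, the `Outcome` type and the `allow_partial` strategy flag are hypothetical, and the handling of an empty grant is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    result: str                    # "rpt" or one of the error codes named in the thread
    scopes: frozenset = frozenset()


def decide(requested, registered, needs_claims, unreachable, allow_partial):
    """Pick the AS response for a permission request.

    requested     -- RSc, the scopes the client asked for
    registered    -- scopes registered for the requested resources
    needs_claims  -- scopes ruled out because too few claims were supplied
    unreachable   -- scopes whose policies cannot be met with the given claims
    allow_partial -- hypothetical AS strategy flag: True if the AS is willing
                     to issue an RPT for RSc minus the unreachable scopes
    """
    rsc = frozenset(requested)
    # A requested scope that is not registered for any requested resource.
    if rsc - frozenset(registered):
        return Outcome("invalid_scope")

    missing_claims = rsc & frozenset(needs_claims)
    unreach = rsc & frozenset(unreachable)
    cgsc = rsc - missing_claims - unreach      # CandidateGrantedScopes
    if cgsc == rsc:
        return Outcome("rpt", cgsc)

    # Strict AS (RPT only when CGSc == RSc): extra claims cannot help.
    if unreach and not allow_partial:
        return Outcome("request_submitted")
    # Otherwise supplying more claims may be enough.
    if missing_claims:
        return Outcome("need_info")
    # Only unreachable scopes are missing and a partial grant is acceptable.
    # Assumption of this example: an empty grant is never issued as an RPT.
    return Outcome("rpt", cgsc) if cgsc else Outcome("request_submitted")
```
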
I suspect this relates to #340.
Discussed and decided in UMA telecon 2017-08-07, but reopened after further consideration, and influenced by new #340 decision in UMA telecon 2017-08-17.
The spec says in section 3.3.4:
It is not clear which, if any, of the defined error codes the AS should return in this case. None of invalid_grant, invalid_scope, request_submitted or need_info seem to apply here. The closest match seems to be invalid_grant as it includes the description "the client is not authorized to have these permissions added". However, an HTTP response code of 400 bad request does not seem to be appropriate here.