Closed michielbdejong closed 2 weeks ago
GNAP-RS introspection response has:
access (array of strings/objects): REQUIRED. The access rights associated with this access token. This MUST be in the format described in the Section 8 of [GNAP]. This array MAY be filtered or otherwise limited for consumption by the identified RS, including being an empty array, indicating that the token has no explicit access rights that can be disclosed to the RS.
How does this compare with permissions in UMA-extended introspection responses?
Should we use GNAP-RS introspection responses instead of UMA-extended ones?
Not only for the introspection response but also for the resource registration, GNAP-RS and UMA-Fed-Auth seem to present distinct options to solve a similar problem: In UMA-Fed-Auth the RS defines a name and list of scopes and the AS adds the ID.
In GNAP-RS 3.4 "Registering a Resource Set", the RS posts an array of RARs (where RAR stands for Resource Access Rights, NOT Rich Authorization Requests!)
https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#section-8 defines:
type (string): The type of resource request as a string. This field MAY define which other fields are allowed in the request object. REQUIRED.
actions (array of strings): The types of actions the client instance will take at the RS as an array of strings. For example, a client instance asking for a combination of "read" and "write" access.
locations (array of strings): The location of the RS as an array of strings. These strings are typically URIs identifying the location of the RS.
datatypes (array of strings): The kinds of data available to the client instance at the RS's API as an array of strings. For example, a client instance asking for access to raw "image" data and "metadata" at a photograph API.
identifier (string): A string identifier indicating a specific resource at the RS. For example, a patient identifier for a medical API or a bank account number for a financial API.
privileges (array of strings): The types or levels of privilege being requested at the resource. For example, a client instance asking for administrative level access, or access when the resource owner is no longer online.
The choice between UMA Resource Registry and GNAP-RS Resource Set Registry feels like a syntactical detail, unless I misunderstood some profound difference between them.
We will need to make a choice but will follow common practice from the OAuth community here.
Look into https://datatracker.ietf.org/doc/draft-ietf-gnap-resource-servers/
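To make the comparison in this issue concrete, here is an added example (not code from this project or from either specification) of the decision an RS has to make once it holds an introspection response: does this token allow the requested action on this resource? It handles both shapes discussed above, the GNAP `access` array with the Section 8 fields (`type`, `actions`, `locations`, `datatypes`, `identifier`) and the UMA `permissions` array (`resource_id`, `resource_scopes`), and it also models the registration side: a string entry in `access` is a reference to a resource set the RS registered earlier, resolved against the RS's own record. The sample responses and the resource-set registry are constructed; the field name `active` follows the GNAP-RS introspection response; the UMA-to-GNAP field mapping in `uma_permissions_to_access`, and the rule that an absent `locations`/`datatypes` list means "unconstrained in that dimension", are this example's assumptions about RS policy, not something either draft prescribes.

```python
"""RS-side authorization decision over GNAP-RS / UMA introspection responses.

All sample data below is constructed for this example.
"""
from __future__ import annotations
from typing import Any, Optional

# Constructed GNAP-RS introspection response. `active` and `access` follow
# draft-ietf-gnap-resource-servers; the values are made up.
GNAP_INTROSPECTION: dict[str, Any] = {
    "active": True,
    "access": [
        {   # object form: a GNAP Section 8 access right
            "type": "photo-api",
            "actions": ["read"],
            "locations": ["https://rs.example/photos/"],
            "datatypes": ["metadata"],
        },
        "dolphin-metadata",  # string form: reference to a registered resource set
    ],
}

# Constructed: what the RS itself recorded when it registered resource sets
# (GNAP-RS 3.4). The RS, not the token, is the authority on what a reference means.
RESOURCE_SET_REGISTRY: dict[str, dict[str, Any]] = {
    "dolphin-metadata": {
        "type": "photo-api",
        "actions": ["read", "write"],
        "locations": ["https://rs.example/photos/"],
        "datatypes": ["image"],
        "identifier": "album-42",
    },
}

# Constructed UMA 2.0 Fed-Authz style introspection response.
UMA_INTROSPECTION: dict[str, Any] = {
    "active": True,
    "permissions": [{"resource_id": "photo-api", "resource_scopes": ["read"]}],
}


def uma_permissions_to_access(resp: dict[str, Any]) -> list[dict[str, Any]]:
    """ASSUMED mapping (not from either spec): UMA resource_id -> GNAP `type`,
    resource_scopes -> GNAP `actions`. Shows the two shapes are interchangeable
    for a simple scope check."""
    return [
        {"type": p["resource_id"], "actions": list(p.get("resource_scopes", []))}
        for p in resp.get("permissions", [])
    ]


def _resolve(entry: Any, registry: dict[str, dict[str, Any]]) -> Optional[dict[str, Any]]:
    """A string entry must resolve to a resource set this RS registered; an
    unknown reference grants nothing."""
    if isinstance(entry, dict):
        return entry
    if isinstance(entry, str):
        return registry.get(entry)
    return None


def _matches(right: dict[str, Any], type_: str, action: str,
             location: str, datatype: Optional[str], identifier: Optional[str]) -> bool:
    """Every dimension the right constrains must be satisfied by the request.
    An absent `locations`/`datatypes`/`identifier` is treated as unconstrained
    (RS policy assumption); `actions` is always required."""
    if right.get("type") != type_:
        return False
    if action not in right.get("actions", []):
        return False
    locs = right.get("locations")
    if locs and not any(location.startswith(loc) for loc in locs):
        return False
    dts = right.get("datatypes")
    if dts and datatype not in dts:
        return False
    ident = right.get("identifier")
    if ident is not None and ident != identifier:
        return False
    return True


def is_permitted(resp: dict[str, Any], *, type_: str, action: str, location: str,
                 datatype: Optional[str] = None, identifier: Optional[str] = None,
                 registry: Optional[dict[str, dict[str, Any]]] = None) -> bool:
    """Deny by default: inactive token, missing/empty `access` (the AS disclosed
    no rights to this RS), or no right matching the request all yield False."""
    if resp.get("active") is not True:
        return False
    access = resp.get("access")
    if not isinstance(access, list) or not access:
        return False
    registry = registry if registry is not None else {}
    for entry in access:
        right = _resolve(entry, registry)
        if right is not None and _matches(right, type_, action, location, datatype, identifier):
            return True
    return False


if __name__ == "__main__":
    print(is_permitted(GNAP_INTROSPECTION, type_="photo-api", action="read",
                       location="https://rs.example/photos/1", datatype="metadata"))
```

The point the example makes for this issue: once the RS normalises both responses to "a list of rights, each constraining some dimensions of a request", the UMA and GNAP shapes differ only in which dimensions they can express (UMA has resource + scopes, GNAP adds locations, datatypes, identifier and privileges), which supports treating the choice as largely syntactic.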