UMA 2 spec:
Changes are required for UMA RP commands. All UMA RS commands are left as is; there are no changes to the uma_rs_check_access and uma_rs_protect commands.
Changes:
UMA RP - Get RPT
If the claim_token parameter is provided, then claim_token_format must be provided too.
For now only claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken is supported.
Request
{
"command":"uma_rp_get_rpt",
"params": {
"oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF", <- REQUIRED
"ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de", <- REQUIRED
"claim_token": "eyj0f9b9...", <- OPTIONAL
"claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken", <- OPTIONAL, required if claim_token is provided
"pct": "c2F2ZWRjb25zZW50", <- OPTIONAL
"rpt": "SSJHBSUSSJHVhjsgvhsgvshgsv", <- OPTIONAL
"scope":["read"], <- OPTIONAL
"state": "af0ifjsldkj", <- OPTIONAL state that is returned from uma_rp_get_claims_gathering_url command
"protection_access_token": "ejt3425" <- OPTIONAL, required if oxd-http is used
}
}
Success Response
{
"status":"ok",
"data":{
"access_token":"SSJHBSUSSJHVhjsgvhsgvshgsv",
"token_type":"Bearer",
"pct":"c2F2ZWRjb25zZW50",
"upgraded":true
}
}
Needs Info Error Response
{
"status":"error",
"data":{
"error":"need_info",
"error_description":"The authorization server needs additional information in order to determine whether the client is authorized to have these permissions.",
"details": {
"error":"need_info",
"ticket":"ZXJyb3JfZGV0YWlscw==",
"required_claims":[
{
"claim_token_format":[
"http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
],
"claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
"friendly_name":"email",
"issuer":["https://example.com/idp"],
"name":"email23423453ou453"
}
],
"redirect_user":"https://as.example.com/rqp_claims?id=2346576421"
}
}
}
Invalid ticket error
{
"status":"error",
"data":{
"error":"invalid_ticket",
"error_description":"Ticket is not valid (outdated or not present on Authorization Server)."
}
}
Internal oxd server error
{
"status":"error",
"data":{
"error":"internal_error",
"error_description":"oxd server failed to handle command. Please check logs for details."
}
}
UMA RP - Get Claims-Gathering URL
The ticket parameter for this command MUST be the newest ticket available; in most cases that is the ticket carried in the details of the need_info error returned by uma_rp_get_rpt.
Request
{
"command":"uma_rp_get_claims_gathering_url",
"params": {
"oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF", <- REQUIRED
"ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de", <- REQUIRED
"claims_redirect_uri":"https://client.example.com/cb", <- REQUIRED
"protection_access_token": "ejt3425" <- OPTIONAL, required if oxd-http is used
}
}
Success Response
{
"status":"ok",
"data":{
"url":"https://as.com/restv1/uma/gather_claims
?client_id=@!1736.179E.AA60.16B2!0001!8F7C.B9AB!0008!AB77!1A2B
&ticket=4678a107-e124-416c-af79-7807f3c31457
&claims_redirect_uri=https://client.example.com/cb
&state=af0ifjsldkj",
"state":"af0ifjsldkj"
}
}
After the redirect to the claims-gathering URL the user goes through the Claims-Gathering Flow; on success the user is redirected back to claims_redirect_uri with a new ticket, which must be supplied in the next uma_rp_get_rpt call, along with the optional state returned by uma_rp_get_claims_gathering_url.
Example of the redirect back:
https://client.example.com/cb?ticket=e8e7bc0b-75de-4939-a9b1-2425dab3d5ec
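Putting the flow above together as an added example (this is not oxd's own client code nor one of its language SDKs): a small Python client that sends uma_rp_get_rpt and, when the answer is need_info, asks for the claims-gathering URL with the newest ticket, takes the ticket from the redirect back to claims_redirect_uri and retries uma_rp_get_rpt with that ticket and the returned state. The transport to oxd is an injected callable; here it is a constructed fake server that answers with the response shapes shown on this page, and the oxd_id, ticket, state and token values are made up. The check that the callback landed on the registered claims_redirect_uri, and the state comparison on that callback, are additions to the flow as the page describes it.

```python
"""Added example, not oxd's own client code: drives the UMA 2 RP flow this page
describes (uma_rp_get_rpt -> need_info -> uma_rp_get_claims_gathering_url -> redirect
back with a new ticket -> uma_rp_get_rpt again). The transport is injected so the flow
runs offline against a constructed fake oxd server; all identifiers are made up."""
from urllib.parse import parse_qs, urlparse

IDTOKEN_FORMAT = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
CLAIMS_REDIRECT_URI = "https://client.example.com/cb"  # the value registered with the AS


class OxdError(Exception):
    def __init__(self, data):
        super().__init__(f"{data.get('error')}: {data.get('error_description')}")
        self.error = data.get("error")
        self.details = data.get("details", {})


class UmaRpClient:
    def __init__(self, send, oxd_id, protection_access_token=None):
        self._send = send                     # callable(dict) -> dict; assumed transport
        self.oxd_id = oxd_id
        self.pat = protection_access_token    # only required when oxd-http is used

    def _command(self, name, params):
        params = {"oxd_id": self.oxd_id, **params}
        if self.pat:
            params["protection_access_token"] = self.pat
        resp = self._send({"command": name, "params": params})
        if resp.get("status") != "ok":
            raise OxdError(resp.get("data", {}))
        return resp["data"]

    def get_rpt(self, ticket, claim_token=None, claim_token_format=None, **optional):
        # Rule from the page: claim_token requires claim_token_format, and only the
        # OpenID Connect ID Token format is supported for now. Checked before sending.
        if claim_token is not None:
            if claim_token_format is None:
                raise ValueError("claim_token_format is required when claim_token is given")
            if claim_token_format != IDTOKEN_FORMAT:
                raise ValueError("unsupported claim_token_format: " + claim_token_format)
            optional.update(claim_token=claim_token, claim_token_format=claim_token_format)
        # pct, rpt, scope and state are optional: send only what the caller supplied.
        params = {"ticket": ticket, **{k: v for k, v in optional.items() if v is not None}}
        return self._command("uma_rp_get_rpt", params)

    def get_claims_gathering_url(self, ticket, claims_redirect_uri):
        return self._command("uma_rp_get_claims_gathering_url",
                             {"ticket": ticket, "claims_redirect_uri": claims_redirect_uri})


def ticket_from_callback(callback_url, expected_state):
    """Extract the new ticket from the redirect back. Refuses any other URL and, as an
    added check (the page's example callback carries only a ticket), a mismatched state."""
    u = urlparse(callback_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != CLAIMS_REDIRECT_URI:
        raise ValueError("callback did not land on the registered claims_redirect_uri")
    q = parse_qs(u.query)
    if "state" in q and q["state"][0] != expected_state:
        raise ValueError("state mismatch on claims-gathering callback")
    if not q.get("ticket"):
        raise ValueError("callback carries no ticket")
    return q["ticket"][0]


def obtain_rpt(client, ticket, send_user_to):
    """Get an RPT, running the claims-gathering round trip once if the AS asks for it.
    send_user_to(url) stands in for redirecting the browser and returns the callback URL."""
    try:
        return client.get_rpt(ticket)
    except OxdError as e:
        if e.error != "need_info":
            raise
        need_info = e.details
    # Always use the newest ticket, the one inside the need_info details, not the old one.
    gathering = client.get_claims_gathering_url(need_info["ticket"], CLAIMS_REDIRECT_URI)
    new_ticket = ticket_from_callback(send_user_to(gathering["url"]), gathering["state"])
    # The retry carries the new ticket plus the state from uma_rp_get_claims_gathering_url.
    return client.get_rpt(new_ticket, state=gathering["state"])


def fake_oxd_server(cmd):
    """Constructed stand-in for oxd-server using the response shapes shown on this page."""
    p, name = cmd["params"], cmd["command"]
    if name == "uma_rp_get_claims_gathering_url" and p["ticket"] == "ticket-1":
        url = ("https://as.example.com/restv1/uma/gather_claims?client_id=c&ticket=ticket-1"
               "&claims_redirect_uri=" + p["claims_redirect_uri"] + "&state=af0ifjsldkj")
        return {"status": "ok", "data": {"url": url, "state": "af0ifjsldkj"}}
    if name == "uma_rp_get_rpt" and p["ticket"] == "ticket-0":   # AS wants more claims
        return {"status": "error", "data": {"error": "need_info", "error_description":
                "The authorization server needs additional information.",
                "details": {"error": "need_info", "ticket": "ticket-1", "required_claims": [],
                            "redirect_user": "https://as.example.com/rqp_claims?id=1"}}}
    if name == "uma_rp_get_rpt" and p["ticket"] == "ticket-2" and p.get("state") == "af0ifjsldkj":
        return {"status": "ok", "data": {"access_token": "rpt-after-claims", "token_type": "Bearer",
                                         "pct": "c2F2ZWRjb25zZW50", "upgraded": True}}
    return {"status": "error", "data": {"error": "invalid_ticket", "error_description":
            "Ticket is not valid (outdated or not present on Authorization Server)."}}


def fake_browser(url):
    """Constructed user agent: the user completes claims gathering and comes back with a ticket."""
    state = parse_qs(urlparse(url).query)["state"][0]
    return f"{CLAIMS_REDIRECT_URI}?ticket=ticket-2&state={state}"


def demo():
    client = UmaRpClient(fake_oxd_server, "6F9619FF-8B86-D011-B42D-00CF4FC964FF")
    return obtain_rpt(client, "ticket-0", fake_browser)
```

demo() runs the complete round trip offline and returns the success-response data from the second uma_rp_get_rpt. The claim_token/claim_token_format rule from Get RPT is enforced in the client before anything is sent, so a malformed request never reaches oxd or the AS, and an invalid_ticket answer surfaces as OxdError rather than being retried.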
UMA Authorize RPT - REMOVED
The uma_rp_authorize_rpt command has been removed.
UMA Get GAT - REMOVED
The uma_rp_get_gat command has been removed.
register_site and setup_client commands update
The register_site and setup_client commands have:
- a new parameter claims_redirect_uri.
- a new parameter oxd_rp_programming_language. The value should be the programming language used by the oxd client, for example java, php, ruby and so on.
Stepped-up authentication
To support stepped-up authentication, the AS Claims-Gathering Endpoint must also be registered as a valid redirect_uri of the client.
If the user is already authenticated at the AS, the AS recognizes this automatically. If the user is not authenticated and the Claims-Gathering script redirects for authentication, oxd can register the Claims-Gathering Endpoint as a client redirect_uri so that the UMA 2 engine gets control back after successful authentication. This is enabled or disabled in the oxd-conf.json configuration file with uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client:
...
"uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client" : true
...
Renamed client_logout_uris -> client_frontchannel_logout_uris