oauth-uma-grant.xml

<?xml version="1.0" encoding="US-ASCII"?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN"
"http://xml2rfc.tools.ietf.org/authoring/rfc2629.dtd" [
<!ENTITY RFC6749 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
<!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC7159 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7159.xml">
<!ENTITY RFC7591 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7591.xml">
<!ENTITY RFC5785 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5785.xml">
<!ENTITY RFC3986 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml">
<!ENTITY RFC6750 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6750.xml">
<!ENTITY RFC6819 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6819.xml">
<!ENTITY RFC7009 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7009.xml">
]>
<rfc category="std" docName="oauth-uma-grant" id="kantara" ipr="kantara"
     target="recommendation" version="2.0">
  <?xml-stylesheet texttype='text/xsl' href='rfc2629.xslt' ?>

  <?rfc toc='yes' ?>

  <?rfc tocdepth='4' ?>

  <?rfc symrefs='yes' ?>

  <?rfc sortrefs='yes' ?>

  <?rfc compact='yes' ?>

  <?rfc subcompact='no' ?>

  <front>
    <title abbrev="">User-Managed Access (UMA) 2.0 Grant for OAuth 2.0
    Authorization</title>

    <author fullname="Eve Maler" initials="E." role="editor" surname="Maler">
      <organization>ForgeRock</organization>

      <address>
        <email>eve.maler@forgerock.com</email>
      </address>
    </author>

    <author fullname="Maciej Machulak" initials="M." surname="Machulak">
      <organization>HSBC</organization>

      <address>
        <email>maciej.p.machulak@hsbc.com</email>
      </address>
    </author>

    <author fullname="Justin Richer" initials="J." surname="Richer">
      <organization>Bespoke Engineering</organization>

      <address>
        <email>justin@bspk.io</email>
      </address>
    </author>

    <date day="7" month="January" year="2018" />

    <abstract>
      <t>This specification defines a means for a client, representing a
      requesting party, to use a permission ticket to request an OAuth 2.0
      access token to gain access to a protected resource asynchronously from
      the time a resource owner authorizes access.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="introduction" title="Introduction">
      <t>This specification defines an extension OAuth 2.0 <xref
      target="RFC6749" /> grant. The grant enhances OAuth capabilities in the
      following ways:<list style="symbols">
          <t>The resource owner authorizes protected resource access to
          clients used by entities that are in a <spanx>requesting
          party</spanx> role. This enables party-to-party authorization,
          rather than authorization of application access alone.</t>

          <t>The authorization server and resource server interact with the
          client and requesting party in a way that is
          <spanx>asynchronous</spanx> with respect to resource owner
          interactions. This lets a resource owner configure an authorization
          server with authorization grant rules (policy conditions) at will,
          rather than authorizing access token issuance synchronously just
          after authenticating.</t>
        </list></t>

      <t>For example, bank customer (resource owner) Alice with a bank account
      service (resource server) can use a sharing management service
      (authorization server) hosted by the bank to manage access to her
      various protected resources by spouse Bob, accounting professional
      Charline, and and financial information aggregation company Decide
      Account, all using different client applications. Each of her bank
      accounts is a protected resource, and two different scopes of access she
      can control on them are viewing account data and accessing payment
      functions.</t>

      <t>An OPTIONAL second specification, <xref target="UMAFedAuthz" />,
      defines a means for an UMA-enabled authorization server and resource
      server to be loosely coupled, or federated, in a resource owner context.
      This specification, together with <xref target="UMAFedAuthz" />,
      constitutes UMA 2.0.</t>

      <section title="Notational Conventions">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
        "OPTIONAL" in this document are to be interpreted as described in
        <xref target="RFC2119" />.</t>

        <t>Unless otherwise noted, all parameter names and values are case
        sensitive. JSON <xref target="RFC7159" /> data structures defined in
        this specification MAY contain extension parameters that are not
        defined in this specification. Any entity receiving or retrieving a
        JSON data structure SHOULD ignore extension parameters it is unable to
        understand. Extension names that are unprotected from collisions are
        outside the scope of this specification.</t>
      </section>

      <section anchor="roles" title="Roles">
        <t>The UMA grant enhances the OAuth definitions of entities in order
        to accommodate the requesting party role.<list style="hanging">
            <t hangText="resource owner"><vspace />An entity capable of
            granting access to a protected resource, the "user" in
            User-Managed Access. The resource owner MAY be an end-user
            (natural person) or MAY be a non-human entity treated as a person
            for limited legal purposes (legal person), such as a
            corporation.</t>

            <t hangText="requesting party"><vspace />A natural or legal person
            that uses a client to seek access to a protected resource. The
            requesting party may or may not be the same party as the resource
            owner.</t>

            <t hangText="client"><vspace />An application that is capable of
            making requests for protected resources with the resource owner's
            authorization and on the requesting party's behalf.</t>

            <t hangText="resource server"><vspace />A server that hosts
            resources on a resource owner's behalf and is capable of accepting
            and responding to requests for protected resources.</t>

            <t hangText="authorization server"><vspace />A server that
            protects, on a resource owner's behalf, resources hosted at a
            resource server.</t>
          </list></t>
      </section>

      <section anchor="high-level-flow" title="Abstract Flow">
        <t>The UMA grant enhances the abstract protocol flow of OAuth.</t>

        <t><xref target="protocol-flow" /> shows an example flow illustrating
        a variety of messaging paths and artifacts. The resource owner entity
        and its communications with the authorization server are included for
        completeness, although policy condition setting is outside the scope
        of this specification and communications among the other four entities
        are asynchrjonous with respect to resource owner actions. Further,
        although both claims pushing and interactive claims gathering are
        shown, both might not typically be used in one scenario.</t>

        <figure anchor="protocol-flow" title="Example Flow">
          <artwork><![CDATA[requesting                             authorization resource resource
  party        client                      server     server    owner
    |            |                           |          |         |
    |            |                           |Set policy|         |
    |            |                           |conditions (anytime)|
    |            |                           |<- - - - - - - - - -|
    |            |Resource request (no access token)    |         |
    |            |------------------------------------->|         |
    |            |401 response with initial permission  |         |
    |            |ticket, authz server location         |         |
    |            |<-------------------------------------|         |
    |            |Access token (RPT) request |          |         |
    |            |with permission ticket,    |          |         |
    |            |claim token (push claims)  |          |         |
    |            |-------------------------->|          |         |
    |            |                      +----|Authz     |         |
    |            |                      +--->|assessment|         |
    |            |403 response with new      |          |         |
    |            |permission ticket,         |          |         |
    |            |need_info error,           |          |         |
    |            |redirect_user hint         |          |         |
    |            |<--------------------------|          |         |
    |Redirect    |                           |          |         |
    |user with   |                           |          |         |
    |permission  |                           |          |         |
    |ticket      |                           |          |         |
    |<-----------|                           |          |         |
    |Follow redirect to authz server         |          |         |
    |--------------------------------------->|          |         |
    |Interactive claims gathering            |          |         |
    |<- - - - - - - - - - - - - - - - - - - >|          |         |
    |Redirect back with new permission       |          |         |
    |ticket                                  |          |         |
    |<---------------------------------------|          |         |
    |Follow      |                           |          |         |
    |redirect    |                           |          |         |
    |to client   |                           |          |         |
    |----------->|                           |          |         |
    |            |RPT request with permission|          |         |
    |            |ticket                     |          |         |
    |            |-------------------------->|          |         |
    |            |                      +----|Authz     |         |
    |            |                      +--->|assessment|         |
    |            |Response with RPT and PCT  |          |         |
    |            |<--------------------------|          |         |
    |            |Resource request with RPT  |          |         |
    |            |------------------------------------->|         |
    |            |Protected resource         |          |         |
    |            |<-------------------------------------|         |

]]></artwork>
        </figure>

        <t>Following are key concepts relevant to this specification, as
        illustrated in the figure:<list style="hanging">
            <t hangText="requesting party token (RPT)">An OAuth access token
            associated with the UMA grant. An RPT is unique to a requesting
            party, client, authorization server, resource server, and resource
            owner.</t>

            <t hangText="permission">Authorized access to a particular
            resource with some number of scopes bound to that resource. A
            permission ticket represents some number of requested permissions.
            An RPT represents some number of granted permissions. Permissions
            are part of the authorization server's process and are opaque to
            the client.</t>

            <t hangText="permission ticket">A correlation handle representing
            requested permissions that is created and maintained by the
            authorization server, initially passed to the client by the
            resource server, and presented by the client at the token endpoint
            and during requesting party redirects.</t>

            <t hangText="authorization process">The process through which the
            authorization server determines whether it should issue an RPT to
            the client on the requesting party's behalf, based on a variety of
            inputs. A key component of the process is authorization
            assessment. (See <xref target="authorization-process" />.)</t>

            <t hangText="claim">A statement of the value or values of one or
            more attributes of an entity. The authorization server typically
            needs to collect and assess one or more claims of the requesting
            party or client against policy conditions as part of protecting a
            resource. The two methods available for UMA claims collection are
            claims pushing and interactive claims gathering. Note: Claims
            collection might involve authentication for unique user
            identification, but depending on policy conditions might
            additionally or instead involve the collection of non-uniquely
            identifying attributes, authorization for some action (for
            example, see <xref target="redirect-back" />), or other statements
            of agreement.</t>

            <t hangText="claim token">A package of claims provided directly by
            the client to the authorization server through claims pushing.</t>

            <t hangText="persisted claims token (PCT)">A correlation handle
            issued by an authorization server that represents a set of claims
            collected during one authorization process, available for a client
            to use in attempting to optimize a future authorization
            process.</t>
          </list></t>

        <t>Note: How the client acquired knowledge of the resource server's
        interface and the specific endpoint of the desired protected resource
        is outside the scope of this specification. For example, the resource
        server might have a programmatic API or it might serve up simple web
        pages, and the resource owner might have advertised the endpoint
        publicly on a blog or other website, listed it in a discovery service,
        or emailed a link to a particular intended requesting party.</t>

        <section anchor="authorization-process" title="Authorization Process">
          <t>The authorization process involves the following activities:<list
              style="symbols">
              <t>Claims collection. Claims pushing by a client is defined in
              <xref target="uma-grant-type" />, and interactive claims
              gathering with an end-user requesting party is defined in <xref
              target="claim-redirect" />.</t>

              <t>Authorization assessment (as defined in <xref
              target="authorization-assessment" />). Authorization assessment
              involves the authorization server assembling and evaluating
              policy conditions, scopes, claims, and any other relevant
              information sourced outside of UMA claims collection flows, in
              order to mitigate access authorization risk.</t>

              <t>Authorization results determination (as defined in <xref
              target="authorization-assessment" />). The authorization server
              either returns a success code (as defined in <xref
              target="give-rpt" />), an RPT, and an optional PCT, or an error
              code (as defined in <xref target="authorization-failure" />). If
              the error code is <spanx style="verb">need_info</spanx> or
              <spanx style="verb">request_submitted</spanx>, the authorization
              server provides a permission ticket, giving the client an
              opportunity to continue within the same authorization process
              (including engaging in further claims collection).</t>
            </list></t>

          <t>Different choices of claims collection methods, other inputs to
          authorization assessment, and error codes might be best suited for
          different deployment ecosystems. For example, where no
          pre-established relationship is expected between the resource
          owner's authorization server and the requesting party, initial
          requesting party redirection might be a useful pattern, at which
          point the authorization server might either authenticate the
          requesting party locally or serve as a relying party for a remote
          identity provider. Where a common authorization server functions as
          an identity provider for all resource owners and requesting parties,
          having the client push claim tokens sourced from that central server
          itself with a pre-negotiated format and contents might be a useful
          pattern.</t>
        </section>
      </section>
    </section>

    <section anchor="as-config" title="Authorization Server Metadata">
      <t>The authorization server supplies metadata in a discovery document to
      declare its endpoints. The client uses this discovery document to
      discover these endpoints for use in the flows defined in <xref
      target="protocol-flow-details-sec" />.</t>

      <t>The authorization server MUST make a discovery document available.
      The structure of the discovery document MUST conform to that defined in
      <xref target="OAuthMeta" />. The discovery document MUST be available at
      an endpoint formed by concatenating the string <spanx
      style="verb">/.well-known/uma2-configuration</spanx> to the <spanx
      style="verb">issuer</spanx> metadata value defined in <xref
      target="OAuthMeta" />, using the well-known URI syntax and semantics
      defined in <xref target="RFC5785" />. In addition to the metadata
      defined in <xref target="OAuthMeta" />, this specification defines the
      following metadata for inclusion in the discovery document:<list
          hangIndent="6" style="hanging">
          <t hangText="claims_interaction_endpoint"><vspace />OPTIONAL. A
          static endpoint URI at which the authorization server declares that
          it interacts with end-user requesting parties to gather claims. If
          the authorization server also provides a claims interaction endpoint
          URI as part of its <spanx style="verb">redirect_user</spanx> hint in
          a <spanx style="verb">need_info</spanx> response to a client on
          authorization failure (see <xref target="authorization-failure" />),
          that value overrides this metadata value. Providing the static
          endpoint URI is useful for enabling interactive claims gathering
          prior to any pushed-claims flows taking place, for example, for
          gathering authorization for subsequent claim pushing (see <xref
          target="claim-redirect" />).</t>

          <t hangText="uma_profiles_supported"><vspace />OPTIONAL. UMA
          profiles and extensions supported by this authorization server. The
          value is an array of string values, where each string value is a URI
          identifying an UMA profile or extension. As discussed in <xref
          target="profiles" />, an authorization server supporting a profile
          or extension related to UMA SHOULD supply the specification's
          identifying URI (if any) here.</t>
        </list></t>

      <t>If the authorization server supports dynamic client registration, it
      MUST allow client applications to register <spanx
      style="verb">claims_redirect_uri</spanx> metadata, as defined in <xref
      target="claim-redirect" />, using the following metadata field:<list
          hangIndent="6" style="hanging">
          <t hangText="claims_redirect_uris"><vspace />OPTIONAL. Array of one
          or more claims redirection URIs.</t>
        </list></t>
    </section>

    <section anchor="protocol-flow-details-sec" title="Flow Details">
      <section anchor="client-attempts-tokenless-access"
               title="Client Requests Resource Without Providing an Access Token">
        <t>The client requests a protected resource without providing any
        access token.</t>

        <t>Note: This process does not assume that any relevant policy
        conditions have already been defined at the authorization server.</t>

        <t>For an example of how the resource server can put resources under
        the protection of an authorization server, see <xref
        target="UMAFedAuthz" />.</t>

        <figure>
          <preamble>Example of a client request at a protected resource
          without providing an access token:</preamble>

          <artwork><![CDATA[GET /users/alice/album/photo.jpg HTTP/1.1
Host: photoz.example.com
...
]]></artwork>
        </figure>
      </section>

      <section anchor="rs-tokenless-response"
               title="Resource Server Responds to Client's Tokenless Access Attempt">
        <t>The resource server responds to the client's tokenless resource
        request.</t>

        <t>The resource server MUST obtain a permission ticket from the
        authorization server to provide in its response, but the means of
        doing so is outside the scope of this specification. For an example of
        how the resource server can obtain the permission ticket, see <xref
        target="UMAFedAuthz" />.</t>

        <t>The process of choosing what permissions to request from the
        authorization server may require interpretation and mapping of the
        client's resource request. The resource server SHOULD request a set of
        permissions with scopes that is reasonable for the client's resource
        request.</t>

        <t>Note: In order for the resource server to know which authorization
        server to approach for the permission ticket and on which resource
        owner's behalf, it needs to derive the necessary information using
        cues provided by the structure of the API where the resource request
        was made, rather than by an access token. Commonly, this information
        can be passed through the URI, headers, or body of the client's
        request. Alternatively, the entire interface could be dedicated to the
        use of a single resource owner and protected by a single authorization
        server.</t>

        <t>See <xref target="ticket-management" /> for permission ticket
        security considerations.</t>

        <section anchor="permission-success-to-client"
                 title="Resource Server Response to Client on Permission Request Success">
          <t>If the resource server is able to provide a permission ticket
          from the authorization server, it responds to the client by
          providing a <spanx style="verb">WWW-Authenticate</spanx> header with
          the authentication scheme <spanx style="verb">UMA</spanx>, with the
          <spanx style="verb">issuer</spanx> URI from the authorization
          server's discovery document in an <spanx style="verb">as_uri</spanx>
          parameter and the permission ticket in a <spanx
          style="verb">ticket</spanx> parameter.</t>

          <figure>
            <preamble>For example:</preamble>

            <artwork><![CDATA[HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="example",
  as_uri="https://as.example.com",
  ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
...
]]></artwork>
          </figure>
        </section>

        <section anchor="permission-failure-to-client"
                 title="Resource Server Response to Client on Permission Request Failure">
          <t>If the resource server is unable to provide a permission ticket
          from the authorization server, then it includes a header of the
          following form in its response to the client: <spanx
          style="verb">Warning: 199 - "UMA Authorization Server
          Unreachable"</spanx>.</t>

          <figure>
            <preamble>For example:</preamble>

            <artwork><![CDATA[HTTP/1.1 403 Forbidden
Warning: 199 - "UMA Authorization Server Unreachable"
...
]]></artwork>
          </figure>

          <t>Without an authorization server location and permission ticket,
          the client is unable to continue.</t>
        </section>
      </section>

      <section anchor="seek-authorization"
               title="Client Seeks RPT on Requesting Party's Behalf">
        <t>The client seeks issuance of an RPT.</t>

        <t>This process assumes that:<list style="symbols">
            <t>The client has obtained a permission ticket and an
            authorization server location from the resource server.</t>

            <t>The client has retrieved the authorization server's discovery
            document as needed.</t>

            <t>The client has obtained a client identifier or a full set of
            client credentials as appropriate, either statically or
            dynamically (for example, through <xref target="RFC7591" /> or
            <xref target="OIDCDynClientReg" />). This grant works with clients
            of both confidential and public types.</t>
          </list></t>

        <t>Initiation of this process has two options. One option is for the
        client to request an RPT from the token endpoint immediately, as
        defined in <xref target="uma-grant-type" />. Claim pushing is
        available at this endpoint. The other option, if the authorization
        server&rsquo;s discovery document statically provided a claims
        interaction endpoint, is for the client to redirect the requesting
        party immediately to that endpoint for interactive claims gathering,
        as defined in <xref target="claim-redirect" />.</t>

        <section anchor="uma-grant-type"
                 title="Client Request to Authorization Server for RPT">
          <t>The client makes a request to the token endpoint by sending the
          following parameters:<list style="hanging">
              <t hangText="grant_type">REQUIRED. MUST be the value <spanx
              style="verb">urn:ietf:params:oauth:grant-type:uma-ticket</spanx>.</t>

              <t hangText="ticket">REQUIRED. The most recent permission ticket
              received by the client as part of this authorization
              process.</t>

              <t hangText="claim_token">OPTIONAL. If this parameter is used,
              it MUST appear together with the <spanx
              style="verb">claim_token_format</spanx> parameter. A string
              containing directly pushed claim information in the indicated
              format. It MUST be base64url encoded unless specified otherwise
              by the claim token format. The client MAY provide this
              information on both first and subsequent requests to this
              endpoint. The client and authorization server together might
              need to establish proper audience restrictions for the claim
              token prior to claims pushing. See <xref target="trust-push" />
              and <xref target="rqp-privacy" /> for security and privacy
              considerations regarding pushing of claims.</t>

              <t hangText="claim_token_format">OPTIONAL. If this parameter is
              used, it MUST appear together with the <spanx
              style="verb">claim_token</spanx> parameter. A string specifying
              the format of the claim token in which the client is directly
              pushing claims to the authorization server. The string MAY be a
              URI. Examples of potential types of claim token formats are
              <xref target="OIDCCore" /> ID Tokens and SAML assertions.</t>

              <t hangText="pct">OPTIONAL. If the authorization server
              previously returned a PCT along with an RPT, the client MAY
              include the PCT in order to optimize the process of seeking a
              new RPT. Given that some claims represented by a PCT are likely
              to contain identity information about a requesting party, a
              client supplying a PCT in its RPT request MUST make a best
              effort to ensure that the requesting party using the client now
              is the same as the requesting party that was associated with the
              PCT when it was issued. See <xref target="trust-push" /> and
              <xref target="rqp-privacy" /> for additional security and
              privacy considerations regarding persistence of claims. The
              client MAY use the PCT for the same requesting party when
              seeking an RPT for a resource different from the one sought when
              the PCT was issued, or a protected resource at a different
              resource server entirely. See <xref
              target="sec-consid-exposure" /> for additional PCT security
              considerations. See <xref target="give-rpt" /> for the form of
              the authorization server's response with a PCT.</t>

              <t hangText="rpt">OPTIONAL. Supplying an existing RPT (which MAY
              be expired) gives the authorization server the option of
              upgrading that RPT instead of issuing a new one (see <xref
              target="rpt-upgrading" /> for more about this option).</t>

              <t hangText="scope">OPTIONAL. A string of space-separated values
              representing requested scopes. For the authorization server to
              consider any requested scope in its assessment, the client MUST
              have been pre-registered for the same scope with the
              authorization server. The client should consult the resource
              server's API documentation for details about which scopes it can
              expect the resource server's initial returned permission ticket
              to represent as part of the authorization assessment (see <xref
              target="authorization-assessment" />).</t>
            </list></t>

          <figure>
            <preamble>Example of a request message with no optional parameters
            (line breaks are shown only for display convenience):</preamble>

            <artwork><![CDATA[POST /token HTTP/1.1
Host: as.example.com
Authorization: Basic jwfLG53^sad$#f
...
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
]]></artwork>
          </figure>

          <figure>
            <preamble>Example of a request message that includes an existing
            RPT for upgrading, a scope being sought that was previously
            registered with the authorization server, and a PCT and a claim
            token for consideration in the authorization process:</preamble>

            <artwork><![CDATA[POST /token HTTP/1.1
Host: as.example.com
Authorization: Basic jwfLG53^sad$#f
...
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&claim_token=eyj0...
&claim_token_format=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23IDToken
&pct=c2F2ZWRjb25zZW50
&rpt=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
&scope=read
]]></artwork>
          </figure>

          <t>This specification provides a means to define profiles of claim
          token formats for use with UMA (see <xref target="profiles" />). The
          authorization server SHOULD document the profiles it supports in its
          discovery document.</t>
        </section>

        <section anchor="claim-redirect"
                 title="Client Redirect of Requesting Party to Authorization Server for Interactive Claims-Gathering">
          <t>The client redirects an end-user requesting party to the
          authorization server's claims interaction endpoint for one or more
          interactive claims-gathering processes as the authorization server
          requires. These can include direct interactions, such as account
          registration and authentication local to the authorization server as
          an identity provider, filling out a questionnaire, or asking the
          user to authorize subsequent collection of claims by interaction or
          pushing, and persistent storage of such claims (for example, as
          associated with a PCT). Interactions could also involve further
          redirection, for example, for federated (such as social)
          authentication at a remote identity provider, and other federated
          claims gathering. See <xref target="trust-push" /> and <xref
          target="rqp-privacy" /> for security and privacy considerations
          regarding pushing and persistence of claims.</t>

          <t>The client might have initiated redirection immediately on
          receiving an initial permission ticket from the resource server, or,
          for example, in response to receiving a <spanx
          style="verb">redirect_user</spanx> hint in a <spanx
          style="verb">need_info</spanx> error (see <xref
          target="authorization-failure" />).</t>

          <t>In order for the client to redirect the requesting party
          immediately on receiving the initial permission ticket from the
          resource server, this process assumes that the authorization server
          has statically declared its claims interaction endpoint in its
          discovery document.</t>

          <t>The client constructs the request URI by adding the following
          parameters to the query component of the claims interaction endpoint
          URI using the <spanx
          style="verb">application/x-www-form-urlencoded</spanx> format:<list
              style="hanging">
              <t hangText="client_id">REQUIRED. The client's identifier issued
              by the authorization server.</t>

              <t hangText="ticket">REQUIRED. The most recent permission ticket
              received by the client as part of this authorization
              process.</t>

              <t hangText="claims_redirect_uri">REQUIRED if the client has
              pre-registered multiple claims redirection URIs or has
              pre-registered no claims redirection URI; OPTIONAL only if the
              client has pre-registered a single claims redirection URI. The
              URI to which the client wishes the authorization server to
              direct the requesting party's user agent after completing its
              interaction. The URI MUST be absolute, MAY contain an <spanx
              style="verb">application/x-www-form-urlencoded</spanx>-formatted
              query parameter component that MUST be retained when adding
              additional parameters, and MUST NOT contain a fragment
              component. The client SHOULD pre-register its <spanx
              style="verb">claims_redirect_uri</spanx> with the authorization
              server, and the authorization server SHOULD require all clients,
              and MUST require public clients, to pre-register their claims
              redirection endpoints (see <xref target="as-config" />). Claims
              redirection URIs are different from the redirection URIs defined
              in <xref target="RFC6749" /> in that they are intended for the
              exclusive use of requesting parties and not resource owners.
              Therefore, authorization servers MUST NOT redirect requesting
              parties to pre-registered redirection URIs defined in <xref
              target="RFC6749" /> unless such URIs are also pre-registered
              specifically as claims redirection URIs. If the URI is
              pre-registered, this URI MUST exactly match one of the
              pre-registered claims redirection URIs, with the matching
              performed as described in Section 6.2.1 of <xref
              target="RFC3986" /> (Simple String Comparison).</t>

              <t hangText="state">RECOMMENDED. An opaque value used by the
              client to maintain state between the request and callback. The
              authorization server includes this value when redirecting the
              user agent back to the client. The use of this parameter is for
              preventing cross-site request forgery (see <xref
              target="csrf" /> for further security information).</t>
            </list></t>

          <figure>
            <preamble>Example of a request issued by a client application
            (line breaks are shown only for display convenience):</preamble>

            <artwork><![CDATA[GET /rqp_claims?client_id=some_client_id
&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
&claims_redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fredirect_claims
&state=abc HTTP/1.1
Host: as.example.com
]]></artwork>
          </figure>
        </section>

        <section anchor="redirect-back"
                 title="Authorization Server Redirect of Requesting Party Back to Client After Interactive Claims-Gathering">
          <t>At the conclusion of a successful interaction with the requesting
          party, the authorization server returns the requesting party to the
          client, adding the following parameters to the query component of
          the claims redirection URI using the <spanx
          style="verb">application/x-www-form-urlencoded</spanx> format:<list
              style="hanging">
              <t hangText="ticket">REQUIRED. A permission ticket that allows
              the client to make further requests to the authorization server
              during this authorization process. The value MUST NOT be the
              same as the one the client used to make its request.</t>

              <t hangText="state">OPTIONAL. The same state value that the
              client provided in the request. It MUST be present if and only
              if the client provided it (see <xref target="csrf" /> for
              further security information).</t>
            </list></t>

          <t>Note: Interactive claims-gathering processes are outside the
          scope of this specification. The purpose of the interaction is for
          the authorization server to gather information for its own
          authorization assessment purposes. This redirection does not involve
          sending any of the information back to the client.</t>

          <t>The authorization server MAY use interactive claims-gathering to
          request authorization from the requesting party for persisting
          claims across authorization processes. Such persisted claims will be
          represented by a PCT issued to the client in a subsequent step.</t>

          <t>The client MUST ignore unrecognized response parameters. If the
          request fails due to a missing, invalid, or mismatching claims
          redirection URI, or if the client identifier is missing or invalid,
          the authorization server SHOULD inform the requesting party of the
          error and MUST NOT automatically redirect the user agent to the
          invalid redirection URI.</t>

          <t>If the request fails for reasons other than a missing or invalid
          claims redirection URI, the authorization server informs the client
          by adding an <spanx style="verb">error</spanx> parameter to the
          query component of the claims redirection URI as defined in Section
          4.1.2.1 of <xref target="RFC6749" />.</t>

          <figure>
            <preamble>Example of a response issued by an authorization server
            (line breaks are shown only for display convenience):</preamble>

            <artwork><![CDATA[HTTP/1.1 302 Found
Location: https://client.example.com/redirect_claims?
ticket=cHJpdmFjeSBpcyBjb250ZXh0LCBjb250cm9s&state=abc
]]></artwork>
          </figure>
        </section>

        <section anchor="authorization-assessment"
                 title="Authorization Assessment and Results Determination">
          <t>When the authorization server has received a request for an RPT
          from a client as defined in <xref target="uma-grant-type" />, it
          assesses whether the client is authorized to receive the requested
          RPT and determines the results.</t>

          <t>The authorization server MUST apply the following conceptual
          authorization assessment calculation in determining authorization
          results. Note: As this calculation is internal to authorization
          server operations, its particulars are outside the scope of this
          specification. <list style="numbers">
              <t>Assemble a set called <spanx>RegisteredScopes</spanx>
              containing the scopes for which the client is pre-registered
              (either dynamically or through some static process) at the
              authorization server. Assemble a set called
              <spanx>RequestedScopes</spanx> containing the scopes the client
              most recently requested at the token endpoint. The permission
              ticket that was presented by the client at the token endpoint
              represents some number of resources, each with some number of
              scopes; for each of those resources, assemble a set called
              <spanx>TicketScopes(resource)</spanx> containing the scopes
              associated with that resource.</t>

              <t>For each resource in the permission ticket, determine a final
              set of requested scopes as follows:
              <spanx>RequestedScopes(resource)={TicketScopes(resource) &#8746;
              {RegisteredScopes &#8745; RequestedScopes}}</spanx>. Treat each
              scope in <spanx>{RegisteredScopes &#8745;
              RequestedScopes}</spanx> as matching any available scope
              associated with a resource found in the permission ticket.</t>

              <t>For each <spanx>RequestedScopes(resource)</spanx> set,
              determine all operative policy conditions, and claims and other
              relevant information serving as input to them, and evaluate its
              authorization status.</t>

              <t>For each scope in <spanx>RequestedScopes(resource)</spanx>
              that passes the evaluation, add it to a set called
              <spanx>CandidateGrantedScopes(resource)</spanx>.</t>
            </list></t>

          <t>Note: Claims and other information gathered during one
          authorization process may become out of date in terms of their
          relevance for future authorization processes. The authorization
          server is responsible for managing such relevance wherever
          information associated with a PCT, or other persistently stored
          information, is used as input to authorization, including policy
          conditions themselves.</t>

          <t>Note: Since the authorization server's policy expression and
          evaluation capabilities are outside the scope of this specification,
          any one implementation might take a simple or arbitrarily complex
          form, with varying abilities to combine or perform calculations over
          claims and their values. For example, logical operations such as
          accepting "either claim value A or claim value B" as correct are
          possible to implement.</t>

          <t>In the authorization results phase, the authorization server
          examines each <spanx>CandidateGrantedScopes(resource)</spanx> set to
          determine whether to issue an RPT and what permissions should be
          associated with it. If all <spanx>RequestedScopes(resource)</spanx>
          sets can be granted, then the authorization server subsequently
          responds with a success code and issues an RPT containing
          <spanx>CandidateGrantedScopes</spanx> for each resource.</t>

          <t>Otherwise, the authorization server subsequently issues either an
          RPT containing <spanx>CandidateGrantedScopes</spanx> for each
          resource, or one of the error codes, as appropriate. The reason for
          the two options is that granting only partial scopes might not be
          useful for the client's and requesting party's purposes in seeking
          authorization for access. The choice of error depends on policy
          conditions and the authorization server's implementation choices.
          The conditions for the <spanx style="verb">need_info</spanx>, <spanx
          style="verb">request_denied</spanx>, and <spanx
          style="verb">request_submitted</spanx> error codes are dependent on
          authorization assessment and thus these codes might be more likely
          than the others to be issued subsequent to such a calculation.</t>

          <t>The following example illustrates authorization assessment and
          partial results. <list style="symbols">
              <t>The resource server has three of the resource owner's
              resources of interest to the client and requesting party, <spanx
              style="verb">photo1</spanx> and <spanx
              style="verb">photo2</spanx> with scopes <spanx
              style="verb">view</spanx>, <spanx style="verb">resize</spanx>,
              <spanx style="verb">print</spanx>, and <spanx
              style="verb">download</spanx>, and <spanx
              style="verb">album</spanx> with scopes <spanx
              style="verb">view</spanx>, <spanx style="verb">edit</spanx>, and
              <spanx style="verb">download</spanx>. It considers <spanx
              style="verb">photo1</spanx> and <spanx
              style="verb">photo2</spanx> to be logically "inside" <spanx
              style="verb">album</spanx>.</t>

              <t>Though the exact contents of RPTs, permissions, and
              permission requests are opaque to the client, the resource
              server has documented its API, available scopes, and permission
              requesting practices. For example, if the client requests an
              album resource, it expects that the resource server will request
              a permission for the album with a scope that approximates the
              attempted client operation, but will also request permissions
              for all the photos "inside" the album, with <spanx
              style="verb">view</spanx> scope only.</t>

              <t>The client has a pre-registered scope of <spanx
              style="verb">download</spanx> with the authorization server.
              This enables the client later to request this scope dynamically
              on behalf of its requesting party from the token endpoint. The
              authorization server assembles the set
              <spanx>RegisteredScopes</spanx> with contents of scope <spanx
              style="verb">download</spanx>.</t>

              <t>The client requests the album resource in an attempt to edit
              it, so the resource server obtains a permission ticket with
              three permissions in it: for <spanx style="verb">album</spanx>
              with a scope of <spanx style="verb">edit</spanx>, and for <spanx
              style="verb">photo1</spanx> and <spanx
              style="verb">photo2</spanx>, each with a scope of <spanx
              style="verb">view</spanx>. The authorization server assembles
              the following sets: <spanx>TicketScopes</spanx>(<spanx
              style="verb">album</spanx>) containing <spanx
              style="verb">edit</spanx>, <spanx>TicketScopes</spanx>(<spanx
              style="verb">photo1</spanx>) containing <spanx
              style="verb">view</spanx>, and
              <spanx>TicketScopes</spanx>(<spanx style="verb">photo2</spanx>)
              containing <spanx style="verb">view</spanx>.</t>

              <t>While asking for an RPT at the token endpoint, the client
              requests <spanx style="verb">download</spanx> scope on the
              requesting party's behalf. The authorization server determines
              the contents of the following sets:
              <spanx>RequestedScopes</spanx>(<spanx
              style="verb">album</spanx>) containing <spanx
              style="verb">edit</spanx> and <spanx
              style="verb">download</spanx>,
              <spanx>RequestedScopes</spanx>(<spanx
              style="verb">photo1</spanx>) containing <spanx
              style="verb">view</spanx> and <spanx
              style="verb">download</spanx>, and
              <spanx>RequestedScopes</spanx>(<spanx
              style="verb">photo2</spanx>) containing <spanx
              style="verb">view</spanx> and <spanx
              style="verb">download</spanx>.</t>

              <t>The resource owner has set policy conditions that allow
              access by this particular requesting party only to <spanx
              style="verb">photo1</spanx> and only for <spanx
              style="verb">view</spanx> scope.</t>

              <t>Based on the authorization server's authorization assessment
              calculation, it determines the contents of the following sets:
              <spanx>CandidateGrantedScopes</spanx>(<spanx
              style="verb">album</spanx>) containing no scopes,
              <spanx>CandidateGrantedScopes</spanx>(<spanx
              style="verb">photo1</spanx>) containing <spanx
              style="verb">view</spanx>, and
              <spanx>CandidateGrantedScopes</spanx>(<spanx
              style="verb">photo2</spanx>) containing no scopes. This adds up
              to less than in the corresponding <spanx>RequestedScopes</spanx>
              sets. The authorization server therefore has a choice whether to
              issue an RPT (in this case, containing a permission for <spanx
              style="verb">photo1</spanx> with <spanx
              style="verb">view</spanx> scope) or an error (say, <spanx
              style="verb">request_denied</spanx>, or <spanx
              style="verb">request_submitted</spanx> if has a way to notify
              the resource owner about the album editing resource request and
              seek an added policy covering it).</t>
            </list></t>

          <t>See <xref target="default-deny" /> for a discussion of
          authorization implementation threats.</t>
        </section>

        <section anchor="give-rpt"
                 title="Authorization Server Response to Client on Authorization Success">
          <t>If the authorization server's assessment process results in
          issuance of permissions, it issues the RPT with which it has
          associated the permissions by using the successful response form
          defined in Section 5.1 of <xref target="RFC6749" />.</t>

          <t>The authorization server MAY return a refresh token. See <xref
          target="refresh" /> for more information about refreshing an
          RPT.</t>

          <t>The authorization server MAY add the following parameters to its
          response:<list style="hanging">
              <t hangText="pct">OPTIONAL. A correlation handle representing
              claims and other information collected during this authorization
              process, which the client is able to present later in order to
              optimize future authorization processes on behalf of a
              requesting party. The PCT MUST be unguessable by an attacker.
              The PCT MUST NOT disclose claims from the requesting party
              directly to possessors of the PCT. Instead, such claims SHOULD
              be associated by reference to the PCT or expressed in an
              encrypted format that can be decrypted only by the authorization
              server that issued the PCT. See <xref target="claim-redirect" />
              for more information about the end-user requesting party
              interaction option. See <xref target="sec-consid-exposure" />
              for additional PCT security considerations.</t>

              <t hangText="upgraded">OPTIONAL. Boolean value. If the client
              submits an RPT in the request and the authorization server
              includes the permissions of the RPT from the request as part of
              the newly issued RPT, then it MUST set this value to <spanx
              style="verb">true</spanx>. If it sets the value to <spanx
              style="verb">false</spanx> or the value is absent, the client
              MUST act as if the newly issued RPT does not include the
              permissions associated with the RPT from the request. (See <xref
              target="rpt-upgrading" />.)</t>
            </list></t>

          <t>The authorization server MAY include any of the parameters
          defined in Section 5.1 of <xref target="RFC6749" /> on its response,
          except that it SHOULD NOT include the <spanx
          style="verb">scope</spanx> parameter. This is because for an RPT's
          permissions, each scope is associated with a specific resource, even
          though this association is opaque to the client. Note: The outcome
          of authorization assessment may result in expiration periods for
          RPTs, permissions, and refresh tokens that can affect the client's
          later requests for refreshing the RPT.</t>

          <figure>
            <preamble>Example:</preamble>

            <artwork><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json
... 

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer"
}
]]></artwork>
          </figure>

          <figure>
            <preamble>Example with a PCT in the response:</preamble>

            <artwork><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer",
   "pct":"c2F2ZWRjb25zZW50"
}
]]></artwork>
          </figure>

          <section anchor="rpt-upgrading"
                   title="Authorization Server Upgrades RPT">
            <t>The authorization server MAY implement RPT upgrading. The
            authorization server SHOULD document its practices regarding RPT
            upgrades and to act consistently with respect to RPT upgrades so
            as to enable clients to manage received RPTs efficiently.</t>

            <t>If the authorization server has implemented RPT upgrading, the
            client has submitted an RPT in its request, and the result is
            success, the authorization server adds the permissions from the
            client's previous RPT to the RPT it is about to issue, setting the
            value of <spanx style="verb">upgraded</spanx> in its response
            containing the upgraded RPT to <spanx
            style="verb">true</spanx>.</t>

            <t>If the authorization server is upgrading an RPT, and the RPT
            string is new rather than repeating the RPT provided by the client
            in the request, then the authorization server SHOULD revoke the
            existing RPT, if possible, and the client MUST discard its
            previous RPT. If the authorization server does not upgrade the RPT
            but issues a new RPT, the client MAY retain the existing RPT.</t>

            <figure>
              <preamble>Example with <spanx style="verb">upgraded</spanx> in
              the response:</preamble>

              <artwork><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json
...

{  
   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
   "token_type":"Bearer",
   "upgraded":true
}
]]></artwork>
            </figure>
          </section>
        </section>

        <section anchor="authorization-failure"
                 title="Authorization Server Response to Client on Authorization Failure">
          <t>If the client's request to the token endpoint results in failure,
          the authorization server responds with an error, as defined in
          Section 5.2 of <xref target="RFC6749" /> and as follows.<list
              style="hanging">
              <t hangText="invalid_grant">If the provided permission ticket
              was not found at the authorization server, or the provided
              permission ticket has expired, or any other original reasons to
              use this error code are found as defined in <xref
              target="RFC6749" />, the authorization server responds with the
              HTTP 400 (Bad Request) status code.</t>

              <t hangText="invalid_scope">At least one of the scopes included
              in the request does not match an available scope for any of the
              resources associated with requested permissions for the
              permission ticket provided by the client. The authorization
              server MAY also return this error when at least one of the
              scopes included in the request does not match a scope for which
              the client is pre-registered with the authorization server. The
              authorization server responds with the HTTP 400 (Bad Request)
              status code.</t>

              <t hangText="need_info">The authorization server needs
              additional information in order for a request to succeed, for
              example, a provided claim token was invalid or expired, or had
              an incorrect format, or additional claims are needed to complete
              the authorization assessment. The authorization server responds
              with the HTTP 403 (Forbidden) status code. It MUST include a
              <spanx style="verb">ticket</spanx> parameter, and it MUST also
              include either the <spanx style="verb">required_claims</spanx>
              parameter or the <spanx style="verb">redirect_user</spanx>
              parameter, or both, as hints about the information it
              needs.<list style="hanging">
                  <t hangText="ticket">REQUIRED. A permission ticket that
                  allows the client to make a further request to the
                  authorization server's token endpoint as part of this same
                  authorization process, potentially immediately. The value
                  MUST NOT be the same as the one the client used to make its
                  request.</t>

                  <t hangText="required_claims">An array of objects that
                  describe the required claims, with the following
                  subparameters:<list style="hanging">
                      <t hangText="claim_token_format">OPTIONAL. An array of
                      strings specifying a set of acceptable formats for a
                      claim token pushed by the client containing this claim,
                      as defined in <xref target="uma-grant-type" />. Any one
                      of the referenced formats would satisfy the
                      authorization server's requirements. Each string MAY be
                      a URI.</t>

                      <t hangText="claim_type">OPTIONAL. A string, indicating
                      the expected interpretation of the provided claim value.
                      The string MAY be a URI.</t>

                      <t hangText="friendly_name">OPTIONAL. A string that
                      provides a human-readable form of the claim's name. This
                      can be useful as a "display name" for use in user
                      interfaces in cases where the actual name is complex or
                      opaque, such as an OID or a UUID.</t>

                      <t hangText="issuer">OPTIONAL. An array of strings
                      specifying a set of acceptable issuing authorities for
                      the claim. Any one of the referenced authorities would
                      satisfy the authorization server's requirements. Each
                      string MAY be a URI.</t>

                      <t hangText="name">OPTIONAL. A string (which MAY be a
                      URI) representing the name of the claim; the "key" in a
                      key-value pair.</t>
                    </list></t>

                  <t hangText="redirect_user">The claims interaction endpoint
                  URI to which to redirect the end-user requesting party at
                  the authorization server to continue the process of
                  interactive claims gathering, as defined in <xref
                  target="claim-redirect" />. For example, the authorization
                  server could require the requesting party to log in to an
                  account, or fill out a CAPTCHA to help prove humanness, or
                  perform any number of other interactive tasks. If the
                  requesting party is not an end-user, then no client action
                  is possible on receiving the hint. If a static claims
                  interaction endpoint was also provided in the authorization
                  server's discovery document, then this value overrides the
                  static value. Providing a value in this response might be
                  appropriate, for example, if the URI needs to be customized
                  per requesting party with a query parameter.</t>
                </list></t>

              <t hangText="request_denied">The client is not authorized to
              have these permissions. The authorization server responds with
              the HTTP 403 (Forbidden) status code.</t>

              <t hangText="request_submitted">The authorization server
              requires intervention by the resource owner to determine whether
              the client is authorized to have these permissions. The
              authorization server responds with the HTTP 403 (Forbidden)
              status code. It MUST include a <spanx
              style="verb">ticket</spanx> parameter and MAY include an <spanx
              style="verb">interval</spanx> parameter.<list style="hanging">
                  <t hangText="ticket">REQUIRED. A permission ticket that
                  allows the client to make one or more later polling requests
                  to the token endpoint as part of this same authorization
                  process, when the resource owner might have completed some
                  approval (or denial) action. The value MUST NOT be the same
                  as the one the client used to make its request.</t>

                  <t hangText="interval">OPTIONAL. The minimum amount of time
                  in seconds that the client SHOULD wait between polling
                  requests to the token endpoint. See <xref
                  target="ticket-management" /> for security considerations in
                  scenarios involving polling and consequences for permission
                  ticket lifetimes.</t>
                </list></t>
            </list></t>

          <figure>
            <preamble>Example when the permission ticket was not found or has
            expired:</preamble>

            <artwork><![CDATA[HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"invalid_grant"
}
]]></artwork>
          </figure>

          <figure>
            <preamble>Example of a <spanx style="verb">need_info</spanx>
            response with hints about required claims:</preamble>

            <artwork><![CDATA[HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"need_info",
   "ticket":"ZXJyb3JfZGV0YWlscw==",
   "required_claims":[  
      {  
         "claim_token_format":[  
            "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
         ],
         "claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
         "friendly_name":"email",
         "issuer":[  
            "https://example.com/idp"
         ],
         "name":"email23423453ou453"
      }
   ]
}
]]></artwork>
          </figure>

          <figure>
            <preamble>Example of a <spanx style="verb">need_info</spanx>
            response with a hint to redirect the requesting party to a claims
            interaction endpoint:</preamble>

            <artwork><![CDATA[HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"need_info",
   "ticket":"ZXJyb3JfZGV0YWlscw==",
   "redirect_user":"https://as.example.com/rqp_claims?id=2346576421"
}
]]></artwork>
          </figure>

          <figure>
            <preamble>Example when the client was not authorized to have the
            permissions:</preamble>

            <artwork><![CDATA[HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"request_denied"
}
]]></artwork>
          </figure>

          <figure>
            <preamble>Example when the authorization server requires resource
            owner intervention, including the optional <spanx
            style="verb">interval</spanx> parameter:</preamble>

            <artwork><![CDATA[HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store
...

{  
   "error":"request_submitted",
   "ticket?:?ZXJyb3JfZGV0YWlscw==",
   "interval": 5
}
]]></artwork>
          </figure>
        </section>
      </section>

      <section anchor="client-rpt-attempt"
               title="Client Requests Resource and Provides an RPT">
        <t>The client requests the resource, now in possession of an RPT. The
        client uses <xref target="RFC6750" /> for a bearer token, and any
        other suitable presentation mechanism for an RPT of another access
        token type.</t>

        <figure>
          <preamble>Example of a client request for the resource carrying an
          RPT:</preamble>

          <artwork><![CDATA[GET /users/alice/album/photo.jpg HTTP/1.1
Authorization: Bearer sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
Host: photoz.example.com
...
]]></artwork>
        </figure>
      </section>

      <section anchor="rs-rpt-response"
               title="Resource Server Responds to Client's RPT-Accompanied Resource Request">
        <t>The resource server responds to the client's RPT-accompanied
        resource request.</t>

        <t>If the resource request fails, the resource server responds as if
        the request were unaccompanied by an access token, as defined in <xref
        target="rs-tokenless-response" />.</t>

        <t>The resource server MUST NOT give access in the case of an invalid
        RPT or an RPT associated with insufficient authorization.</t>

        <t>For an example of how the resource server can introspect the RPT
        and its permissions at the authorization server prior to responding to
        the client's request, see <xref target="UMAFedAuthz" />.</t>
      </section>

      <section anchor="refresh" title="Authorization Server Refreshes RPT">
        <t>As noted in <xref target="give-rpt" />, when issuing an RPT, the
        authorization server MAY also issue a refresh token.</t>

        <t>Having previously received a refresh token from the authorization
        server, the client MAY use the refresh token grant as defined in <xref
        target="RFC6749" /> to attempt to refresh an expired RPT. If the
        client includes the <spanx style="verb">scope</spanx> parameter in its
        request, the authorization server MAY limit the scopes in the
        permissions associated with any resulting refreshed RPT to the scopes
        requested by the client.</t>

        <t>The authorization server MUST NOT perform an authorization
        assessment calculation on receiving the client's request to refresh an
        RPT.</t>
      </section>

      <section anchor="token-revocation"
               title="Client Requests Token Revocation">
        <t>If the authorization server presents a token revocation endpoint as
        defined in <xref target="RFC7009" />, the client MAY use the endpoint
        to request revocation of an RPT (access token), refresh token, or PCT
        previously issued to it on behalf of a requesting party. This
        specification defines the following token type hint value:<list
            style="hanging">
            <t hangText="pct">Helps the authorization server optimize lookup
            of a PCT for revocation.</t>
          </list></t>
      </section>
    </section>

    <section anchor="profiles" title="Profiles and Extensions">
      <t>An UMA profile restricts UMA's available options. An UMA extension
      defines how to use UMA's extensibility points. The two can be combined.
      Some reasons for creating profiles and extensions include:<list
          style="symbols">
          <t>A profile restricting options in order to tighten security</t>

          <t>A profile/extension restricting options and adding messaging
          parameters for use with a specific industry API</t>

          <t>A profile that documents a specific URI, format, and
          interpretation for pushed claim tokens (see <xref
          target="uma-grant-type" />)</t>

          <t>An extension that defines additional metadata for the
          authorization server discovery document to define machine-readable
          usage details</t>
        </list></t>

      <t>The following actions are RECOMMENDED regarding the creation and use
      of profiles and extensions:<list style="symbols">
          <t>The creator of a profile or extension related to UMA SHOULD
          assign it a uniquely identifying URI.</t>

          <t>The authorization server supporting a profile or extension
          related to UMA with such a URI SHOULD supply the identifying URI in
          its <spanx style="verb">uma_profiles_supported</spanx> metadata (see
          <xref target="as-config" />).</t>
        </list></t>
    </section>

    <section anchor="sec-consid" title="Security Considerations">
      <t>This specification relies mainly on OAuth 2.0 security mechanisms as
      well as transport-level security. Thus, implementers are strongly
      advised to read <xref target="BCP195" /> and the security considerations
      in <xref target="RFC6749" /> (Section 10) and <xref target="RFC6750" />
      (Section 5) along with the security considerations of any other OAuth
      token-defining specifications in use, along with the entire <xref
      target="RFC6819" /> specification, and apply the countermeasures
      described therein. As well, implementers should take into account the
      security considerations in all other normatively referenced
      specifications.</t>

      <t>The following sections describe additional security
      considerations.</t>

      <section anchor="csrf" title="Cross-Site Request Forgery">
        <t>Redirection used for gathering claims interactively from an
        end-user requesting party (described in <xref
        target="claim-redirect" />) creates the potential for cross-site
        request forgery (CSRF). This may be the result of an open redirect if
        the authorization server does not force the client to pre-register its
        claims redirection endpoint, and server-side artifact tampering if the
        client does not avail itself of the <spanx style="verb">state</spanx>
        parameter.</t>

        <t>A CSRF attack against the authorization server's claims interaction
        endpoint can result in an attacker obtaining authorization for access
        through a malicious client without involving or alerting the end-user
        requesting party. The authorization server MUST implement CSRF
        protection for its claims interaction endpoint and ensure that a
        malicious client cannot obtain authorization without the awareness and
        involvement of the requesting party.</t>

        <t>If the client uses the interactive claims gathering feature, it
        MUST implement CSRF protection for its claims redirection URI. It
        SHOULD use the <spanx style="verb">state</spanx> parameter when
        redirecting the requesting party to the claims interaction endpoint.
        The value of the <spanx style="verb">state</spanx> parameter MUST be
        unguessable by an attacker. Once the authorization server redirects
        the requesting party back, with the required binding value contained
        in the <spanx style="verb">state</spanx> parameter, the client MUST
        check that the value of the <spanx style="verb">state</spanx>
        parameter received is equal to the value sent in the initial
        redirection request. Depending on the type of application, a client
        has several methods for storing and later verifying the value of the
        <spanx style="verb">state</spanx> parameter in between the initial
        redirect and the eventual resulting request to the claims redirection
        URI, including storage in a server-side session-bound variable,
        cryptographic derivation from a browser cookie, or secure
        application-level storage. The client MUST treat requests containing
        an invalid or unknown <spanx style="verb">state</spanx> parameter
        value as an error.</t>

        <t>The <spanx style="verb">state</spanx> parameter SHOULD NOT include
        sensitive client or requesting party information in plain text, as it
        is transmitted through third-party components (the requesting party's
        user agent) and could be stored insecurely.</t>
      </section>

      <section anchor="sec-consid-exposure" title="RPT and PCT Exposure">
        <t>When a client redirects an end-user requesting party to the claims
        interaction endpoint, the client provides no a priori context to the
        authorization server about which user is appearing at the endpoint,
        other than implicitly through the permission ticket. Thus, a malicious
        client has the opportunity to switch end-users -- say, enabling
        malicious end-user Carlos to impersonate legitimate end-user Bob, who
        might be represented by a PCT already in that client's possession and
        might even have authorized the issuance of that PCT -- after the
        redirect completes and before it returns to the token endpoint to seek
        permissions.</t>

        <t>To mitigate this threat, the authorization server, with the support
        of the resource owner, should consider the following strategies in
        combination.<list style="symbols">
            <t>Require that the requesting party legitimately represent the
            wielder of the RPT on a legal or contractual level. This solution
            alone does not reduce the risk from a technical perspective.</t>

            <t>Gather claims interactively from an end-user requesting party
            that demonstrate that some sufficiently strong level of
            authentication was performed.</t>

            <t>Require claims to have a high degree of freshness in order for
            them to satify policy conditions.</t>

            <t>Tighten time-to-live strategies around RPTs and their
            associated permissions (see <xref target="ttl" />).</t>
          </list></t>

        <t>The client MUST only share the RPT (access token) with the resource
        server and authorization server, as explained in Section 10.3 of <xref
        target="RFC6749" />, and thus MUST keep it confidential from the
        requesting party. Because a malicious requesting party (the user of
        the client in the UMA grant) may have incentives to steal an RPT that
        the resource owner (the user of the client in other OAuth grants) does
        not, this security consideration takes on especial importance.</t>

        <t>The PCT is similar to a refresh token in that it allows
        non-interactive issuance of access tokens. The authorization server
        and client MUST keep the PCT confidential in transit and storage, and
        MUST NOT share the PCT with any entity other than each other. The
        authorization server MUST maintain the binding between the PCT and the
        client to which it was issued.</t>

        <t>Given that the PCT represents a set of requesting party claims, a
        client supplying a PCT in its RPT request MUST make a best effort to
        ensure that the requesting party using the client now is the same as
        the requesting party that was associated with the PCT when it was
        issued. Different clients will have different capabilities in this
        respect; for example, some applications are single-user and perform no
        local authentication, associating all PCTs with the "current user",
        while others might have more sophisticated authentication and user
        mapping capabilities.</t>

        <t>If the authorization server has reason to believe that a PCT is
        compromised, for example, if the PCT has been supplied by a client
        that has "impossible geography" parameters, the authorization server
        should consider not using the claims based on that PCT in its
        authorization assessment.</t>
      </section>

      <section anchor="pop"
               title="Strengthening RPT Protection Using Proof of Possession">
        <t>After the client's resource request with an RPT, assuming the
        client sent an RPT of the bearer style such as defined in <xref
        target="RFC6750" />, the resource server will have received from the
        client the entire secret portion of the token. This specification
        assumes only bearer-type tokens because they are the only type
        standardized as of this specification's publication. However, to
        strengthen protection for RPTs using a proof-of-possession approach,
        the resource server could receive an RPT that consists of only a
        cryptographically signed token identifier, and then to validate the
        signature, it could, for example, submit the token identifier to the
        token introspection endpoint to obtain the necessary key information.
        The details of this usage are outside the scope of this
        specification.</t>
      </section>

      <section anchor="cred-guessing" title="Credentials-Guessing">
        <t>Permission tickets and PCTs are additional credentials that the
        authorization server MUST prevent attackers from guessing, as defined
        in Section 10.10 of <xref target="RFC6749" />.</t>
      </section>

      <section anchor="ticket-management" title="Permission Ticket Management">
        <t>Within the constraints of making permission ticket values
        unguessable, the authorization server MAY format the permission ticket
        however it chooses, for example, either as a random string that
        references data held on the server or by including data within the
        ticket itself.</t>

        <t>Permission tickets MUST be single-use. This prevents susceptibility
        to a session fixation attack.</t>

        <t>The authorization server MUST invalidate a permission ticket when
        the client presents the permission ticket to either the token endpoint
        or the claims interaction endpoint, or when the permission ticket
        expires, whichever occurs first.</t>

        <t>The client SHOULD check that the value of the <spanx
        style="verb">ticket</spanx> parameter it receives back from the
        authorization server in each response and each redirect of the
        requesting party back to it differs from the one it sent to the server
        in the initial request or redirect.</t>

        <t>If the authorization server has reason to believe that a permission
        ticket is compromised, for example, because it has seen the permission
        ticket before and it believes the first appearance was from a
        legitimate client and the second appearance is from an attacker, it
        should consider invalidating any access tokens based on this
        evidence.</t>

        <t>Given that scenarios involving the <spanx
        style="verb">request_submitted</spanx> error code are likely to
        involve polling intervals, the permission ticket needs to last long
        enough to give the client a chance to attempt a polling request, which
        then needs to figure into other permission ticket security
        considerations.</t>
      </section>

      <section anchor="default-deny"
               title="Naive Implementations of Default-Deny Authorization">
        <t>While a reasonable approach for most scenarios is to implement the
        classic stance of default-deny ("everything that is not expressly
        allowed is forbidden"), corner cases can inadvertently result in
        default-permit behavior. For example, it is insufficient to create
        default "empty" policy conditions stating "no claims are needed", and
        then accept an empty set of supplied claims as sufficient for access
        during authorization assessment.</t>
      </section>

      <section anchor="trust-push"
               title="Requirements for Pre-Established Trust Regarding Claim Tokens">
        <t>When a client makes an RPT request, it has the opportunity to push
        a claim token to attempt to satisfy policy conditions (see <xref
        target="uma-grant-type" />).</t>

        <t>Claim tokens of any format typically contain audience restrictions,
        and an authorization server would not typically be in the primary
        audience for a claim token held or generated by a client. It is
        RECOMMENDED to document how the client, authorization server,
        requesting party, and any additional ecosystem entities and parties
        will establish a trust relationship and communicate any required
        keying material in a claim token profile, as described in <xref
        target="profiles" />. Authorization servers are RECOMMENDED not to
        accept claim tokens pushed by untrusted clients and not to ignore
        audience restrictions found in claim tokens pushed by clients.</t>

        <t>A malicious client could push a claim token to the authorization
        server (revealing the claims therein; see <xref
        target="rqp-privacy" />) to seek resource access on its own behalf
        prior to any opportunity for an end-user requesting party to authorize
        claims collection. It is RECOMMENDED either for trust relationships
        established by the ecosystem parties to include prior requesting party
        authorization as required, or for end-user requesting party
        authorization to be gathered interactively prior to claims pushing, as
        described in <xref target="claim-redirect" />.</t>

        <t>Some deployments could have exceptional circumstances allowing the
        authorization server to validate claim tokens. For example, if the
        authorization server itself is also the identity provider for the
        requesting party, then it would be able to validate any ID token that
        the client pushes as a claim token and also validate the client to
        which it was issued.</t>
      </section>

      <section anchor="trust-considerations"
               title="Profiles and Trust Establishment">
        <t>Parties that are operating and using UMA software entities may need
        to establish agreements about the parties' rights and responsibilities
        on a legal or contractual level, along with common interpretations of
        UMA constructs for consistent and expected software behavior. These
        agreements can be used to improve the parties' respective security
        postures. Written profiles are a key mechanism for conveying and
        enforcing these agreements. <xref target="profiles" /> discusses
        profiling. See <xref target="UMA-legal" /> to learn about frameworks
        and tools to assist in the legal and contractual elements of deploying
        UMA-enabled services.</t>
      </section>
    </section>

    <section anchor="priv-consid" title="Privacy Considerations">
      <t>UMA has the following privacy considerations.</t>

      <section anchor="ttl"
               title="Policy Condition Setting, Time-to-Live Management, and Removal of Authorization Grants">
        <t>The setting of policy conditions, the resource owner-authorization
        server interface, and the resource owner-resource server interface are
        outside the scope of this specification. (For an example of how a
        secure and authorized resource owner context can be established
        between the resource server and authorization server, see <xref
        target="UMAFedAuthz" />.)</t>

        <t>A variety of flows and user interfaces for policy condition setting
        involving user agents for both of these servers are possible, each
        with different privacy consequences for end-user resource owners. As
        well, various authorization, security, and time-to-live strategies
        could be applied on a per-resource owner basis or a per-authorization
        server basis, as the entities see fit. Validity periods of RPTs,
        refresh tokens, permissions, caching periods for responses, and even
        OAuth client credentials are all subject to management. Different
        time-to-live strategies might be suitable for different resources and
        scopes.</t>

        <t>In order to account for modifications of policy conditions that
        result in the withdrawal of authorization grants (for example, fewer
        scopes, fewer resources, or resources available for a shorter time) in
        as timely a fashion as possible, the authorization server should align
        its strategies for management of these factors with resource owner
        needs and actions rather than those of clients and requesting parties.
        For example, the authorization server may want to invalidate a
        client's RPT and refresh token as soon as a resource owner changes
        policy conditions in such a way as to deny the client and its
        requesting party future access to a full set of previously held
        permissions.</t>
      </section>

      <section anchor="rqp-privacy"
               title="Requesting Party Information at the Authorization Server">
        <t>Claims are likely to contain personal, personally identifiable, and
        sensitive information, particularly in the case of requesting parties
        who are end-users.</t>

        <t>If the authorization server supports persisting claims for any
        length of time (for example, to support issuance of PCTs), then it
        SHOULD provide a secure and privacy-protected means of storing claim
        data. It is also RECOMMENDED for the authorization server to use an
        interactive claims-gathering flow to ask an end-user requesting party
        for authorization to collect any claims subsequently and to persist
        their claims (for example, before issuing a PCT), if no prior
        requesting party authorization has been established among the
        ecosystem parties (see <xref target="trust-push" />).</t>
      </section>

      <section title="Resource Owner Information at the Resource Server">
        <t>Since the client's initial request for a protected resource is made
        in an unauthorized and unauthenticated context, such requests are by
        definition open to all users. The response to that request includes
        the authorization server's location to enable the client to request an
        access token and present claims. If it is known out of band that
        authorization server is owned and controlled by a single user, or
        visiting the authorization server contains other identifying
        information, then an unauthenticated and unauthorized client would be
        able to tell which resource owner is associated with a given resource.
        Other information about the resource owner, such as organizational
        affiliation or group membership, may be gained from this transaction
        as well.</t>
      </section>

      <section title="Profiles and Trust Establishment">
        <t>Parties that are operating and using UMA software entities may need
        to establish agreements about mutual rights, responsibilities, and
        common interpretations of UMA constructs for consistent and expected
        software behavior. These agreements can be used to improve the
        parties' respective privacy postures. See <xref
        target="trust-considerations" /> for more information. Additional
        considerations related to Privacy by Design concepts are discussed in
        <xref target="UMA-PbD" />.</t>
      </section>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>This document makes the following requests of IANA.</t>

      <section title="Well-Known URI Registration">
        <t>This specification registers the well-known URI defined in <xref
        target="as-config" />, as required by Section 5.1 of <xref
        target="RFC5785" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>URI suffix: <spanx
              style="verb">uma2-configuration</spanx></t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="as-config" /> in this
              document</t>
            </list>
          </t>
        </section>
      </section>

      <section title="OAuth 2.0 Authorization Server Metadata Registry">
        <t>This specification registers OAuth 2.0 authorization server
        metadata defined in <xref target="as-config" />, as required by
        Section 7.1 of <xref target="OAuthMeta" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>Metadata name: <spanx
              style="verb">claims_interaction_endpoint</spanx></t>

              <t>Metadata description: endpoint metadata</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="as-config" /> in this
              document</t>
            </list>

            <list style="symbols">
              <t>Metadata name: <spanx
              style="verb">uma_profiles_supported</spanx></t>

              <t>Metadata description: profile/extension feature metadata</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="as-config" /> in this
              document</t>
            </list>
          </t>
        </section>
      </section>

      <section title="OAuth 2.0 Dynamic Client Registration Metadata Registry">
        <t>This specification registers OAuth 2.0 dynamic client registration
        metadata defined in <xref target="as-config" />, as required by
        Section 4.1 of <xref target="RFC7591" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>Metadata name: <spanx
              style="verb">claims_redirect_uris</spanx></t>

              <t>Metadata description: claims redirection endpoints</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="as-config" /> in this
              document</t>
            </list>
          </t>
        </section>
      </section>

      <section title="OAuth 2.0 Extension Grant Parameters Registration">
        <t>This specification registers the parameters defined in <xref
        target="uma-grant-type" />, as required by Section 11.2 of <xref
        target="RFC6749" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>Parameter name: <spanx style="verb">claim_token</spanx></t>

              <t>Parameter usage location: client request, token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="uma-grant-type" /> in
              this document</t>
            </list>
          </t>

          <t>
            <list style="symbols">
              <t>Parameter name: <spanx style="verb">pct</spanx></t>

              <t>Parameter usage location: client request, token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="uma-grant-type" /> in
              this document</t>
            </list>

            <list style="symbols">
              <t>Parameter name: <spanx style="verb">pct</spanx></t>

              <t>Parameter usage location: authorization server response,
              token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="give-rpt" /> in this
              document</t>
            </list>

            <list style="symbols">
              <t>Parameter name: <spanx style="verb">rpt</spanx></t>

              <t>Parameter usage location: client request, token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="uma-grant-type" /> in
              this document</t>
            </list>

            <list style="symbols">
              <t>Parameter name: <spanx style="verb">ticket</spanx></t>

              <t>Parameter usage location: client request, token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="uma-grant-type" /> in
              this document</t>
            </list>
          </t>

          <t>
            <list style="symbols">
              <t>Parameter name: <spanx style="verb">upgraded</spanx></t>

              <t>Parameter usage location: authorization server response,
              token endpoint</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="give-rpt" /> in this
              document</t>
            </list>
          </t>
        </section>
      </section>

      <section title="OAuth 2.0 Extensions Error Registration">
        <t>This specification registers the errors defined in <xref
        target="authorization-failure" />, as required by Section 11.4 of
        <xref target="RFC6749" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>Error name: <spanx style="verb">need_info</spanx> (and its
              subsidiary parameters)</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref
              target="authorization-failure" /> in this document</t>

              <t>Error usage location: authorization server response, token
              endpoint</t>
            </list>

            <list style="symbols">
              <t>Error name: <spanx style="verb">request_denied</spanx></t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref
              target="authorization-failure" /> in this document</t>

              <t>Error usage location: authorization server response, token
              endpoint</t>
            </list>

            <list style="symbols">
              <t>Error name: <spanx style="verb">request_submitted</spanx>
              (and its subsidiary parameters)</t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref
              target="authorization-failure" /> in this document</t>

              <t>Error usage location: authorization server response, token
              endpoint</t>
            </list>
          </t>
        </section>
      </section>

      <section title="OAuth Token Type Hints Registration">
        <t>This specification registers the errors defined in <xref
        target="token-revocation" />, as required by Section 4.1.2 of <xref
        target="RFC7009" />.</t>

        <section title="Registry Contents">
          <t>
            <list style="symbols">
              <t>Hint value: <spanx style="verb">pct</spanx></t>

              <t>Change controller: Kantara Initiative User-Managed Access
              Work Group - staff@kantarainitiative.org</t>

              <t>Specification document: <xref target="token-revocation" /> in
              this document</t>
            </list>
          </t>
        </section>
      </section>
    </section>

    <section anchor="Acknowledgments" title="Acknowledgments">
      <t>The following people made significant text contributions to the
      specification:<list style="symbols">
          <t>Paul C. Bryan, ForgeRock US, Inc. (former editor)</t>

          <t>Domenico Catalano, Oracle (former author)</t>

          <t>Mark Dobrinic, Cozmanova</t>

          <t>George Fletcher, AOL</t>

          <t>Thomas Hardjono, MIT (former editor)</t>

          <t>Andrew Hindle, Hindle Consulting Limited</t>

          <t>Lukasz Moren, Cloud Identity Ltd</t>

          <t>James Phillpotts, ForgeRock</t>

          <t>Christian Scholz, COMlounge GmbH (former editor)</t>

          <t>Mike Schwartz, Gluu</t>

          <t>Cigdem Sengul, Nominet UK</t>

          <t>Jacek Szpot, Newcastle University</t>
        </list></t>

      <t>Additional contributors to this specification include the Kantara UMA
      Work Group participants, a list of whom can be found at <xref
      target="UMAnitarians" />.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <reference anchor="BCP195" target="https://tools.ietf.org/html/bcp195">
        <front>
          <title>Recommendations for Secure Use of Transport Layer Security
          (TLS) and Datagram Transport Layer Security (DTLS)</title>

          <author initials="Y." surname="Sheffer">
            <organization />
          </author>

          <date day="" month="May" year="2015" />
        </front>
      </reference>

      <reference anchor="OIDCCore"
                 target="http://openid.net/specs/openid-connect-core-1_0.html">
        <front>
          <title>OpenID Connect Core 1.0 incorporating errata set 1</title>

          <author initials="N." surname="Sakimura">
            <organization />
          </author>

          <date day="8" month="November" year="2014" />
        </front>
      </reference>

      <reference anchor="OIDCDynClientReg"
                 target="http://openid.net/specs/openid-connect-registration-1_0.html">
        <front>
          <title>OpenID Connect Dynamic Client Registration 1.0 incorporating
          errata set 1</title>

          <author initials="N." surname="Sakimura">
            <organization>OpenID Foundation</organization>
          </author>

          <date day="8" month="November" year="2014" />
        </front>
      </reference>

      <reference anchor="UMAFedAuthz"
                 target="https://docs.kantarainitiative.org/uma/rec-oauth-uma-federated-authz-2.0.html">
        <front>
          <title>Federated Authorization for User-Managed Access (UMA)
          2.0</title>

          <author initials="E." surname="Maler">
            <organization>ForgeRock</organization>
          </author>

          <date day="7" month="January" year="2018" />
        </front>
      </reference>

      <reference anchor="OAuthMeta"
                 target="https://tools.ietf.org/html/draft-ietf-oauth-discovery-08">
        <front>
          <title>OAuth 2.0 Authorization Server Metadata</title>

          <author initials="M." surname="Jones">
            <organization>ForgeRock</organization>
          </author>

          <date day="16" month="November" year="2017" />
        </front>
      </reference>

      &RFC2119;

      &RFC3986;

      &RFC5785;

      <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6415"?>

      <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6711"?>

      &RFC6749;

      &RFC6750;

      &RFC6819;

      &RFC7159;

      <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7519"?>

      &RFC7591;

      &RFC7009;
    </references>

    <references title="Informative References">
      <reference anchor="UMA-PbD"
                 target="https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA">
        <front>
          <title>Privacy by Design Implications of UMA</title>

          <author initials="E." surname="Maler" />

          <date day="" month="" year="2018" />
        </front>
      </reference>

      <reference anchor="UMAnitarians"
                 target="https://kantarainitiative.org/confluence/display/uma/Participant+Roster">
        <front>
          <title>UMA Participant Roster</title>

          <author initials="E." surname="Maler">
            <organization>Maler</organization>
          </author>

          <date day="" month="" year="2017" />
        </front>
      </reference>

      <reference anchor="UMA-legal"
                 target="http://kantarainitiative.org/confluence/display/uma/UMA+Legal">
        <front>
          <title>UMA Legal</title>

          <author initials="E." surname="Maler">
            <organization>Maler</organization>
          </author>

          <date day="" month="" year="2017" />
        </front>
      </reference>
    </references>
  </back>
</rfc>