On 2017-11-05 18:37, Cigdem Sengul wrote:
In the case of the rogue requestor being the client, it does not have
visibility into what is included in the permission ticket (the ticket is a
reference returned by the RS to be presented at the AS). It may DoS the RS with
requests, for which the RS may implement a solution like rate limiting (not
described in UMA).
The AS API for the RS is protected via an OAuth2 token (PAT), which the RS must
present for permission registration (as well as for other functions).
This PAT allows the AS to map the RS's request to a particular RO. The RS can only
ask for permissions for the resources and scopes it already registered
with the AS.
Hope I was able to clarify.
Thanks,
—Cigdem
Just for even more clarity: what you (or is it UMA?) call a ticket is
equivalent to the OAuth access tokens?
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace
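An added illustration of the flow Cigdem describes (not code from the thread or from any UMA implementation): the RS authenticates to the AS with its PAT, may only register permissions for resources and scopes it previously registered, and receives an opaque ticket that the client later trades at the AS for an RPT. The `PATS` and `REGISTERED` tables, the `AuthorizationServer` class and the `policy` callback are constructed assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample AS state (assumption, not from the thread):
# PATs issued to resource servers, each bound to one resource owner (RO),
# and the resources/scopes each RS has already registered with the AS.
PATS = {"pat-rs1": {"rs": "rs1", "ro": "alice"}}
REGISTERED = {"rs1": {"photos": {"view", "edit"}}}


@dataclass
class AuthorizationServer:
    # ticket value -> the permission request it refers to; the client only
    # ever sees the opaque key, never this record
    tickets: dict = field(default_factory=dict)

    def register_permission(self, pat, resource_id, scopes):
        """Permission endpoint: RS authenticates with its PAT, AS returns a ticket."""
        creds = PATS.get(pat)
        if creds is None:
            raise PermissionError("invalid PAT")
        # PAT -> RS -> RO mapping; the RS may only request what it registered
        allowed = REGISTERED.get(creds["rs"], {}).get(resource_id)
        if allowed is None or not set(scopes) <= allowed:
            raise PermissionError("resource or scopes not registered by this RS")
        ticket = secrets.token_urlsafe(16)  # random reference, carries no data
        self.tickets[ticket] = {"ro": creds["ro"], "resource": resource_id,
                                "scopes": set(scopes)}
        return ticket

    def redeem_ticket(self, ticket, policy):
        """Token endpoint: client trades the ticket for an RPT if RO policy allows."""
        req = self.tickets.pop(ticket, None)  # single use: a replayed ticket fails
        if req is None:
            raise PermissionError("unknown or already used ticket")
        granted = {s for s in req["scopes"] if policy(req["ro"], req["resource"], s)}
        if not granted:
            raise PermissionError("RO policy denies all requested scopes")
        return {"rpt": secrets.token_urlsafe(16), "scopes": granted}
```

The ticket is thus not an access token: it is only a handle to a permission request stored at the AS, and the RPT issued by `redeem_ticket` is the token the client presents to the RS.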