By: Reinier Vos user 23 Aug 2018 at 4:42 a.m. CDT

In the Authorization Policy you can define the required claims in an UMA RPT Policy script. Here I define e.g. 'mail' to be required in the claims. This all works well with both claim pushing and claim gathering. However, I'm a bit lost how to achieve user managed/configurable policies. At this point it seems a user can only configure scopes. Since these scopes don't contain parameters, a policy (bound to the scope) is more or less static. In my case, in the UMA RPT Policy script I can either:
- check for the existence of 'mail' and allow access
- hardcode a specific 'mail' value.
Of course, I can make some kind of database/webservice call to retrieve specific 'mail' values that are allowed (which would be set by the Resource Owner), but this seems a bit clumsy to me (the application responsible for configuring needs to know available LDAP attributes). Is/will it be possible for a 'Resource Owner' to configure/grant access based on specific LDAP attributes a 'Requesting Party' needs?

By Michael Schwartz Account Admin 28 Aug 2018 at 3:34 p.m. CDT

Remember, the UMA RPT policy is just step one--it is the policy that controls the **back-channel** decision to grant access. If you want to interact with the user, the UMA client needs to redirect the user (Rqp) to the UMA claims gathering endpoint, where the AS can display pages (for example, a page that says "Please wait for the RO to approve the release of this information"). How you would notify the RO, how the RO would approve, and how you would notify the UMA client to re-check for access, is all out of scope of UMA. UMA does not define how you express or implement policy. I'm closing this ticket, because it's not appropriate to assign design questions to Gluu Support staff. But feel free to continue to comment on it.
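The data-driven policy the question describes, and the split the reply makes between the back-channel decision and claims gathering, as an added example that is not part of either post and not Gluu's own script API: the resource owner's configuration (attribute name plus allowed values, per resource) drives both the list of claims the AS must still gather and the final authorize decision. The function names, `RO_POLICIES` table and sample values are assumptions constructed for the illustration.

```python
# Added example (not Gluu code): resource-owner-configured UMA RPT policy.
# The RO stores, per resource, which attribute a requesting party (RqP) must
# present and which values are acceptable. The policy script would then
# (1) report the claims still missing, so the AS can send the RqP to the
# claims gathering endpoint, and (2) decide access from the pushed claims.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class RoPolicy:
    # attribute name -> allowed values; an empty set means "any value,
    # but the claim must be present"
    required: Dict[str, Set[str]] = field(default_factory=dict)


# Constructed sample configuration standing in for a DB/webservice lookup.
RO_POLICIES = {
    "photos": RoPolicy({"mail": {"alice@example.org", "bob@example.org"}}),
    "docs": RoPolicy({"mail": set()}),
}


def get_required_claims(resource_id: str) -> List[str]:
    """Claim names the RqP must present for this resource."""
    policy = RO_POLICIES.get(resource_id)
    return sorted(policy.required) if policy else []


def missing_claims(resource_id: str, claims: Dict[str, str]) -> List[str]:
    """Claims not yet pushed: these are what claims gathering has to collect."""
    return [c for c in get_required_claims(resource_id) if c not in claims]


def authorize(resource_id: str, claims: Dict[str, str]) -> bool:
    """Back-channel decision: every RO-configured attribute present and permitted."""
    policy = RO_POLICIES.get(resource_id)
    if policy is None:
        return False  # deny by default for resources without a policy
    for name, allowed in policy.required.items():
        value = claims.get(name)
        if value is None:
            return False  # missing claim: needs gathering, never an implicit grant
        if allowed and value not in allowed:
            return False  # claim present but not on the RO's allow-list
    return True
```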