UMA 1.0.1 : use signed JWT RPT

[yuriyz]

UMA 1.0.1 : use JWT RPT

[yuriyz]

publish whether RPT is JWT on /.well-known/uma-configuration

[8:07:04 PM | Edited 8:07:07 PM] Gluu - Michael Schwartz: 'local_token_introspection': 'true'
[8:07:26 PM] Gluu - Michael Schwartz: actually, use JWT for RPT

[yuriyz]

RPT can be both JWT or access_token. It should be configurable via oxauth configuration.

[yuriyz]

Support to issue RPT as JWT is added:

1. RPT manager issue JWT or generated string depending on oxauth configuration
2. publish rpt_as_jwt=true/false on /.well-known/uma-configuration
3. corrected oxtrust json schema GluuFederation/oxTrust@9b48205
4. decision is performed based on oxauth configuration

[nynymike]

How is the RPT signed? Should the RPT signing algorithm also be specified in /.well-known/uma-configuration ?

[yuriyz]

@nynymike it is signed based on client information for ID Token:
http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest

• id_token_signed_response_alg
• id_token_encrypted_response_alg
• id_token_encrypted_response_enc

I've stick to ID Token signing&encryption info. Do we want to keep that separately for RPT? If yes then we need to add it to dynamic client registration.

• rpt_signed_response_alg
• rpt_encrypted_response_alg
• rpt_encrypted_response_enc

[nynymike]

Let the client register specifying signing for the id_token--we can just re-use for the rpt. But I think we should explicitly list this in uma discovery so its clear.

[yuriyz]

reopened the issue : we need to add signing&encryption info explicitly to uma discovery.

[yuriyz]

We have to publish on uma discovery following:

• rpt_signing_alg_values_supported
• rpt_encryption_alg_values_supported
• rpt_encryption_enc_values_supported

[yuriyz]

Done in cb5d08e