features-and-tests.txt
========
Templates
==Feature-Example Support for AS feature X=={{UMA1 Feature |feature_id = Support feature X |feature_description = Explanation of feature |feature_type = interop |solution_role = AS |test_description = Instructions for test here |acceptable = Works |not_acceptable = Fails |testlist = [[UMA1:FeatureTest-Example Support for AS feature X]] |maturity_status = New |maturity_date = UMA1}}
{{FeatureTest |name = Example Support for AS feature X |testtype = normal |identifier = FTR-as-xsupport |areatested = |status = active |summary = Tests feature: Example Support for AS feature X |testedrole = AS |referencesolution1 = |referencesolution2 = |success = Works |failure = Fails}}
========
==Feature-AS config data =={{UMA1 Feature |feature_id = F-as-config |feature_description = AS makes available its config data in correct form at correct location |feature_type = interop |solution_role = AS |test_description = AS makes available its configuration data in the correct form at the correct location. |acceptable = AS configuration can be accessed and parsed. |not_acceptable = AS configuration not accessible and/or parsable. |testlist = [[UMA1:AS config data conforms to specified format]], [[UMA1:AS config data provides https endpoints]], [[UMA1:RS retrieves AS config data]], [[UMA1:Client retrieves AS config data]] |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = AS config data conforms to specified format |testtype = normal |identifier = FT-as-config-data |areatested = |status = active |summary = AS provides configuration data that conforms to specified format |testedrole = AS |referencesolution1 = |referencesolution2 = |success = Data conforms to format requirements |failure = Fails}}{{FeatureTest |name = AS config data provides https endpoints |testtype = optional |identifier = FT-as-config-endpts |areatested = |status = active |summary = AS makes config data available through SSL/TLS-protected URL |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS config data endpoint uses https: scheme and RS or client is able to validate AS's certificate |failure = Fails}}{{FeatureTest |name = RS retrieves AS config data |testtype = normal |identifier = FT-rs-get-config-data |areatested = |status = active |summary = RS successfully accesses and parses AS config data properties it needs at http://{as_uri}/.well-known/uma-configuration or https://{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the client and including handling of non-understood extension properties |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS successfully accesses and parses AS 
config data |failure = Fails}}{{FeatureTest |name = Client retrieves AS config data |testtype = normal |identifier = FT-c-get-config-data |areatested = |status = active |summary = Client successfully accesses and parses AS config data properties it needs at http://{as_uri}/.well-known/uma-configuration or https://{as_uri}/.well-known/uma-configuration, including all endpoint-related properties not specific to the RS and including handling of non-understood extension properties |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client successfully accesses and parses AS config data |failure = Fails}}========
==Feature-dynamic client registration =={{UMA1 Feature |feature_id = F-dyn-client-reg |feature_description = AS supports generating dynamic client credentials and RS and client support getting them |feature_type = optional |solution_role = AS, RS, C |test_description = AS issues and RS or C receives dynamic client credentials |acceptable = AS and RS or C can achieve dynamic client registration |not_acceptable = Fails |testlist = [[UMA1:AS config data indicates support for dynamic client registration]], [[UMA1:RS gets client credentials dynamically]], [[UMA1:Client gets client credentials dynamically]] |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = AS config data indicates support for dynamic client registration |testtype = optional |identifier = FT-as-dyn-client-reg |areatested = |status = active |summary = AS config data "dynamic_client_registration_supported" property contains "yes" value |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS config data "dynamic_client_registration_supported" property contains "yes" value |failure = Fails}}
{{FeatureTest |name = RS gets client credentials dynamically |testtype = optional |identifier = FT-rs-get-dyn-client-creds |areatested = |status = active |summary = RS interacts with AS to request and receive client credentials dynamically |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS gets client credentials dynamically
|failure = Fails}}{{FeatureTest |name = Client gets client credentials dynamically |testtype = optional |identifier = FT-c-get-dyn-client-creds |areatested = |status = active |summary = Client interacts with AS to request and receive client credentials dynamically |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client gets client credentials dynamically |failure = Fails}}========
==Feature-Protection API token =={{UMA1 Feature |feature_id = F-pat |feature_description = AS issues PAT to RS |feature_type = interop |solution_role = AS, RS |test_description = AS successfully issues PAT to RS for use at AS's protection API |acceptable = PAT issued, or OAuth-level error generated |not_acceptable = PAT not issued when it should have been, or OAuth doesn't trap error correctly |testlist = [[UMA1:AS issues PAT to RS given correct OAuth authorization_code grant flow and request for protection API scope]], [[UMA1:AS protects protection API endpoints so as to require protection API scope for access]], [[UMA1:RS presents PAT correctly to AS protection API endpoints]] |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = AS issues PAT to RS given correct OAuth authorization_code grant flow and request for protection API scope |testtype = normal |identifier = FT-rs-get-pat |areatested = |status = active |summary = AS issues PAT to RS given correct OAuth authorization_code grant flow (required by the spec) and request for protection API scope |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS issues PAT to RS IFF RS engages correctly and with correct scope |failure = Fails}}
{{FeatureTest |name = AS protects protection API endpoints so as to require protection API scope for access |testtype = normal |identifier = FT-as-require-pat |areatested = |status = active |summary = AS requires OAuth clients of protection API (definitionally, RSs) to present valid OAuth access tokens with protection API scope in order to use endpoints |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS allows RSs to make protection API calls IFF they present protection API scope |failure = Fails}}
{{FeatureTest |name = RS presents PAT correctly to AS protection API endpoints |testtype = normal |identifier = FT-rs-use-pat |areatested = |status = active |summary = RS presents valid OAuth access token with protection API scope when making calls to all protection API endpoints |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS presents PAT to all protection API endpoints |failure = Fails}}
========
==Feature-Authorization API token =={{UMA1 Feature |feature_id = F-aat |feature_description = AS issues AAT to client |feature_type = interop |solution_role = AS, C |test_description = AS successfully issues AAT to Client for use at AS's authorization API |acceptable = AAT issued, or OAuth-level error generated |not_acceptable = AAT not issued when it should have been, or OAuth doesn't trap error correctly |testlist = [[UMA1:AS issues AAT to client given correct OAuth authorization_code grant flow and request for authorization API scope]], [[UMA1:AS protects authorization API endpoints so as to require authorization API scope for access]], [[UMA1:Client presents AAT correctly to AS authorization API endpoints]] |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = AS issues AAT to client given correct OAuth authorization_code grant flow and request for authorization API scope |testtype = normal |identifier = FT-c-get-aat |areatested = |status = active |summary = AS issues AAT to Client given correct OAuth authorization_code grant flow (required by the spec) and request for authorization API scope |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS issues AAT to client IFF client engages correctly and with correct scope |failure = Fails.}}
{{FeatureTest |name = AS protects authorization API endpoints so as to require authorization API scope for access |testtype = normal |identifier = FT-as-require-aat |areatested = |status = active |summary = AS requires OAuth clients of authorization API to present valid OAuth access tokens with authorization API scope in order to use endpoints |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS allows client to make authorization API calls IFF they present authorization API scope |failure = Fails}}
{{FeatureTest |name = Client presents AAT correctly to AS authorization API endpoints |testtype = normal |identifier = FT-c-use-aat |areatested = |status = active |summary = Client presents valid OAuth access token with authorization API scope when making calls to all authorization API endpoints |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client presents AAT to all authorization API endpoints |failure = Fails}}
========
==Feature-Resource set registration =={{UMA1 Feature |feature_id = F-rset-reg |feature_description = RS and AS interact successfully to register resource sets to be protected |feature_type = interop |solution_role = AS, RS |test_description = RS registers resource sets at AS in order to put them under AS protection |acceptable = Resource sets are under AS protection |not_acceptable = Resource sets not successfully put under AS protection |testlist = [[UMA1:AS presents resource registration API to register and manage resource sets]], [[UMA1:RS uses resource registration API to register and manage resource sets]], [[UMA1:AS produces resource set registration API errors for error conditions]], [[UMA1:RS outsources protection of resources in AS-protected resource sets]], [[UMA1:AS retrieves scope descriptions]], [[UMA1:AS uses display elements of scope descriptions]] |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = AS presents resource registration API to register and manage resource sets |testtype = normal |identifier = FT-as-rset-reg |areatested = |status = active |summary = AS successfully presents all of the following methods at the resource set registration endpoint, and treats others as unsupported: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions. |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS presents all elements of resource set registration API correctly |failure = Fails}}
{{FeatureTest |name = RS uses resource registration API to register and manage resource sets |testtype = normal |identifier = FT-rs-rset-reg |areatested = |status = active |summary = RS successfully uses: PUT with unique ID to register new resource set description; GET with unique ID to read already-registered resource set description, handling the presence of any policy_uri property in AS's response; PUT with If-Match and unique ID to update already-registered resource set description, handling the presence of any policy_uri property in AS's response; DELETE with a unique ID to delete an already-registered resource set description; and GET on resource_set path to read list of already-registered resource set descriptions. |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS uses all elements of resource set registration API correctly |failure = Fails}}
{{FeatureTest |name = AS produces resource set registration API errors for error conditions |testtype = normal |identifier = FT-as-rset-reg-error |areatested = |status = active |summary = AS produces invalid_resource_set_id error when RS attempts to register a permission not associated with a currently registered resource set, and produces invalid_scope error when RS attempts to register a permission with a scope that was not already associated with indicated resource set, and produces unsupported_method_type error when RS attempts to use an unsupported HTTP method. |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS issues resource set registration API errors for error conditions |failure = Fails}}
{{FeatureTest |name = AS retrieves scope descriptions |testtype = normal |identifier = FT-as-rset-reg-scopes |areatested = |status = active |summary = AS retrieves (or attempts to retrieve) scope descriptions associated with resource set description at the time RS registers and updates it, and also attempts to re-retrieve relevant scope descriptions whose cached versions have expired when authorizing user begins an AS interaction session |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS attempts to retrieve scope descriptions |failure = Fails}}
{{FeatureTest |name = AS uses display elements of scope descriptions |testtype = optional |identifier = FT-as-rset-reg-scope-display |areatested = |status = active |summary = In the interface it presents to an authorizing user, AS uses scope names and any icons defined as part of registered scope descriptions associated with that user |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS displays scope description information |failure = Fails}}
========
==Feature-Protect resource =={{UMA1 Feature |feature_id = F-protect-rsrc |feature_description = RS, AS, and client interact to enable authorized access to protected resources and block unauthorized access |feature_type = interop |solution_role = AS, RS, C |test_description = RS requires client to present valid RPT associated with appropriate authorization data in order to give access, and engages AS and informs client of next steps to enable client to seek authorization |acceptable = Protected resource released only under conditions of valid RPT associated with appropriate authorization data |not_acceptable = Protected resource released under other conditions |testlist = [[UMA1:@@TBS]] (list all below items) |maturity_status = New |maturity_date = UMA1}}{{FeatureTest |name = RS responds in non-UMA fashion to access request for unprotected resource |testtype = normal |identifier = FT-unprotected-resource |areatested = |status = active |summary = RS responds to access request for unprotected resource without including anything UMA-specific in the response |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS responds in non-UMA fashion |failure = Fails}}
{{FeatureTest |name = RS responds to absence of RPT in access request for protected resource |testtype = normal |identifier = FT-no-rpt |areatested = |status = active |summary = RS responds with HTTP 401 and as_uri |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS responds with HTTP 401 and as_uri |failure = Fails}}
{{FeatureTest |name = Client asks AS for RPT |testtype = normal |identifier = FT-c-get-rpt |areatested = |status = active |summary = Client presents valid AAT at AS's RPT endpoint to get RPT |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client qualifies for and gets RPT |failure = Fails}}
{{FeatureTest |name = AS issues RPT to Client |testtype = normal |identifier = FT-as-issue-rpt |areatested = |status = active |summary = In response to client's request for an RPT at the correct endpoint with a valid AAT, AS issues RPT |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS issues RPT |failure = Fails}}
{{FeatureTest |name = RS introspects "bearer" RPT |testtype = normal |identifier = FT-rs-introspect-rpt |areatested = |status = active |summary = RS presents valid RPT at AS's token introspection endpoint to get token's status |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS gets token status |failure = Fails}}
{{FeatureTest |name = AS returns status of "bearer" RPT in access request |testtype = normal |identifier = FT-as-introspect-rpt |areatested = |status = active |summary = AS returns RPT's status in response to RS request |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS returns RPT's status |failure = Fails}}
{{FeatureTest |name = RS responds to client's invalid bearer RPT |testtype = normal |identifier = FT-rs-invalid-rpt |areatested = |status = active |summary = RS returns HTTP 401 and as_uri |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS returns HTTP 401 and as_uri |failure = Fails}}
{{FeatureTest |name = RS asks AS to register requested permission |testtype = normal |identifier = FT-rs-register-permission |areatested = |status = active |summary = RS presents valid PAT at AS's permission registration endpoint to register a requested permission, based on nature of client's access request. |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS registers requested permission |failure = Fails}}
{{FeatureTest |name = AS registers permission
|testtype = normal |identifier = FT-as-permission-ticket |areatested = |status = active |summary = AS returns permission ticket in response to RS registration of requested permission |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS returns permission ticket |failure = Fails}}
{{FeatureTest |name = RS responds to valid bearer RPT with insufficient permissions in access request for protected resource |testtype = normal |identifier = FT-rs-insufficient-perms |areatested = |status = active |summary = RS responds with HTTP 403, as_uri, and permission ticket |testedrole = RS |referencesolution1 = |referencesolution2 = |success = RS responds with HTTP 403, as_uri, and permission ticket |failure = Fails}}
{{FeatureTest |name = Client asks AS for authorization to add permission to bearer RPT |testtype = normal |identifier = FT-c-add-authz-data |areatested = |status = active |summary = Client presents valid AAT, valid RPT, and permission ticket at AS's authorization endpoint to POST request that authorization data be associated with RPT. |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client receives back normal success or error message |failure = Fails}}
{{FeatureTest |name = AS denies client's request to add permission to bearer RPT |testtype = normal |identifier = FT-as-denied |areatested = |status = active |summary = AS determines that the client should not get authorization data, and returns either an invalid_ticket error, an expired_ticket error, or a not_authorized_permission error. |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS returns one of the errors. |failure = Fails}}
{{FeatureTest |name = AS grants client's request to add permission to "bearer" RPT |testtype = normal |identifier = FT-as-give-authz-data |areatested = |status = active |summary = AS associates new authorization data with the RPT that the client presented and responds with success. |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS adds authorization data and responds with success. |failure = Fails}}
{{FeatureTest |name = AS indicates it needs requesting party claims to consider adding permission to "bearer" RPT |testtype = normal |identifier = FT-as-need-claims |areatested = |status = active |summary = AS responds to the client with a need_claims error. |testedrole = AS |referencesolution1 = |referencesolution2 = |success = AS responds to the client with a need_claims error. |failure = Fails}}
{{FeatureTest |name = Client redirects requesting party to AS to provide claims |testtype = normal |identifier = FT-c-claims-redirect |areatested = |status = active |summary = Client redirects requesting party to AS to provide claims, providing a redirect URI, a callback URI, and a state parameter. |testedrole = C |referencesolution1 = |referencesolution2 = |success = Client redirects requesting party to AS. |failure = Fails}}