Limitations Of IG As a UMA Resource Server
When using IG as an UMA resource server, note the following points:
IG depends on the resource owner for the PAT.
When a PAT expires, no refresh token is available to IG. The resource owner must repeat the entire share process with a new PAT in order to authorize access to protected resources. The resource owner should delete the old resource and create a new one.
Data about PATs and shared resources is held in memory.
IG has no mechanism for persisting the data across restarts. When IG stops and starts again, the resource owner must repeat the entire share process.
UMA client applications for sharing and accessing protected resources must deal with UMA error conditions and IG error conditions.
By default, the REST API to manage share objects exposed by IG is protected only by CORS.
When matching protected resource paths with share patterns, IG takes the longest match.
For example, if resource owner Alice shares /photos/.* with Bob, and /photos/vacation.png with Charlie, and then Bob attempts to access /photos/vacation.png, IG applies the sharing permissions for Charlie, not Bob. As a result, Bob can be denied access.
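The longest-match rule above, modelled as an added example (this is not IG's own code; it assumes "longest match" means the matching share whose pattern string is longest, and the `Share`, `select_share` and `shadowed_parties` names are hypothetical). The `shadowed_parties` check is the kind of audit a resource owner would run to see who loses access when a broad share overlaps a narrower one:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    pattern: str           # regex over the resource path, e.g. the page's /photos/.*
    requesting_party: str  # who the resource owner shared with


def select_share(shares, path):
    """Pick the share applied to `path`: among all shares whose pattern matches
    the whole path, the one with the longest pattern string.
    Assumption: this models the page's "longest match" description, not IG's code."""
    candidates = [s for s in shares if re.fullmatch(s.pattern, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: len(s.pattern))


def is_authorized(shares, path, requesting_party):
    """True only if the selected (longest-matching) share names this party."""
    share = select_share(shares, path)
    return share is not None and share.requesting_party == requesting_party


def shadowed_parties(shares, path):
    """Parties whose share matches `path` but is not the one selected, i.e.
    parties the longest-match rule silently denies for this path."""
    chosen = select_share(shares, path)
    matching = {s.requesting_party for s in shares if re.fullmatch(s.pattern, path)}
    return matching - ({chosen.requesting_party} if chosen else set())


# Constructed sample: Alice's two shares from the page's example.
ALICE_SHARES = [
    Share(r"/photos/.*", "bob"),
    Share(r"/photos/vacation.png", "charlie"),
]

if __name__ == "__main__":
    for path in ("/photos/vacation.png", "/photos/beach.png"):
        chosen = select_share(ALICE_SHARES, path)
        print(path, "->", chosen.requesting_party, "shadowed:", shadowed_parties(ALICE_SHARES, path))
```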