resty-uma2.patch

--- ../lua-resty-openidc/lib/resty/openidc.lua	2018-11-08 03:55:02.952500992 -0500
+++ ./resty/uma2.lua	2018-11-08 02:33:54.420600338 -0500
@@ -64,10 +64,10 @@
    client_secret_post = true
 }
 
-local openidc = {
+local uma2 = {
   _VERSION = "1.6.1"
 }
-openidc.__index = openidc
+uma2.__index = uma2
 
 local function store_in_session(opts, feature)
   -- We don't have a whitelist of features to enable
@@ -79,7 +79,7 @@
 end
 
 -- set value in server-wide cache if available
-local function openidc_cache_set(type, key, value, exp)
+local function uma2_cache_set(type, key, value, exp)
   local dict = ngx.shared[type]
   if dict and (exp > 0) then
     local success, err, forcible = dict:set(key, value, exp)
@@ -88,7 +88,7 @@
 end
 
 -- retrieve value from server-wide cache if available
-local function openidc_cache_get(type, key)
+local function uma2_cache_get(type, key)
   local dict = ngx.shared[type]
   local value
   if dict then
@@ -99,7 +99,7 @@
 end
 
 -- invalidate values of server-wide cache
-local function openidc_cache_invalidate(type)
+local function uma2_cache_invalidate(type)
     local dict = ngx.shared[type]
     if dict then
         ngx.log(ngx.DEBUG, "flushing cache for "..type)
@@ -109,14 +109,14 @@
 end
 
 -- invalidate all server-wide caches
-function openidc.invalidate_caches()
-    openidc_cache_invalidate("discovery")
-    openidc_cache_invalidate("jwks")
-    openidc_cache_invalidate("introspection")
+function uma2.invalidate_caches()
+    uma2_cache_invalidate("discovery")
+    uma2_cache_invalidate("jwks")
+    uma2_cache_invalidate("introspection")
 end
 
 -- validate the contents of and id_token
-local function openidc_validate_id_token(opts, id_token, nonce)
+local function uma2_validate_id_token(opts, id_token, nonce)
 
   -- check issuer
   if opts.discovery.issuer ~= id_token.iss then
@@ -240,7 +240,7 @@
 end
 
 -- assemble the redirect_uri
-local function openidc_get_redirect_uri(opts)
+local function uma2_get_redirect_uri(opts)
   local scheme = opts.redirect_uri_scheme or get_scheme()
   local host = get_host_name()
   if not host then
@@ -251,7 +251,7 @@
 end
 
 -- perform base64url decoding
-local function openidc_base64_url_decode(input)
+local function uma2_base64_url_decode(input)
   local reminder = #input % 4
   if reminder > 0 then
     local padlen = 4 - reminder
@@ -261,7 +261,7 @@
   return unb64(input)
 end
 
-local function openidc_combine_uri(uri, params)
+local function uma2_combine_uri(uri, params)
   if params == nil or next(params) == nil then
     return uri
   end
@@ -273,7 +273,7 @@
 end
 
 -- send the browser of to the OP's authorization endpoint
-local function openidc_authorize(opts, session, target_url, prompt)
+local function uma2_authorize(opts, session, target_url, prompt)
   local resty_random = require "resty.random"
   local resty_string = require "resty.string"
 
@@ -286,7 +286,7 @@
     client_id=opts.client_id,
     response_type="code",
     scope=opts.scope and opts.scope or "openid email profile",
-    redirect_uri=openidc_get_redirect_uri(opts),
+    redirect_uri=uma2_get_redirect_uri(opts),
     state=state,
     nonce=nonce,
   }
@@ -314,18 +314,19 @@
 
   -- redirect to the /authorization endpoint
   ngx.header["Cache-Control"] = "no-cache, no-store, max-age=0"
-  return ngx.redirect(openidc_combine_uri(opts.discovery.authorization_endpoint, params))
+  return ngx.redirect(uma2_combine_uri(opts.discovery.authorization_endpoint, params))
 end
 
 -- parse the JSON result from a call to the OP
-local function openidc_parse_json_response(response)
+local function uma2_parse_json_response(response)
 
   local err
   local res
 
   -- check the response from the OP
   if response.status ~= 200 then
-    err = "response indicates failure, status="..response.status..", body="..response.body
+    err = cjson_s.decode(response.body)
+    --err = "response indicates failure, status="..response.status..", body="..response.body
   else
     -- decode the response and extract the JSON object
     res = cjson_s.decode(response.body)
@@ -338,7 +339,7 @@
   return res, err
 end
 
-local function openidc_configure_timeouts(httpc, timeout)
+local function uma2_configure_timeouts(httpc, timeout)
   if timeout then
     if type(timeout) == "table" then
       local r, e = httpc:set_timeouts(timeout.connect or 0, timeout.send or 0, timeout.read or 0)
@@ -349,17 +350,17 @@
 end
 
 -- Set outgoing proxy options
-local function openidc_configure_proxy(httpc, proxy_opts)
+local function uma2_configure_proxy(httpc, proxy_opts)
     if httpc and proxy_opts and type(proxy_opts) == "table"  then
-        ngx.log(ngx.DEBUG, "openidc_configure_proxy : use http proxy")
+        ngx.log(ngx.DEBUG, "uma2_configure_proxy : use http proxy")
         httpc:set_proxy_options(proxy_opts)
     else
-        ngx.log(ngx.DEBUG, "openidc_configure_proxy : don't use http proxy")
+        ngx.log(ngx.DEBUG, "uma2_configure_proxy : don't use http proxy")
     end
 end
 
 -- make a call to the token endpoint
-local function openidc_call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
+local function uma2_call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
 
   local ep_name = endpoint_name or 'token'
   local headers = {
@@ -395,8 +396,8 @@
   ngx.log(ngx.DEBUG, "request body for "..ep_name.." endpoint call: ", ngx.encode_args(body))
 
   local httpc = http.new()
-  openidc_configure_timeouts(httpc, opts.timeout)
-  openidc_configure_proxy(httpc, opts.proxy_opts)
+  uma2_configure_timeouts(httpc, opts.timeout)
+  uma2_configure_proxy(httpc, opts.proxy_opts)
   local res, err = httpc:request_uri(endpoint, {
     method = "POST",
     body = ngx.encode_args(body),
@@ -411,11 +412,11 @@
 
   ngx.log(ngx.DEBUG, ep_name.." endpoint response: ", res.body)
 
-  return openidc_parse_json_response(res)
+  return uma2_parse_json_response(res)
 end
 
 -- make a call to the userinfo endpoint
-local function openidc_call_userinfo_endpoint(opts, access_token)
+local function uma2_call_userinfo_endpoint(opts, access_token)
   if not opts.discovery.userinfo_endpoint then
     ngx.log(ngx.DEBUG, "no userinfo endpoint supplied")
     return nil, nil
@@ -428,8 +429,8 @@
   ngx.log(ngx.DEBUG,"authorization header '"..headers.Authorization.."'")
 
   local httpc = http.new()
-  openidc_configure_timeouts(httpc, opts.timeout)
-  openidc_configure_proxy(httpc, opts.proxy_opts)
+  uma2_configure_timeouts(httpc, opts.timeout)
+  uma2_configure_proxy(httpc, opts.proxy_opts)
   local res, err = httpc:request_uri(opts.discovery.userinfo_endpoint, {
     headers = headers,
     ssl_verify = (opts.ssl_verify ~= "no")
@@ -442,17 +443,49 @@
   ngx.log(ngx.DEBUG, "userinfo response: ", res.body)
 
   -- parse the response from the user info endpoint
-  return openidc_parse_json_response(res)
+  return uma2_parse_json_response(res)
 end
 
+-- make a call to the userinfo endpoint
+local function uma2_call_resource_set_endpoint(opts, access_token)
+  if not opts.uma2_discovery.resource_registration_endpoint then
+    ngx.log(ngx.DEBUG, "no resource_set endpoint supplied")
+    return nil, nil
+  end
+
+  local headers = {
+      ["Authorization"] = "Bearer "..access_token,
+  }
+
+  ngx.log(ngx.DEBUG,"authorization header '"..headers.Authorization.."'")
+
+  local httpc = http.new()
+  uma2_configure_timeouts(httpc, opts.timeout)
+  uma2_configure_proxy(httpc, opts.proxy_opts)
+  local res, err = httpc:request_uri(opts.uma2_discovery.resource_registration_endpoint, {
+    headers = headers,
+    ssl_verify = (opts.ssl_verify ~= "no")
+  })
+  if not res then
+    err = "accessing ("..opts.uma2_discovery.resource_registration_endpoint..") failed: "..err
+    return nil, err
+  end
+
+  ngx.log(ngx.DEBUG, "resource_set response: ", res.body)
+
+  -- parse the response from the user info endpoint
+  return uma2_parse_json_response(res)
+end
+
+
 -- computes access_token expires_in value (in seconds)
-local function openidc_access_token_expires_in(opts, expires_in)
+local function uma2_access_token_expires_in(opts, expires_in)
   return (expires_in or opts.access_token_expires_in or 3600) - 1 - (opts.access_token_expires_leeway or 0)
 end
 
-local function openidc_load_jwt_none_alg(enc_hdr, enc_payload)
-  local header = cjson_s.decode(openidc_base64_url_decode(enc_hdr))
-  local payload = cjson_s.decode(openidc_base64_url_decode(enc_payload))
+local function uma2_load_jwt_none_alg(enc_hdr, enc_payload)
+  local header = cjson_s.decode(uma2_base64_url_decode(enc_hdr))
+  local payload = cjson_s.decode(uma2_base64_url_decode(enc_payload))
   if header and payload and header.alg == "none" then
     return {
       raw_header = enc_hdr,
@@ -466,18 +499,18 @@
 end
 
 -- get the Discovery metadata from the specified URL
-local function openidc_discover(url, ssl_verify, timeout, exptime, proxy_opts)
-  ngx.log(ngx.DEBUG, "openidc_discover: URL is: "..url)
+local function uma2_discover(url, ssl_verify, timeout, exptime, proxy_opts)
+  ngx.log(ngx.DEBUG, "uma2_discover: URL is: "..url)
 
   local json, err
-  local v = openidc_cache_get("discovery", url)
+  local v = uma2_cache_get("discovery", url)
   if not v then
 
     ngx.log(ngx.DEBUG, "discovery data not in cache, making call to discovery endpoint")
     -- make the call to the discovery endpoint
     local httpc = http.new()
-    openidc_configure_timeouts(httpc, timeout)
-    openidc_configure_proxy(httpc, proxy_opts)
+    uma2_configure_timeouts(httpc, timeout)
+    uma2_configure_proxy(httpc, proxy_opts)
     local res, error = httpc:request_uri(url, {
       ssl_verify = (ssl_verify ~= "no")
     })
@@ -486,10 +519,10 @@
       ngx.log(ngx.ERR, err)
     else
       ngx.log(ngx.DEBUG, "response data: "..res.body)
-      json, err = openidc_parse_json_response(res)
+      json, err = uma2_parse_json_response(res)
       if json then
         if string.sub(url, 1, string.len(json['issuer'])) == json['issuer'] then
-          openidc_cache_set("discovery", url, cjson.encode(json), exptime or 24 * 60 * 60)
+          uma2_cache_set("discovery", url, cjson.encode(json), exptime or 24 * 60 * 60)
         else
           err = "issuer field in Discovery data does not match URL"
           ngx.log(ngx.ERR, err)
@@ -509,17 +542,22 @@
 end
 
 -- turn a discovery url set in the opts dictionary into the discovered information
-local function openidc_ensure_discovered_data(opts)
+local function uma2_ensure_discovered_data(opts)
   local err
   if type(opts.discovery) == "string" then
-    opts.discovery, err = openidc_discover(opts.discovery, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts)
+    opts.discovery, err = uma2_discover(opts.discovery, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts)
+  end
+
+  if type(opts.uma2_discovery) == "string" then
+    opts.uma2_discovery, err = uma2_discover(opts.uma2_discovery, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts)
   end
+
   return err
 end
 
 -- query for discovery endpoint data
-function openidc.get_discovery_doc(opts)
-    local err = openidc_ensure_discovered_data (opts)
+function uma2.get_discovery_doc(opts)
+    local err = uma2_ensure_discovered_data (opts)
     if err then
       ngx.log(ngx.ERR, "error getting endpoints definition using discovery endpoint")
     end
@@ -527,13 +565,13 @@
     return opts.discovery, err
 end
 
-local function openidc_jwks(url, force, ssl_verify, timeout, exptime, proxy_opts)
-  ngx.log(ngx.DEBUG, "openidc_jwks: URL is: "..url.. " (force=" .. force .. ")")
+local function uma2_jwks(url, force, ssl_verify, timeout, exptime, proxy_opts)
+  ngx.log(ngx.DEBUG, "uma2_jwks: URL is: "..url.. " (force=" .. force .. ")")
 
   local json, err, v
 
   if force == 0 then
-    v = openidc_cache_get("jwks", url)
+    v = uma2_cache_get("jwks", url)
   end
 
   if not v then
@@ -541,8 +579,8 @@
     ngx.log(ngx.DEBUG, "cannot use cached JWKS data; making call to jwks endpoint")
     -- make the call to the jwks endpoint
     local httpc = http.new()
-    openidc_configure_timeouts(httpc, timeout)
-    openidc_configure_proxy(httpc, proxy_opts)
+    uma2_configure_timeouts(httpc, timeout)
+    uma2_configure_proxy(httpc, proxy_opts)
     local res, error = httpc:request_uri(url, {
       ssl_verify = (ssl_verify ~= "no")
     })
@@ -551,9 +589,9 @@
       ngx.log(ngx.ERR, err)
     else
       ngx.log(ngx.DEBUG, "response data: "..res.body)
-      json, err = openidc_parse_json_response(res)
+      json, err = uma2_parse_json_response(res)
       if json then
-        openidc_cache_set("jwks", url, cjson.encode(json), exptime or 24 * 60 * 60)
+        uma2_cache_set("jwks", url, cjson.encode(json), exptime or 24 * 60 * 60)
       end
     end
 
@@ -653,10 +691,10 @@
   return "\3" .. encode_length(#s) .. s
 end
 
-local function openidc_pem_from_x5c(x5c)
+local function uma2_pem_from_x5c(x5c)
   -- TODO check x5c length
   ngx.log(ngx.DEBUG, "Found x5c, getting PEM public key from x5c entry of json public key")
-  local chunks = split_by_chunk(b64(openidc_base64_url_decode(x5c[1])), 64)
+  local chunks = split_by_chunk(b64(uma2_base64_url_decode(x5c[1])), 64)
   local pem = "-----BEGIN CERTIFICATE-----\n" ..
     table.concat(chunks, "\n") ..
     "\n-----END CERTIFICATE-----"
@@ -664,11 +702,11 @@
   return pem
 end
 
-local function openidc_pem_from_rsa_n_and_e(n, e)
+local function uma2_pem_from_rsa_n_and_e(n, e)
   ngx.log(ngx.DEBUG , "getting PEM public key from n and e parameters of json public key")
 
   local der_key = {
-    openidc_base64_url_decode(n), openidc_base64_url_decode(e)
+    uma2_base64_url_decode(n), uma2_base64_url_decode(e)
   }
   local encoded_key = encode_sequence_of_integer(der_key)
   local pem = der2pem(encode_sequence({
@@ -682,8 +720,8 @@
   return pem
 end
 
-local function openidc_pem_from_jwk(opts, kid)
-  local err = openidc_ensure_discovered_data(opts)
+local function uma2_pem_from_jwk(opts, kid)
+  local err = uma2_ensure_discovered_data(opts)
   if err then
     return nil, err
   end
@@ -693,7 +731,7 @@
   end
 
   local cache_id = opts.discovery.jwks_uri .. '#' .. (kid or '')
-  local v = openidc_cache_get("jwks", cache_id)
+  local v = uma2_cache_get("jwks", cache_id)
 
   if v then
     return v
@@ -702,7 +740,7 @@
   local jwk, jwks
 
   for force=0, 1 do
-    jwks, err = openidc_jwks(opts.discovery.jwks_uri, force, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts)
+    jwks, err = uma2_jwks(opts.discovery.jwks_uri, force, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts)
     if err then
       return nil, err
     end
@@ -721,14 +759,14 @@
   local pem
   -- TODO check x5c length
   if jwk.x5c then
-    pem = openidc_pem_from_x5c(jwk.x5c)
+    pem = uma2_pem_from_x5c(jwk.x5c)
   elseif jwk.kty == "RSA" and jwk.n and jwk.e then
-    pem = openidc_pem_from_rsa_n_and_e(jwk.n, jwk.e)
+    pem = uma2_pem_from_rsa_n_and_e(jwk.n, jwk.e)
   else
     return nil, "don't know how to create RSA key/cert for " .. cjson.encode(jwt)
   end
 
-  openidc_cache_set("jwks", cache_id, pem, opts.jwk_expires_in or 24 * 60 * 60)
+  uma2_cache_set("jwks", cache_id, pem, opts.jwk_expires_in or 24 * 60 * 60)
   return pem
 end
 
@@ -764,12 +802,12 @@
 end
 
 -- parse a JWT and verify its signature (if present)
-local function openidc_load_jwt_and_verify_crypto(opts, jwt_string, asymmetric_secret,
+local function uma2_load_jwt_and_verify_crypto(opts, jwt_string, asymmetric_secret,
   symmetric_secret, expected_algs, ...)
   local jwt = require "resty.jwt"
   local enc_hdr, enc_payload, enc_sign = string.match(jwt_string, '^(.+)%.(.+)%.(.*)$')
   if enc_payload and (not enc_sign or enc_sign == "") then
-    local jwt = openidc_load_jwt_none_alg(enc_hdr, enc_payload)
+    local jwt = uma2_load_jwt_none_alg(enc_hdr, enc_payload)
     if jwt then
       if opts.accept_none_alg then
         ngx.log(ngx.DEBUG, "accept JWT with alg \"none\" and no signature")
@@ -801,7 +839,7 @@
       if not secret and opts.discovery then
         ngx.log(ngx.DEBUG, "using discovery to find key")
         local err
-        secret, err = openidc_pem_from_jwk(opts, jwt_obj.header.kid)
+        secret, err = uma2_pem_from_jwk(opts, jwt_obj.header.kid)
 
         if secret == nil then
           ngx.log(ngx.ERR, err)
@@ -839,15 +877,15 @@
 --
 -- Load and validate id token from the id_token properties of the token endpoint response
 -- Parameters :
---     - opts the openidc module options
+--     - opts the uma2 module options
 --     - jwt_id_token the id_token from the id_token properties of the token endpoint response
 --     - session the current session
 -- Return the id_token, nil if valid
 -- Return nil, the error if invalid
 --
-local function openidc_load_and_validate_jwt_id_token(opts, jwt_id_token, session)
+local function uma2_load_and_validate_jwt_id_token(opts, jwt_id_token, session)
 
-  local jwt_obj, err = openidc_load_jwt_and_verify_crypto(opts, jwt_id_token, opts.secret, opts.client_secret,
+  local jwt_obj, err = uma2_load_jwt_and_verify_crypto(opts, jwt_id_token, opts.secret, opts.client_secret,
           opts.discovery.id_token_signing_alg_values_supported)
   if err then
     local alg = (jwt_obj and jwt_obj.header and jwt_obj.header.alg) or ''
@@ -871,7 +909,7 @@
   ngx.log(ngx.DEBUG, "id_token payload: ", cjson.encode(jwt_obj.payload))
 
   -- validate the id_token contents
-  if openidc_validate_id_token(opts, id_token, session.data.nonce) == false then
+  if uma2_validate_id_token(opts, id_token, session.data.nonce) == false then
     err = "id_token validation failed"
     ngx.log(ngx.ERR, err)
     return nil, err
@@ -882,7 +920,7 @@
 end
 
 -- handle a "code" authorization response from the OP
-local function openidc_authorization_response(opts, session)
+local function uma2_authorization_response(opts, session)
   local args = ngx.req.get_uri_args()
   local err
 
@@ -917,7 +955,7 @@
   local body = {
     grant_type="authorization_code",
     code=args.code,
-    redirect_uri=openidc_get_redirect_uri(opts),
+    redirect_uri=uma2_get_redirect_uri(opts),
     state = session.data.state
   }
 
@@ -926,12 +964,12 @@
   local current_time = ngx.time()
   -- make the call to the token endpoint
   local json
-  json, err = openidc_call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
+  json, err = uma2_call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
   if err then
     return nil, err, session.data.original_url, session
   end
 
-  local id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session);
+  local id_token, err = uma2_load_and_validate_jwt_id_token(opts, json.id_token, session);
   if err then
     return nil, err, session.data.original_url, session
   end
@@ -950,7 +988,7 @@
     -- call the user info endpoint
     -- TODO: should this error be checked?
     local user
-    user, err = openidc_call_userinfo_endpoint(opts, json.access_token)
+    user, err = uma2_call_userinfo_endpoint(opts, json.access_token)
 
     if err then
       ngx.log(ngx.ERR, "error calling userinfo endpoint: " .. err)
@@ -971,7 +1009,7 @@
   if store_in_session(opts, 'access_token') then
     session.data.access_token = json.access_token
     session.data.access_token_expiration = current_time
-            + openidc_access_token_expires_in(opts, json.expires_in)
+            + uma2_access_token_expires_in(opts, json.expires_in)
     if json.refresh_token ~= nil then
       session.data.refresh_token = json.refresh_token
     end
@@ -987,14 +1025,14 @@
 
 end
 
-local openidc_transparent_pixel = "\137\080\078\071\013\010\026\010\000\000\000\013\073\072\068\082" ..
+local uma2_transparent_pixel = "\137\080\078\071\013\010\026\010\000\000\000\013\073\072\068\082" ..
                                   "\000\000\000\001\000\000\000\001\008\004\000\000\000\181\028\012" ..
                                   "\002\000\000\000\011\073\068\065\084\120\156\099\250\207\000\000" ..
                                   "\002\007\001\002\154\028\049\113\000\000\000\000\073\069\078\068" ..
                                   "\174\066\096\130"
 
 -- handle logout
-local function openidc_logout(opts, session)
+local function uma2_logout(opts, session)
   local session_token = session.data.enc_id_token
   session:destroy()
   local headers = ngx.req.get_headers()
@@ -1006,7 +1044,7 @@
     ngx.header["Expires"] = "0"
     ngx.header["X-Frame-Options"] = "DENY"
     ngx.header.content_type = "image/png"
-    ngx.print(openidc_transparent_pixel)
+    ngx.print(uma2_transparent_pixel)
     ngx.exit(ngx.OK)
     return
   elseif opts.redirect_after_logout_uri or opts.discovery.end_session_endpoint then
@@ -1023,13 +1061,13 @@
     if opts.post_logout_redirect_uri then
       params["post_logout_redirect_uri"] = opts.post_logout_redirect_uri
     end
-    return ngx.redirect(openidc_combine_uri(uri, params))
+    return ngx.redirect(uma2_combine_uri(uri, params))
   elseif opts.discovery.ping_end_session_endpoint then
     local params = {}
     if opts.post_logout_redirect_uri then
       params["TargetResource"] = opts.post_logout_redirect_uri
     end
-    return ngx.redirect(openidc_combine_uri(opts.discovery.ping_end_session_endpoint, params))
+    return ngx.redirect(uma2_combine_uri(opts.discovery.ping_end_session_endpoint, params))
   end
 
   ngx.header.content_type = "text/html"
@@ -1038,7 +1076,7 @@
 end
 
 -- get the token endpoint authentication method
-local function openidc_get_token_auth_method(opts)
+local function uma2_get_token_auth_method(opts)
 
   if opts.token_endpoint_auth_method ~= nil and not supported_token_auth_methods[opts.token_endpoint_auth_method] then
     ngx.log(ngx.ERR, "configured value for token_endpoint_auth_method ("..opts.token_endpoint_auth_method..") is not supported, ignoring it")
@@ -1086,7 +1124,7 @@
 end
 
 -- returns a valid access_token (eventually refreshing the token)
-local function openidc_access_token(opts, session, try_to_renew)
+local function uma2_access_token(opts, session, try_to_renew)
 
   local err
 
@@ -1107,13 +1145,13 @@
   ngx.log(ngx.DEBUG, "refreshing expired access_token: ", session.data.access_token, " with: ", session.data.refresh_token)
 
   -- retrieve token endpoint URL from discovery endpoint if necessary
-  err = openidc_ensure_discovered_data(opts)
+  err = uma2_ensure_discovered_data(opts)
   if err then
     return nil, err
   end
 
   -- set the authentication method for the token endpoint
-  opts.token_endpoint_auth_method = openidc_get_token_auth_method(opts)
+  opts.token_endpoint_auth_method = uma2_get_token_auth_method(opts)
   -- assemble the parameters to the token endpoint
   local body = {
     grant_type="refresh_token",
@@ -1122,13 +1160,13 @@
   }
 
   local json
-  json, err = openidc_call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
+  json, err = uma2_call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
   if err then
     return nil, err
   end
   local id_token
   if json.id_token then
-    id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
+    id_token, err = uma2_load_and_validate_jwt_id_token(opts, json.id_token, session)
     if err then
       ngx.log(ngx.ERR, "invalid id token, discarding tokens returned while refreshing")
       return nil, err
@@ -1138,7 +1176,7 @@
 
   session:start()
   session.data.access_token = json.access_token
-  session.data.access_token_expiration = current_time + openidc_access_token_expires_in(opts, json.expires_in)
+  session.data.access_token_expiration = current_time + uma2_access_token_expires_in(opts, json.expires_in)
   if json.refresh_token then
     session.data.refresh_token = json.refresh_token
   end
@@ -1161,8 +1199,47 @@
 
 end
 
+-- get an OAuth 2.0 bearer access token from the HTTP request
+local function uma2_get_bearer_access_token(opts)
+
+  local err
+
+  local accept_token_as = opts.auth_accept_token_as or "header"
+
+  if accept_token_as:find("cookie") == 1 then
+    return uma2_get_bearer_access_token_from_cookie(opts)
+  end
+
+  -- get the access token from the Authorization header
+  local headers = ngx.req.get_headers()
+  local header =  headers['Authorization']
+
+  if header == nil or header:find(" ") == nil then
+    err = "no Authorization header found"
+    ngx.log(ngx.ERR, err)
+    return nil, err
+  end
+
+  local divider = header:find(' ')
+  if string.lower(header:sub(0, divider-1)) ~= string.lower("Bearer") then
+    err = "no Bearer authorization header value found"
+    ngx.log(ngx.ERR, err)
+    return nil, err
+  end
+
+  local access_token = header:sub(divider+1)
+  if access_token == nil then
+    err = "no Bearer access token value found"
+    ngx.log(ngx.ERR, err)
+    return nil, err
+  end
+
+  return access_token, err
+end
+
+
 -- main routine for OpenID Connect user authentication
-function openidc.authenticate(opts, target_url, unauth_action, session_opts)
+function uma2.authenticate(opts, target_url, unauth_action, session_opts)
 
   local err
 
@@ -1172,14 +1249,104 @@
 
   local access_token
 
-  err = openidc_ensure_discovered_data(opts)
+  err = uma2_ensure_discovered_data(opts)
   if err then
     return nil, err, target_url, session
   end
 
   -- set the authentication method for the token endpoint
-  opts.token_endpoint_auth_method = openidc_get_token_auth_method(opts)
+  opts.token_endpoint_auth_method = uma2_get_token_auth_method(opts)
+
+  ngx.log(ngx.DEBUG, "opts.token_endpoint_auth_method: ", opts.token_endpoint_auth_method)
 
+  local body = {}
+  if opts.client_id then
+    body.client_id=opts.client_id
+  end
+  if opts.client_secret then
+    body.client_secret=opts.client_secret
+  end
+
+
+  local device_string = string.sub(ngx.var.request_uri,1,string.len("/device"))
+  if device_string == "/device" then
+      return
+  end
+
+  local tag_string = string.sub(ngx.var.request_uri,1,string.len("/tag"))
+  if tag_string == "/tag" then
+      return
+  end
+
+
+--  if target_url == (opts.login_path or "/login" or "/auth/token") then
+  if ngx.var.request_uri == "/auth/token" then
+    ngx.req.read_body()
+    obj, err = cjson.decode(ngx.req.get_body_data())
+    body.username = obj.username
+    body.password = obj.password
+    body.grant_type = "password"
+    json, err = uma2_call_token_endpoint(opts, opts.discovery.token_endpoint, body, "client_secret_basic")
+    if err then
+      ngx.status = 403
+      ngx.say(cjson.encode(err))
+      ngx.exit(ngx.OK)
+    end
+    local response_body = {}
+    response_body.token = json.access_token
+    --response_body = json
+    ngx.status = 200
+    ngx.say(cjson.encode(response_body))
+    ngx.exit(ngx.OK)
+  end
+
+  local access_token, err = uma2_get_bearer_access_token(opts)
+  local user, err = uma2_call_userinfo_endpoint(opts, access_token)
+
+  if ngx.var.request_uri == "/auth/user" then
+    if err then
+      ngx.status = 403
+      ngx.say(cjson.encode(err))
+      ngx.exit(ngx.OK)
+    end
+    local response_body = {}
+    response_body.user = user.preferred_username
+    --response_body = user
+    ngx.status = 200
+    ngx.say(cjson.encode(response_body))
+    ngx.exit(ngx.OK)
+  end
+
+
+  body.grant_type="client_credentials"
+  json, err = uma2_call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
+  --ngx.log(ngx.DEBUG, "token output: ", cjson.encode(json))
+
+  json, err = uma2_call_resource_set_endpoint(opts, json.access_token)
+  ngx.log(ngx.DEBUG, "resource set output: ", json[1])
+  body.claim_token_format = "urn:ietf:params:oauth:token-type:jwt"
+  body.audience = opts.client_id
+  body.grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket"
+  body.claim_token = b64( "{\"http.uri\":[\""..ngx.var.request_uri.."\"],\"http.method\":[\""..ngx.var.request_method.."\"]}")
+  body.permission = json[1]
+
+
+  body.subject_token = access_token
+  json, err = uma2_call_token_endpoint(opts, opts.discovery.token_endpoint, body, "client_secret_basic")
+
+  ngx.log(ngx.DEBUG, "andrew=============final token output: ", ngx.var.request_method)
+  if err then
+    ngx.status = 403
+    ngx.say(cjson.encode(err))
+    ngx.exit(ngx.OK)
+  end
+  --ngx.log(ngx.DEBUG, "uma output: ", cjson.encode(json))
+
+  --local user, err = uma2_call_userinfo_endpoint(opts, json.access_token)
+
+  return {user=user}
+  ----------------------------------------------------------------
+  --[[
   -- see if this is a request to the redirect_uri i.e. an authorization response
   local path = target_url:match("(.-)%?") or target_url
   if path == opts.redirect_uri_path then
@@ -1190,14 +1357,14 @@
       ngx.log(ngx.ERR, err)
       return nil, err, target_url, session
     end
-    return openidc_authorization_response(opts, session)
+    return uma2_authorization_response(opts, session)
   end
 
   -- see if this is a request to logout
   if path == (opts.logout_path or "/logout") then
     ngx.log(ngx.DEBUG, "Logout path ("..path..") is currently navigated -> Processing local session removal before redirecting to next step of logout process")
 
-    openidc_logout(opts, session)
+    uma2_logout(opts, session)
     return nil, nil, target_url, session
   end
 
@@ -1207,7 +1374,7 @@
     and store_in_session(opts, 'access_token')
   then
     -- refresh access_token if necessary
-    access_token, err = openidc_access_token(opts, session, try_to_renew)
+    access_token, err = uma2_access_token(opts, session, try_to_renew)
     if err then
       ngx.log(ngx.ERR, "lost access token:" .. err)
       err = nil
@@ -1243,7 +1410,7 @@
     end
 
     ngx.log(ngx.DEBUG, "Authentication is required - Redirecting to OP Authorization endpoint")
-    openidc_authorize(opts, session, target_url, opts.prompt)
+    uma2_authorize(opts, session, target_url, opts.prompt)
     return nil, nil, target_url, session
   end
 
@@ -1251,7 +1418,7 @@
   if opts.refresh_session_interval ~= nil then
     if session.data.last_authenticated == nil or (session.data.last_authenticated+opts.refresh_session_interval) < ngx.time() then
       ngx.log(ngx.DEBUG, "Silent authentication is required - Redirecting to OP Authorization endpoint")
-      openidc_authorize(opts, session, target_url, "none")
+      uma2_authorize(opts, session, target_url, "none")
       return nil, nil, target_url, session
     end
   end
@@ -1271,20 +1438,23 @@
     err,
     target_url,
     session
+
+  --]]
+
 end
 
 -- get a valid access_token (eventually refreshing the token), or nil if there's no valid access_token
-function openidc.access_token(opts, session_opts)
+function uma2.access_token(opts, session_opts)
 
   local session = require("resty.session").open(session_opts)
 
-  return openidc_access_token(opts, session, true)
+  return uma2_access_token(opts, session, true)
 
 end
 
 
 -- get an OAuth 2.0 bearer access token from the HTTP request cookies
-local function openidc_get_bearer_access_token_from_cookie(opts)
+local function uma2_get_bearer_access_token_from_cookie(opts)
 
   local err
 
@@ -1292,7 +1462,7 @@
 
   local accept_token_as = opts.auth_accept_token_as or "header"
   if accept_token_as:find("cookie") ~= 1 then
-    return nul, "openidc_get_bearer_access_token_from_cookie called but auth_accept_token_as wants "
+    return nul, "uma2_get_bearer_access_token_from_cookie called but auth_accept_token_as wants "
       .. opts.auth_accept_token_as
   end
   local divider = accept_token_as:find(':')
@@ -1317,56 +1487,18 @@
 end
 
 
--- get an OAuth 2.0 bearer access token from the HTTP request
-local function openidc_get_bearer_access_token(opts)
-
-  local err
-
-  local accept_token_as = opts.auth_accept_token_as or "header"
-
-  if accept_token_as:find("cookie") == 1 then
-    return openidc_get_bearer_access_token_from_cookie(opts)
-  end
-
-  -- get the access token from the Authorization header
-  local headers = ngx.req.get_headers()
-  local header =  headers['Authorization']
-
-  if header == nil or header:find(" ") == nil then
-    err = "no Authorization header found"
-    ngx.log(ngx.ERR, err)
-    return nil, err
-  end
-
-  local divider = header:find(' ')
-  if string.lower(header:sub(0, divider-1)) ~= string.lower("Bearer") then
-    err = "no Bearer authorization header value found"
-    ngx.log(ngx.ERR, err)
-    return nil, err
-  end
-
-  local access_token = header:sub(divider+1)
-  if access_token == nil then
-    err = "no Bearer access token value found"
-    ngx.log(ngx.ERR, err)
-    return nil, err
-  end
-
-  return access_token, err
-end
-
 -- main routine for OAuth 2.0 token introspection
-function openidc.introspect(opts)
+function uma2.introspect(opts)
 
   -- get the access token from the request
-  local access_token, err = openidc_get_bearer_access_token(opts)
+  local access_token, err = uma2_get_bearer_access_token(opts)
   if access_token == nil then
     return nil, err
   end
 
   -- see if we've previously cached the introspection result for this access token
   local json
-  local v = openidc_cache_get("introspection", access_token)
+  local v = uma2_cache_get("introspection", access_token)
   if not v then
 
     -- assemble the parameters to the introspection (token) endpoint
@@ -1389,7 +1521,7 @@
     end
 
     -- call the introspection endpoint
-    json, err = openidc_call_token_endpoint(opts, opts.introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
+    json, err = uma2_call_token_endpoint(opts, opts.introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
 
     -- cache the results
     if json then
@@ -1407,7 +1539,7 @@
             end
           end
           ngx.log(ngx.DEBUG, "cache token ttl: "..ttl)
-          openidc_cache_set("introspection", access_token, cjson.encode(json), ttl)
+          uma2_cache_set("introspection", access_token, cjson.encode(json), ttl)
         end
       else
         err = "invalid token"
@@ -1423,23 +1555,23 @@
 
 -- main routine for OAuth 2.0 JWT token validation
 -- optional args are claim specs, see jwt-validators in resty.jwt
-function openidc.jwt_verify(access_token, opts, ...)
+function uma2.jwt_verify(access_token, opts, ...)
   local err
   local json
 
   local slack = opts.iat_slack and opts.iat_slack or 120
   -- see if we've previously cached the validation result for this access token
-  local v = openidc_cache_get("introspection", access_token)
+  local v = uma2_cache_get("introspection", access_token)
   if not v then
     local jwt_obj
-    jwt_obj, err = openidc_load_jwt_and_verify_crypto(opts, access_token, opts.secret, opts.secret,
+    jwt_obj, err = uma2_load_jwt_and_verify_crypto(opts, access_token, opts.secret, opts.secret,
         opts.token_signing_alg_values_expected, ...)
     if not err then
       json = jwt_obj.payload
       ngx.log(ngx.DEBUG, "jwt: ", cjson.encode(json))
 
       local ttl = json.exp and json.exp - ngx.time() or 120
-      openidc_cache_set("introspection", access_token, cjson.encode(json), ttl)
+      uma2_cache_set("introspection", access_token, cjson.encode(json), ttl)
     end
 
   else
@@ -1458,19 +1590,19 @@
   return json, err
 end
 
-function openidc.bearer_jwt_verify(opts, ...)
+function uma2.bearer_jwt_verify(opts, ...)
   local json
 
   -- get the access token from the request
-  local access_token, err = openidc_get_bearer_access_token(opts)
+  local access_token, err = uma2_get_bearer_access_token(opts)
   if access_token == nil then
     return nil, err
   end
 
   ngx.log(ngx.DEBUG, "access_token: ", access_token)
 
-  json, err = openidc.jwt_verify(access_token, opts, ...)
+  json, err = uma2.jwt_verify(access_token, opts, ...)
   return json, err, access_token
 end
 
-return openidc
+return uma2