
User-Managed Access

User-Managed Access (UMA) is an OAuth-based access management protocol standard for party-to-party authorization.[1] Version 1.0 of the standard was approved by the Kantara Initiative on March 23, 2015.[2]

As described by the charter of the group that developed UMA,[3] the purpose of the protocol specifications is to “enable a resource owner to control the authorization of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party”. This purpose has privacy and consent implications for web applications and the Internet of Things (IoT), as explored by the collection of case studies contributed by participants in the standards group.[4]

Comparison to OAuth 2.0

[Figure: diagram giving a high-level overview of the entities and relationships involved in the UMA specification.]

The diagram from [5] (see right) highlights key additions that UMA makes to OAuth 2.0.

In a typical OAuth flow: A resource owner (RO), a human who uses a client application, is redirected to an authorization server (AS) to log in and consent to the issuance of an access token. This access token allows the client application to gain API access to the resource server (RS) on the resource owner's behalf in the future, likely in a scoped (limited) fashion. The resource server and authorization server most likely operate within the same security domain, and communication between them is not necessarily standardized by the main OAuth specification.

User-Managed Access adds three main concepts and corresponding structures and flows:

Protection API
UMA defines a standardized Protection API for the authorization servers with which resource servers communicate about data security. This API enables multiple resource servers to communicate with one authorization server and vice versa. Because the Protection API is itself secured with OAuth, it allows for formal trust establishment between each pair. This also allows an authorization server to present a centralized user interface for resource owners.
Requesting Party (RqP)
UMA defines requesting parties separately from resource owners. This enables party-to-party sharing and fine-grained delegation of access authorization. A resource owner need not consent to token issuance at runtime (i.e. each time their data is requested), but can instead define a policy at the authorization server to allow requesting parties asynchronous access to specific limited authorization scopes.
Trust Elevation
UMA enables access attempts to result in successful issuance of authorization tokens based on a process of trust elevation for requesting parties. This process may involve gathering identity claims or other claims from a requesting party, thus facilitating more robust security of resource owners' data.
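The three additions above are easiest to see as one end-to-end exchange. The following is an added illustration, not code from the article or from any UMA implementation: it models the resource server, authorization server and requesting party's client as in-process Python objects rather than HTTP endpoints, and the names (alice, bob, "health-records", the `need_info` and `request_denied` error strings, the method names) are constructed for the example. It shows the Protection API calls the resource server makes, a policy the resource owner sets ahead of time so she need not be present when access is requested, and the trust-elevation step in which the authorization server asks for a claim before deciding.

```python
"""Toy model of the UMA pattern: RO sets policy at the AS in advance; an RqP's
client later redeems a permission ticket plus claims for a requesting party
token (RPT); the RS checks the RPT with the AS before releasing data."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    resources: dict = field(default_factory=dict)  # resource_id -> {"owner", "name", "scopes"}
    policies: dict = field(default_factory=dict)   # resource_id -> {scope: set of allowed emails}
    tickets: dict = field(default_factory=dict)    # ticket -> (resource_id, requested scopes)
    rpts: dict = field(default_factory=dict)       # rpt -> permission granted to the RqP

    # --- Protection API: called by resource servers, not by end users --------
    def register_resource(self, owner: str, name: str, scopes: set) -> str:
        rid = f"res-{secrets.token_hex(4)}"
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return rid

    def request_permission_ticket(self, rid: str, scopes: set) -> str:
        if not scopes <= self.resources[rid]["scopes"]:
            raise ValueError("scope not registered for this resource")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rid, set(scopes))
        return ticket

    def introspect(self, rpt: str) -> dict:
        perm = self.rpts.get(rpt)
        return {"active": False} if perm is None else {"active": True, **perm}

    # --- Policy: set by the resource owner, independent of any access attempt
    def set_policy(self, owner: str, rid: str, scope: str, allowed_emails: set) -> None:
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies.setdefault(rid, {})[scope] = set(allowed_emails)

    # --- Token endpoint: the requesting party's client redeems the ticket ----
    def token(self, ticket: str, claims: dict | None) -> dict:
        if ticket not in self.tickets:
            return {"error": "invalid_grant"}
        rid, scopes = self.tickets.pop(ticket)  # tickets are single-use
        if not claims or "email" not in claims:
            # Trust elevation: the AS cannot evaluate policy without a claim,
            # so it tells the client what it needs and issues a fresh ticket.
            new_ticket = self.request_permission_ticket(rid, scopes)
            return {"error": "need_info", "required_claims": ["email"], "ticket": new_ticket}
        policy = self.policies.get(rid, {})
        granted = {s for s in scopes if claims["email"] in policy.get(s, set())}
        if not granted:
            return {"error": "request_denied"}
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"resource_id": rid, "scopes": granted, "rqp": claims["email"]}
        return {"access_token": rpt, "token_type": "Bearer"}


class ResourceServer:
    def __init__(self, as_: AuthorizationServer):
        self.as_ = as_
        self.data: dict = {}  # resource_id -> stored payload

    def store(self, owner: str, name: str, payload: dict, scopes: set) -> str:
        rid = self.as_.register_resource(owner, name, scopes)  # Protection API
        self.data[rid] = payload
        return rid

    def get(self, rid: str, scope: str, rpt: str | None = None) -> dict:
        perm = self.as_.introspect(rpt) if rpt else {"active": False}
        if perm["active"] and perm["resource_id"] == rid and scope in perm["scopes"]:
            return {"status": 200, "body": self.data[rid]}
        # Missing or insufficient RPT: obtain a ticket and hand it to the client,
        # which redeems it at the AS (modelled on the 401 + ticket response).
        ticket = self.as_.request_permission_ticket(rid, {scope})
        return {"status": 401, "ticket": ticket}


def uma_flow(rqp_claims: dict | None, scope: str = "read") -> dict:
    """Run the whole exchange for one requesting party and return the RS's final answer."""
    as_ = AuthorizationServer()
    rs = ResourceServer(as_)
    rid = rs.store("alice", "health-records", {"bp": "120/80"}, {"read", "write"})
    as_.set_policy("alice", rid, "read", {"bob@example.com"})  # alice is absent from here on
    first = rs.get(rid, scope)                     # no token yet -> 401 with ticket
    tok = as_.token(first["ticket"], rqp_claims)   # client redeems ticket with its claims
    if "access_token" not in tok:
        return {"status": 403, "error": tok["error"]}
    return rs.get(rid, scope, rpt=tok["access_token"])


if __name__ == "__main__":
    print(uma_flow({"email": "bob@example.com"}))      # 200, data released
    print(uma_flow({"email": "mallory@example.com"}))  # 403 request_denied
    print(uma_flow(None))                              # 403 need_info
```

The point to notice is where the decision is made: the resource server never evaluates policy and never sees the requesting party's claims; it only registers resources, asks for tickets and introspects tokens, which is exactly the separation the Protection API standardizes. Policy format inside the authorization server is deliberately left open here, as the article notes it is in UMA itself.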

History and background

The Kantara Initiative's UMA Work Group[3] held its first meeting[6] on August 6, 2009. UMA's design principles and technical design have been informed by previous work by Sun Microsystems employees, begun in March 2008, on a protocol called ProtectServe. In turn, ProtectServe was influenced by the goals of the Vendor Relationship Management movement and an offshoot effort called feeds-based VRM.

ProtectServe and UMA's earliest versions leveraged the OAuth 1.0 protocol. As OAuth underwent significant change through the publication of the Web Resource Authorization Protocol (WRAP) specification and, subsequently, drafts of OAuth 2.0, the UMA specification has kept pace, and it now uses the OAuth 2.0 family of specifications for several key protocol flows.

UMA does not use or depend on OpenID 2.0 as a means of user identification. However, it optionally uses the OAuth-based OpenID Connect protocol as a means of collecting identity claims from a requesting party in order to attempt to satisfy the authorizing user's access policy.[citation needed]

UMA also does not use or depend on the eXtensible Access Control Markup Language (XACML) as a means of encoding user policy or requesting policy decisions. UMA does not dictate policy format, as policy evaluation is performed internally to the authorization server (AS) from the UMA perspective. Typically, XACML would be used to implement the policies inside the AS. Its implementation is out-of-scope of UMA. The UMA protocol flows for requesting access permission have some features in common with the XACML protocol.

Standardization status

The UMA group conducts its work in the Kantara Initiative[7] and has also contributed several individual Internet-Draft specifications to the Internet Engineering Task Force (IETF) for consideration, with the IETF seen as an eventual home for UMA standardization work. One of these, a specification for OAuth dynamic client registration,[8] served as input for the more generalized mechanism ultimately developed for OAuth.[8] UMA was presented to the OAuth Working Group[9] at the IETF 104 meeting in March 2019,[10] but that did not result in any UMA specifications being adopted by the IETF.

Implementation and adoption status

The UMA core protocol has several implementations,[11] including several open source implementations. Sources of active and available open-source implementations include ForgeRock,[12] Gluu,[13] IDENTOS Inc.,[14] MITREid Connect,[15] Atricore, Node-UMA,[16] Roland Hedberg,[17] Keycloak,[18] and WSO2 Identity Server.[19] A Kantara Initiative group is working on developing "free and open-source software (FOSS), in several popular programming languages, that empowers developers to incorporate UMA protection and authorization API enablement into applications, services, and devices".[20]

UMA-enabled products are available from Gluu,[21] Jericho Systems,[22] ForgeRock,[23] IDENTOS Inc.[24] and WSO2 Identity Server.[19]

Current processing and acceptance status

The UMA protocol has multiple implementations. ForgeRock offers a first open-source implementation under OpenUMA.[25] A first implementation of the authorization server is to be tested with OpenAM in the nightly build.[26]

Gluu has implemented UMA to secure and manage access to APIs.[27] Cloud Identity Limited has a full UMA implementation for securing and managing access to personal information and web APIs. Several others have expressed interest in implementation and interoperability testing to the working group.

Applicable use cases

UMA's architecture can serve a variety of consumer-facing and enterprise-facing use cases. The UMA group collects case studies on its wiki.[28]

One example set of use cases is in healthcare IT and consumer health. In the OpenID Foundation organization, a working group called Health Relationship Trust (HEART)[29] is working to "harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs", building upon, among other standards, UMA.

Another example set of use cases, which originally influenced UMA's development, is in the area of "personal data stores" in the fashion of vendor relationship management. In this conception, an individual can choose an operator of an authorization service that accepts connections from a variety of consumer-facing digital resource hosts in order to offer a dashboard with resource sharing management capabilities.

References

  1. Maler, E.; Machulak, M.; Richer, J. (2018-01-07). "User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization". docs.kantarainitiative.org. Retrieved 2024-01-11.
  2. "UMA telecon 2015-02-23 - WG - User Managed Access - Kantara Initiative". kantara.atlassian.net. Retrieved 2024-01-11.
  3. "User Managed Access Work Group". Kantara Initiative: Trust through ID Assurance. Retrieved 2024-01-11.
  4. "Case Studies - WG - User Managed Access - Kantara Initiative". kantara.atlassian.net. Retrieved 2024-01-11.
  5. "CIS 2015 Tuesday, June 9". George Fletcher, AOL. Retrieved 2024-01-11.
  6. "UMA telecon 2009-08-06 - WG - User Managed Access - Kantara Initiative". kantara.atlassian.net. Retrieved 2024-01-11.
  7. "WG - User Managed Access - Kantara Initiative". kantara.atlassian.net.
  8. Richer, Justin; Jones, Michael B.; Bradley, John; Machulak, Maciej; Hunt, Phil (July 2015). OAuth 2.0 Dynamic Client Registration Protocol (Report). Internet Engineering Task Force.
  9. "Web Authorization Protocol (oauth)". datatracker.ietf.org. Retrieved 2024-01-11.
  10. "IETF104 - oauth WG - meeting minutes".
  11. "UMA Implementations - WG - User Managed Access - Kantara Initiative".
  12. "Digital Identity for Consumers and Workforce | ForgeRock".
  13. "Mission Critical Authentication and Authorization: Open Source vs On Demand". Archived from the original on 2014-02-09. Retrieved 2024-01-19. Gluu OSS implementation of UMA.
  14. "IDENTOS Inc. Federated Privacy Exchange (FPX)".
  15. "An OpenID Connect reference implementation in Java on the Spring platform". github.com. Retrieved 2024-01-19.
  16. "Atricore OSS implementation of UMA for Node.js".
  17. "Rohe/Pyuma". GitHub. 22 January 2018.
  18. "Keycloak 4.0.0.Final". Archived from the original on 2019-03-06. Retrieved 2019-03-05.
  19. "User Managed Access - Identity Server 5.8.0 latest - WSO2 Documentation".
  20. "Home - WG - User Managed Access Developer Resources - Kantara Initiative". Archived from the original on 2016-02-16. Retrieved 2015-08-13.
  21. "Web Access Management: the Gluu Server for SSO, WAM & 2FA". Gluu. Archived from the original on 2015-08-05. Retrieved 2015-08-13.
  22. "Jericho Systems Corporation Announces the Release of Consentral on FHIR for the Control of Sensitive Health Information". Archived from the original on 2019-06-15.
  23. "User-Managed Access (UMA) - ForgeRock".
  24. "Federated Privacy Exchange - by IDENTOS".
  25. "All Posts about OpenUMA". Retrieved 2024-01-19.
  26. "ForgeRock Access Management". Retrieved 2024-01-19.
  27. "Gluu Open Source". Archived from the original on 2015-09-24. Gluu OSS implementation of UMA.
  28. "Case Studies - WG - User Managed Access - Kantara Initiative".
  29. "HEART WG | OpenID". 27 October 2014.

Further reading

  • Schwartz, Michael; Machulak, Maciej (2018). "User-Managed Access". Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software. Apress. ISBN 9781484226018.

External links

  • UMA FAQ
  • User-Managed Access (UMA) Profile of OAuth 2.0 Recommendation
  • OAuth 2.0 Resource Set Registration Recommendation
  • UMA Implementations
