...
Paul Bryan has stated a preference expressing a set of terms as a Web resource whose representation can be retrieved with an HTTP GET and modified (with an affirmation that the terms are being met) with an HTTP POST.
...
Abstract
This document is a product of the User-Managed Access Work Group. It records the scenarios and use cases governing the development of the User-Managed Access protocol and guiding associated implementations and deployments.
...
Status
...
This document is currently under active development. Its latest version can always be found here. See the Change History at the end of this document for its revision number.
...
Editors
...
- Hasan Ibne Akram
- Eve Maler
Several other UMA WG members have also contributed scenarios, as noted below.
...
Intellectual Property Notice
...
The User-Managed Access Work Group operates under Option Liberty and the publication of this document is governed by the policies outlined in this option.
...
Table of Contents
| Table of Contents |
|---|
| minLevel | 1 |
|---|
| maxLevel | 3 |
|---|
| outline | true |
|---|
| indent | 20px |
|---|
|
...
Introduction and InstructionsThis document is a product of the User-Managed Access Work Group. It records the scenarios and use cases governing the development of the User-Managed Access protocol and guiding associated implementations and deployments, and outlines technical issues raised thereby.
Please copy and revise an existing scenario in adding new scenarios and subordinate use cases. Each scenario is created as a separate child wiki page with a name like xyz_scenario and then linked from here. Change the status keyword in each scenario and use case title as appropriate, linking to the meeting minutes page explaining the status change:
- Pending: Initial status when first submitted
- Accepted: Needs to be accounted for in UMA V1 and/or its associated compliant implementations
- Deferred: Relevant to the problem space; may be considered in future versions
- Rejected: Out of scope
Edit the descriptions of technical issues and scope questions to reflect (or point to) group decisions about how to handle them.
| Include Page |
|---|
| uma:calendar_scenario |
|---|
| uma:calendar_scenario |
|---|
|
| Include Page |
|---|
| uma:ecommerce_scenario |
|---|
| uma:ecommerce_scenario |
|---|
|
| Include Page |
|---|
| uma:loan_scenario |
|---|
| uma:loan_scenario |
|---|
|
| Include Page |
|---|
| uma:distributed_services_scenario |
|---|
| uma:distributed_services_scenario |
|---|
|
| Include Page |
|---|
| uma:location_scenario |
|---|
| uma:location_scenario |
|---|
|
| Include Page |
|---|
| uma:requester_delegate_scenario |
|---|
| uma:requester_delegate_scenario |
|---|
|
| Include Page |
|---|
| uma:employer_scenario |
|---|
| uma:employer_scenario |
|---|
|
| Include Page |
|---|
| uma:custodian_scenario |
|---|
| uma:custodian_scenario |
|---|
|
| Include Page |
|---|
| uma:resourcemove_scenario |
|---|
| uma:resourcemove_scenario |
|---|
|
| Include Page |
|---|
| uma:terms_null_scenario |
|---|
| uma:terms_null_scenario |
|---|
|
| Include Page |
|---|
| uma:terms_id_scenario |
|---|
| uma:terms_id_scenario |
|---|
|
| Include Page |
|---|
| uma:terms_fact_scenario |
|---|
| uma:terms_fact_scenario |
|---|
|
| Include Page |
|---|
| uma:terms_promise_scenario |
|---|
| uma:terms_promise_scenario |
|---|
|
| Include Page |
|---|
| uma:terms_payment_scenario |
|---|
| uma:terms_payment_scenario |
|---|
|
...
IssuesFollowing are discussions of technical issues raised by one or more scenarios and use cases. Acceptance of a scenario or use case will imply agreeing to develop a satisfactory solution to applicable issues.
Issue: Policies Specific to the Web Resource Type
There is a potential need to restrict, anonymize, blur, or otherwise transform a shared resource, possibly based on the unique characteristics of its content type.
With respect to calendar resources, the premier calendar format standard already accounts for a blurring of data details by providing a "free/busy" option in addition to a full-data option. It feels like it should be out of scope to solve for filtering the calendar data cleverly (beyond the format's natural capabilities) to hide Alice's destination, hotel, etc. (though generic solutions such as making events taggable, and then filtering on the tags in a relationship manager interface, come to mind). An "identity oracle" approach (filtering the data into a completely different type) might be necessary if what Alice is trying to convey is simply "don't deliver my newspaper on these days" vs. "here's all of my travel information".
In the Controlling Two-Way Sharing of Location Information scenario, note that FireEagle allows a user to choose to share locations only at the city level, and this level happens to be chosen for the connection that authorizes Dopplr to read the FireEagle location (a different level can be chosen for each application that reads location from FireEagle). As it happens, Dopplr does not offer the same policy capability. Without having to teach UMA generically about all the possible policy options specific to all the kinds of information in the world, is it possible for each Host to teach each AM about the policy options it offers, in some way that lets the the relationship manager application surrounding the AM present user interface options to see and select these policies? Seeing may have less protocol impact than selecting, and seems to be a minimum value-add if the goal is to allow OAuth users to get a global view.
Some data-usage policies and terms may possibly have an interaction with some resource types, such as requiring recipients to discard volatile data after a period dictated by the data's type.
It has been observed that if fine-grained calendar filtering were a solved problem, different calendar sites could be shared with different friends as a way of managing minimal disclosure through indirection.
| Anchor |
|---|
| issue-endpt-disco |
|---|
| issue-endpt-disco |
|---|
|
Issue: Authorization Manager Endpoint DiscoveryThe mockups linked in the calendar scenario imagine that the user's authorization manager endpoint (what we imagine Alice will perceive as the name of her relationship management service) will be handled as if it were an OpenID, with introductions to popular relationship manager services offered in an array by potential UMA Hosts much in the way that the RPX solution presents options. (The user always has the ability to self-host an authorization manager endpoint, similarly to self-hosting an OpenID provider – and they might even be colocated.)
| Anchor |
|---|
| issue-resourceURL-handling |
|---|
| issue-resourceURL-handling |
|---|
|
Issue: Handling the Resource URL and Provisioning It to the Consumer SiteThe mockups linked in the calendar scenario imagine the simplest possible situation: The Consumer site literally asks for exactly the kind of information it needs, and the user copies and pastes a URL into a field.
This is how calendar feeds, photo streams, RSS feeds, and other such resources are shared today; it works but we need to consider its scalability to arbitrary types of information. There are several challenges here: The Consumer's ability to handle the information, its way of expressing the desire/need for the correct information, and the user's (or user agent's) ability to provide it in a convenient and correct fashion.
In addition, the relationship manager interface is shown having some knowledge of that resource as a unique object. We need to consider how to let the AM and SP communicate about this information appropriately.
In the case of the photo set scenario, note that in OAuth usage today, the resource-based interaction is often accomplished silently from the user's perspective: the desired combinatorial effect simply "happens" as if the feature that was "outsourced" to a third-party app were native. Perhaps this is possible in the UMA approach.
| Anchor |
|---|
| protected_query |
|---|
| protected_query |
|---|
|
Issue: Protected Resource QueryHow and whether to request the "protected status" of a resource: To answer this question, a host would pretty much have to go through the same dance as for a request for actual access! It might be protected against requester A but not requester B, or protected with a real-time user consent loop, etc. We'll wait to see what real scenarios arise that need to be solved, and perhaps it will turn out that they can tolerate imprecision/latency. Before a host gives out the 401, it already knows intrinsically whether the resource is protected by some AM, and it has the ability to tell the requester this (whether this is a good idea or not we don't know yet). It just doesn't yet know whether the requester is going to be authorized to access it.
Since we're now out of the authentication business, keep in mind that whatever the host does in response to the initial approach of the requester is up to it. It can assign a pseudonymous form of identifier (possibly literally using a cookie-based method), or really anything. If the host needs to protect the privacy of the requester according to its own policies or applicable laws or whatever, it's up to the host to choose an ID wisely. We don't really care about protecting the requester's privacy, however; the whole point of letting the authorizing user control access is to let them do so on whatever criteria, and as part of that process the requester is simply going to have to authenticate, even if weakly.
OAuth (the subject of our design principle #2) actually brings two different use cases to the table: service authentication and a "read/write" framework for service access. Both are valuable to us.
...
| Anchor |
|---|
| change-history |
|---|
| change-history |
|---|
|
Change History
...