Working Drafts
This page collects our draft specifications and other relevant auxiliary material, and various other useful materials that may contribute to them. See the list of child pages at the bottom for a summary.
We are currently using use https://github.com/xmlgrrl/UMA-Specifications for our active spec development, with snapshots provided on the docs.kantarainitiative.org site. The UMA wiki page for the core spec now summarizes all relevant information about that spec.spec summarizes breaking and notable changes to both the core spec and other normative specs.
The normative specs include:
- User-Managed Access (UMA) Profile of OAuth 2.0 (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
- OAuth 2.0 Resource Set Registration (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
UMA has been made a full-fledged profile of OAuth, and over time it is incorporating (as well as spinning off) functionality that comes from the wider OAuth specification universe. The UMA core spec now refers to a resource set registration spec that was originally derived from UMA design work, but is suitable for use by other OAuth-based technologies. It also refers to a binding obligations spec that is "contractual" in nature, rather than technical. See the references in the core spec for the other referenced bits.
Following are The following auxiliary documents that are currently non-normative:
- Binding Obligations on User-Managed Access (UMA) Participants (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
- UMA Requirements
- UMA Scenarios and Use Cases
- UMA Case Studies
- Privacy by Design Implications of UMA
- UMA Implementer's Guide
The following documents still available on this wiki are considered obsolete:
- User-Managed Access (UMA) Claim Profiles Framework (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
- Claims 2.0 and Simple Access Authorization Claims (obsoleted by the OpenID Connect mechanisms for requesting and providing claimsClaim Profiles)
- Legal Considerations (obsoleted by Binding Obligations)
- Lexicon (obsoleted by the spec itself and Binding Obligations)
- UMA Trust Model (obsoleted by Binding Obligations)
- UMA User Stories (obsoleted by Case Studies)
- OAuth Dynamic Client Registration Protocol (obsoleted by the OAuth WG's own standards-track specification, to which UMA core now refers)
- UMA Resource Registration (obsoleted by the now spun-off OAuth Resource Set Registration spec being proposed for wider adoption)