Versions Compared


...

For now, UMA assumes that tokens are opaque (not internally structured) and that, therefore, the authorization server responsible for having issued the token will be responsible for dereferencing it as necessary. For example, the UMA protocol includes a way for a resource server to make API calls to the AM to check the status of a token presented to it by a client. However, we anticipate building in optional support for tokens that use the JSON Web Token format, which will enable "local" validation without requiring a round trip to the server at run time.
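The two validation styles described above, as an added example that is not code from the UMA FAQ or from any UMA implementation: an opaque token is checked by a simulated round trip to the authorization server, while an HS256 JWT is checked locally by the resource server. The function names, the signing key and the token store are assumptions for illustration only.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (assumptions, not UMA's real endpoints or formats):
# the authorization server's signing key and its store of issued opaque tokens.
AS_KEY = b"demo-signing-key"
AS_OPAQUE_TOKENS = {"tok_abc123": {"active": True, "scope": "read", "exp": 2_000_000_000}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def introspect_opaque(token: str) -> dict:
    """Round trip: the resource server asks the AS whether an opaque token is active."""
    return dict(AS_OPAQUE_TOKENS.get(token, {"active": False}))

def issue_jwt(claims: dict, key: bytes = AS_KEY) -> str:
    """AS side: mint a structured token (header.payload.signature, HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt_locally(token: str, key: bytes = AS_KEY, now=None) -> dict:
    """Resource server side: verify algorithm, signature and expiry without calling the AS."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return {"active": False}  # refuse unexpected or "none" algorithms
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return {"active": False}  # signature mismatch: tampered or wrong issuer key
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON
        return {"active": False}
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return {"active": False}  # expired
    return {"active": True, **claims}
```

The opaque path needs the AS reachable at run time; the JWT path needs only the AS's key distributed in advance, and revocation before expiry then requires a separate mechanism.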

...

UMA is not formally related to XACML, but we can imagine some patterns of usage that bridge XACML and UMA. For example, UMA does not standardize a policy expression format or its evaluation, and treats an authorization manager as a conflated policy decision point (or at least authoritative authorization data source), policy administration point, and policy information point for the purposes of UMA's in-band flows. An AS could provide authorization data for which a resource server could then seek interpretation at a true XACML PDP. An UMA representative made a presentation to the XACML TC on 19 October 2012 to discuss liaison and technical opportunities. A specialized UMA token profile could also be used to provide a pattern for XACML's ongoing efforts to simplify/RESTify the current XACML standard.

...

Data Sharing, User Control, and Privacy Implications

How can UMA make requesting parties adhere to the user's wishes for privacy and data usage control?

The demands the user may want to make on the requesting side can't be solved only with cryptography and web protocols; you quickly get into the realm of agreements and liability.

...