...
Terminology in the protocol spec
Terms are capitalized here for clarity of definition, but are lowercase in the main body of the specification for readability. Note that in this specification, the word "profile" is used not only to refer to [WRAP] profiles, but also for the result of choosing one out of several options in a referenced specification in order to increase interoperability.
Authorizing User: A web user who configures an Authorization Manager Following is a new proposal for OAuth 2.0-based terms, now incorporated into the core protocol spec. Key definitions from the draft OAuth 2.0 specification ([OAuth20]) are reproduced here for ease of tracing UMA definitions that are dependent on them, though these OAuth definitions do not appear in the formal spec.
authorizing user: An UMA-defined variant of an [OAuth20] resource owner ("An entity capable of granting access to a protected resource."); a web user who configures an authorization manager with policies that control how it makes access decisions when a Requester requester attempts to access a Protected Resource protected resource at a Hosthost.
Authorization Manager authorization manager (AM): An UMA-defined variant of a WRAP Authorization Server an [OAuth20] authorization server ("An HTTP server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization. The authorization server may be the same server as the resource server, or a separate entity.") that carries out an Authorizing Userauthorizing user's policies governing access to a Protected Resourceprotected resource.
Protected Resource: A resource (at a Host) whose access is restricted. (Note that this differs from WRAP's definition of the same term.)
Hostprotected resource: An access-restricted resource at a host.
host: An UMA-defined variant of, respectively, a WRAP Protected Resource and WRAP Client, of an [OAuth20] resource server ("An HTTP server capable of accepting authenticated resource requests using the OAuth protocol.") that enforces access to the Protected Resources protected resources it hosts, as decided by an Authorization Managerauthorization manager.
Token Validation token validation URL: The URL at an Authorization Manager authorization manager that a Host uses host can use to validate an access token.
Claimclaim: A statement (in the sense of [IDCclaim]). Claims are conveyed by a Requester requester on behalf of a Requesting Party requesting party to an Authorization Manager authorization manager in an attempt to satisfy an authorizing user's policy. (Protected Resources resources may also contain Claimsclaims, but this is outside the view of the UMA protocol.)
Requesterrequester: An UMA-defined variant of a WRAP Client of [OAuth20] client ("An HTTP client capable of making authenticated requests for protected resources using the OAuth protocol.") that seeks access to a Protected Resourceprotected resource.
Requesting Partyrequesting party: A web user, or a corporation (or other legal person), that uses a Requester requester to seek access to a Protected Resourceprotected resource.
Additional terminology
Terms in this section do not appear in the protocol spec, but we have found it to be useful to define them in addition, for non-normative/discussion purposes.
Primary Resource Userprimary resource user: A web user who who interacts with a Host host to store and manage Protected Resources protected resources there. The Primary Resource User primary resource user may be identical to the Authorizing User authorizing user of the same resource at that host, or they they may be different people.
...
UMAnize: To make a host UMA-protected. (Thanks to Domenico for that one.)
Discussion
(See the Law.com dictionary for some helpful definitions of legal terms.)
For our purposes in UMA 1.0, an authorizing user is always a natural person (a human being). By contrast, a requesting party may be a natural person (which we may think of as person-to-person sharing, such as "Alice to Bob" with the help of various online services in the middle), or it may be a legal person such as a company (which we may think of as person-to-service sharing because the service is run by a corporation or other organization, such as "Alice to a survey application run by InfoUSA").
It's possible, though unlikely in the typical case, that Bob will deploy an online service on his own behalf that manages the requesting of access to a resource of Alice's ("Alice to Bob's homegrown app"); in that case, it would be person-to-person just as in the first case. The nature of required claims could be different depending on which kind of sharing is taking place.
ISSUE: is this correct? Is this an equal option everywhere person-to-service is an option? In some cases, Alice herself will deploy an online service on her own behalf, for which it's convenient to set up a service-access relationship with some other service that Alice uses as a host. In this way, Alice can achieve person-to-self sharing ("Alice's calendar host to Alice's homegrown calendar subscription app"), which is akin to the type of data sharing and service access enabled by OAuth and WRAP with the addition of the centralized authorization manager component.So a requester can act on behalf of several different types of requesting party, which differ in the type of profile that the requester (or rather its embedded WRAP client component) must use to request an access token from the AM (or rather from the AM's embedded WRAP authorization server component):
Type of sharing | Example | WRAP profile type |
|---|---|---|
Person-to-person | Alice allows Bob, using a popular Web 2.0 address book compilation service, to retrieve her home address from her personal datastore service (host) | Autonomous client (possibly with an invisible-to-UMA interaction with Bob to gather his consent or ask him to provide more information to be packaged up as claims) |
Person-to-service | Alice allows InfoUSA's online service to collect her demographic data from a host site where she stores it | Autonomous client (where InfoUSA is the requesting party) |
Person-to-self | Alice allows her own requester app to access her geolocation hosting service in order to set and get her current location | User delegation (in which Alice, while interacting with her own requester app, is redirected to "herself" at the AM to log in and authorize the host-requester connection) |
A claim may be affirmative, representing a statement of fact (as asserted by the requesting or another claim issuer); or promissory, a promise (as asserted by the requesting party specifically to the authorizing user). A statement of fact might be "The requesting party is over 18 years of age." A promise might be "The requesting party will adhere to the specific Creative Commons licensing terms indicated by the AM." There are technical dimensions to expressing and conveying claims, but since UMA strives to provide enforceability of resource-access agreements, there may also be legal dimensions.
In cases where a claim constitutes acceptance of an access-sharing contract offer made by the authorizing user (as presented by the AM as his or her agent in requiring the claim), the authorizing user and requesting party are the parties to the contract, and all other legal or natural persons running UMA-related services involved in managing such access are intermediaries that are not party to the contract (though they might end up being third-party beneficiaries in some cases).
Where the primary resource user and the authoring user differ, there is likely to be an interaction (invisible to UMA) at the host service that allows (or forces) the primary resource user to designate an authorizing user, and an agreement that the authorizing user acts as the primary resource user's agent or guardian or similar.
References
| Anchor | ||||
|---|---|---|---|---|
|
http://www.ietf.org/rfc/rfc2119github.com/theRazorBlade/draft-ietf-oauth/raw/master/draft-ietf-oauth.txt
| Anchor | ||||
|---|---|---|---|---|
|
http://tools.ietf.org/html/draft-hardt-oauth-01
...