Abstract
This document contains non-normative release notes produced by the User-Managed Access Work Group explaining how new versions of the UMA specifications differ from previous ones.
Status
This document includes final release notes for the UMA V1.0.1 Recommendations and incomplete draft release notes for the UMA V2.0 Draft Recommendations.all versions of UMA.
Editor
- Eve Maler
Intellectual Property Notice
The User-Managed Access Work Group operates under Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version) and the publication of this document is governed by the policies outlined in this option.
The content of this document is copyright of Kantara Initiative. © 2018 Kantara Initiative
...
Table of Contents
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
...
Anchor | ||||
---|---|---|---|---|
|
This document contains non-normative release notes produced by the User-Managed Access Work Group explaining how new versions of the UMA specifications differ from previous ones. (tbs: complete all "tbs:" tasks throughout)
The UMA specifications use Semantic Versioning:
...
NOTE: Reading the release notes is not a substitute for reading the specifications carefully. In each specification release, much work is typically done to improve clarity and applicability for implementers and others. See the UMA Implementer's Guide for additional commentary.
The UMA specifications use Semantic Versioning:
Given a version number MAJOR.MINOR.PATCH, increment the:
- MAJOR version when you make incompatible API changes,
- MINOR version when you add functionality in a backwards-compatible manner, and
- PATCH version when you make backwards-compatible bug fixes.
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
The following shorthand terms and abbreviations are used in this document (see also the terminology, including abbreviations, defined in the specifications):
- AS: authorization server
- RS: resource server
- Core: UMA Core specification (applies to versions 1.0 and 1.0.1)
- RSR: OAuth Resource Set Registration specification (applies to versions 1.0 and 1.0.1)
- Grant: UMA Grant for OAuth Authorization (applies to version 2.0)
- FedAuthz: Federated Authorization for UMA (applies to version 2.0)
- I-D: IETF Internet-Draft specification
- Sec: section
Where a change relates to an a GitHub issue recorded in GitHub, the linked issue number is provided.
Differences and changes noted are between V2.0 and V1.0.x generally. Where the distinction between V1.0 and V1.0.1 is important, it will be noted; otherwise "UMA1" is used.
...
Anchor | ||||
---|---|---|---|---|
|
...
UMA1 to UMA V2.0
...
The UMA V2.0 Recommendations are User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 specifications Authorization (Grant, FedAuthz) (tbs: link to final) are in Draft Recommendation form. This section will be completed, and updated as required, as the specifications progress to Recommendation status.
Version Themes
The themes of this major version are to:
- Increase OAuth 2.0 alignment
- Improve Internet of Things readiness
- Improve readiness for "wide ecosystems", where the requesting party and AS have no pre-established relationship
Specification Reorganization and Conformance Levels
The two specifications were divided differently. Core and RSR were recombined into Grant (tbs: link to final) and FedAuthz (tbs: link to final), divided in this way:
- All communications of the client and requesting party with the AS moved to Grant. This specification formally defines an extension OAuth grant.
- The communications of the resource owner and resource server with the AS moved to FedAuthz. This includes:
- Policy setting (outside the scope of UMA)
- PAT issuance
- Protection API
- Resource registration (formerly in RSR)
- The RS's permission requests at the AS (formerly in Core)
- The RS's token introspection at the AS (formerly in Core)
It is now optional to implement the features appearing in FedAuthz; thus, this specification defines a conformance level. However, it is best to implement both specifications to receive the full benefits of "user-managed access".
(Note that drafts of 2.0 prior to late April 2017 used the 1.0.1 organizing principle.)
Summary of Terminology Changes
(256)
See also the next section for some endpoint naming changes.
V1.0.1 | V2.0 | Comments |
---|---|---|
configuration data | metadata, discovery document | For better clarity and OAuth alignment |
policies | authorization grant rules, policy conditions | For better consistency |
protection API token (PAT) | protection API access token (PAT) | For better clarity |
resource set, resource set registration | resource, resource registration (protected while registered) | For better clarity and OAuth alignment |
authorization API | UMA grant (an extension OAuth grant) | Result of redesign (tbs: point to 153/165 subsection) |
authorization API token (AAT) | goes away; a new related token is persisted claims token (PCT) | Result of redesign (tbs: point to 154/264 subsection) |
register a permission (for permission ticket) | request (one or more) permission(s) (on behalf of a client) | For better clarity |
trust elevation | authorization process and authorization assessment | Result of redesign (tbs: point to 266/310/317 subsection) |
claims pushing + claims gathering = (n/a) | claims pushing + claims gathering = claims collection | For better consistency |
step-up authentication | (n/a); just authorization process | Result of redesign (tbs: point to 154/264 subsection and 266/310/317 subsection) |
RPT as an UMA access token | RPT as an OAuth access token | Result of redesign (tbs: point to 153/165 subsection) |
Summary of API and Endpoint Changes
These design changes include some endpoint naming changes.
V1.0.1 | V2.0 | Comments |
---|---|---|
.well-known/uma-configuration | .well-known/uma2-configuration | |
OAuth endpoints:
| OAuth endpoints:
| Previously, the token endpoint issued both PATs and AATs. In V2.0, the token endpoint issues PATs, and now RPTs as well; there are no AATs. (Note that the authorization endpoint is used for authenticating resource owners only, not requesting parties.) |
Protection API:
| Protection API:
| |
Authorization API:
| n/a | The prior function of the RPT endpoint is served by the token endpoint. |
Requesting party claims endpoint | Claims interaction endpoint |
Authorization Server Discovery Document and Metadata Changes
Discovery Document and Metadata Simplification
UMA's endpoint and feature discovery mechanism was defined in total by its V1.0.1 Core specification. V2.0 makes use of the OAuth discovery mechanism instead. V2.0 also eliminates metadata fields already defined by the OAuth discovery or OpenID Connect specification. The Grant and FedAuthz specifications each define only the metadata fields they require. (59, 157, 159, 305)
Changes to AS-Client and RS-Client Interfaces (Including Requesting Party Interactions): Now the UMA Grant
All client-involved interfaces were codified in V2.0 as the UMA grant, an OAuth extension grant.
Permission Ticket Rotation
After the AS initially generates the permission ticket and the RS conveys it to the client, whenever the client subsequently approaches the AS token endpoint or redirects the requesting party to the AS claims gathering endpoint, the AS is required to rotate the value of the permission ticket every time it hands a ticket value back to the client. This action obsoletes any need for the Claims-Gathering Extension specification (see this explanation).
RPT Endpoint Removed and Extension Grant Defined
The specialized RPT endpoint was removed in favor of using the standard OAuth token endpoint. A formal extension OAuth grant was defined, working with regular OAuth capabilities and OAuth error codes to the extent possible. This enabled reuse of large portions of the threat model, the client type model, the ability to use client credentials to be authenticated at the token endpoint (see the next section for additional discussion). (153, 165)
tbs: to be continued...
Changes to the AS-RS Interface (Protection API): Now Federated Authorization
tbs: to be continued...known as "Grant") and Federated Authorization for User-Managed Access (UMA) 2.0 (known as "FedAuthz"). The official versions are downloadable from the Kantara Reports & Recommendations page; this document links to specific sections within the HTML versions.
Differences and changes noted are between V2.0 and V1.0.n generally; note that internal revision differences between UMA2 revisions are not tracked here. (You may find it helpful to refer to the Disposition of Comments document, a record of specification changes during the Public Comment periods late in their final review cycle, and the GitHub repository where the specifications are managed.) Where the distinction between V1.0 and V1.0.1 is important, it will be noted; otherwise the label "UMA1" is used.
The following sequence diagrams may be of assistance as brief summaries of changes made:
- Sequence diagram for Grant, highlighting key changes from UMA1
- Sequence diagram for FedAuthz, highlighting key changes from UMA1
Version Themes
The major themes of this version, as determined by the Work Group's 2016 roadmap planning process, were (along with constantly improving security) to:
- Increase OAuth 2.0 alignment
- Improve Internet of Things readiness
- Improve readiness for "wide ecosystems", where the requesting party and the resource owner's AS have no pre-established relationship
Specification Reorganization and Conformance Levels
The two specifications were divided differently until late April 2017. Core and RSR were recombined into Grant and FedAuthz, as follows:
- All communications of the client and requesting party with the AS appear in Grant. This specification formally defines an extension OAuth grant.
- All communications of the resource owner and resource server with the AS appear in FedAuthz. This includes:
- Policy setting (outside the scope of UMA)
- PAT definition and issuance
- Protection API
- Resource registration (previously, RSR specified only this endpoint/API and Core specified everything else)
- The RS's permission requests at the AS
- The RS's token introspection at the AS
- The formal profiles for API extensibility URIs
https://docs.kantarainitiative.org/uma/profiles/prot-ext-1.0
,https://docs.kantarainitiative.org/uma/profiles/authz-ext-1.0
, andhttps://docs.kantarainitiative.org/uma/profiles/rsrc-ext-1.0
were removed and replaced with recommendations (Grant Sec 4 and FedAuthz Sec 1.3) to define profiles as needed and to useuma_profiles_supported
metadata (Grant Sec 2) to declare them.
It is now optional to implement the features appearing in FedAuthz; thus, this specification effectively defines a conformance level. (Note: To receive the full benefits of "user-managed access", it is best to implement and use the features of both specifications.)
Anchor | ||||
---|---|---|---|---|
|
Note the following terminology changes made throughout the specifications. (256) See also Summary of API and Endpoint Changes below for naming changes made to some of the endpoints.
UMA1 | UMA2 | Comments |
---|---|---|
configuration data | metadata, discovery document | For better clarity and OAuth alignment |
policies | authorization grant rules, policy conditions | For better consistency |
protection API token (PAT) | protection API access token (PAT) | For better clarity and OAuth alignment |
resource set, resource set registration | resource, resource registration (protected while registered) | For better clarity and OAuth alignment |
authorization API | UMA grant (an extension OAuth grant) | Result of redesign (see Token Endpoint Replaces RPT Endpoint; Client-Side Communications Defined as Extension Grant) |
authorization API token (AAT) | goes away; a new related token is persisted claims token (PCT) | Result of redesign (see AAT Removed in Favor of PCT) |
register a permission (for permission ticket) | request (one or more) permission(s) (on behalf of a client) | For better clarity |
trust elevation | authorization process and authorization assessment | Result of redesign (see Authorization Assessment Gains Precision) |
claims pushing + claims gathering = (n/a) | claims pushing + claims gathering = claims collection | For better consistency |
step-up authentication | (n/a); just authorization process | Result of redesign (see AAT Removed in Favor of PCT andAuthorization Assessment Gains Precision) |
RPT as an UMA access token | RPT as an OAuth access token | Result of redesign (see Token Endpoint Replaces RPT Endpoint; Client-Side Communications Defined as Extension Grant) |
Anchor | ||||
---|---|---|---|---|
|
These design changes include naming changes made to some of the endpoints.
UMA1 | UMA2 | Comments |
---|---|---|
.well-known/uma-configuration | .well-known/uma2-configuration | The same authorization server can have two different discovery endpoints, one serving UMA1 metadata and one serving UMA2 metadata. |
OAuth endpoints:
| OAuth endpoints:
| Previously, the token endpoint issued both PATs and AATs. Now the token endpoint issues PATs and RPTs; there are no AATs. (Note that the authorization endpoint is used for authenticating resource owners only, not requesting parties.) |
Protection API:
| Protection API (now OPTIONAL):
| In the case of the first two endpoints, there are both design (primarily syntax) and naming differences, which also affects their corresponding metadata in the authorization server discovery document. |
Authorization API:
| - | In UMA2, there is no authorization API. The prior function of the RPT endpoint is served by the existing OAuth token endpoint. |
Requesting party claims endpoint | Claims interaction endpoint | This is just a naming difference. |
Authorization Server Discovery Document and Metadata Changes
Discovery Document and Metadata Simplification
UMA1's endpoint and feature discovery mechanism was defined in total by its Core specification. UMA2 makes use of the OAuth Authorization Server Discovery mechanism instead (still in Internet-Draft form at the time of UMA2 publication), eliminating metadata fields already defined by the OAuth discovery or OpenID Connect specification. The Grant (Sec 2) and FedAuthz (Sec 2) specifications each define only the metadata fields they require. (59, 157, 159, 305)
Definition of OAuth Dynamic Client Registration Metadata Field
The new metadata field claims_redirect_uris
enables the client to pre-register claims redirection URIs. (Grant Sec 2, Sec 3.3.2, Sec 7.3) (337 sub-issues c and d)
permissions Claim and Sub-Claims in Token Introspection Object Not Requested to Be IANA-Registered as JWT Claims
Previously, it was intended to make an IANA registration request of the claims inside the introspection object as independent JWT claims. This would enable them to be formally used in RPTs, such that an RS can validate the access token locally with these claims packed inside it. Because of potential security and privacy considerations, it was determined not to define this token format for now. (FedAuthz Sec 9) (334)
Changes to AS-Client, RS-Client, and AS-Requesting Party Interfaces (Now UMA Grant Specification)
Authorization Server Rotates Permission Ticket
After the AS initially generates the permission ticket and the RS conveys it to the client, whenever the client subsequently approaches the AS token endpoint or redirects the requesting party to the AS claims gathering endpoint, the AS is required to rotate the value of the permission ticket every time it hands a permission ticket value back to the client (Grant Sec 3.3.3, Sec 3.3.6). This action obsoletes the need for the UMA Claims-Gathering Extension for Enhanced Security specification (see this explanation of that specification for more information).
Anchor | ||||
---|---|---|---|---|
|
The specialized RPT endpoint was removed in favor of using the standard OAuth token endpoint (Grant Sec 3.3.1). A formal extension OAuth grant was defined (same section), working with regular OAuth capabilities and OAuth error codes to the extent possible (Sec 3.3.6). This enabled reuse of large portions of the threat model and the client type model, along with the ability for the client to request scopes and to authenticate using its own client credentials at the token endpoint (see the next section for additional discussion). (153, 165)
Anchor | ||||
---|---|---|---|---|
|
An end-user requesting party no longer needs to mediate issuance of an AAT at the AS, and the client no longer needs to use an AAT in order to request a token; it simply uses its own client credentials at the OAuth token endpoint as in a normal grant (see Token Endpoint Replaces RPT Endpoint and Client-Side Communications Defined as Grant). Thus, the first time the requesting party needs to interact with the AS, if at all, is to provide claims interactively when redirected by the client as part of claims collection. This is in contrast to UMA1, where an end-user requesting party would have been expected to engage in an interactive OAuth flow to log in and then authorize AAT issuance at the AS's authorization endpoint. In UMA1, the (required) AAT could have been used by the AS as a reminder of claims about the current requesting party. In UMA2, the (optional) PCT is available to serve in this capacity instead, without the OAuth mechanism being involved (Grant Sec 3.3.1). Note that UMA2 does not require the AS to involve the requesting party in an interactive flow authorizing PCT issuance (Grant Sec 3.3.3). (154, 264)
Deprecated Response-Body Permission Ticket Return Option By RS Removed
In UMA V1.0.1 the RS was able to return the initial permission ticket to the client in the response body for backwards compatibility with UMA V1.0, but this option was deprecated; now this option has been removed. (233)
Permission Ticket Return By AS With Redirect-User Hint No Longer Deprecated
In UMA V1.0.1 the AS was able to return the permission ticket to the client along with the redirect_user
hint, but the client was not supposed to depend on ticket accuracy, and the supply of this ticket was deprecated. Now all permission tickets directly supplied by the AS are rotated and the value is safe for the client to depend on (Grant Sec 3.3.6). (233)
More Discretionary Permission Requests
The instruction for the RS to request permissions on the client's behalf (which can be a private interface or the standardized interface governed by FedAuthz) is now defined as a recommendation ("SHOULD") to be reasonable for the client's resource request, rather than being required to meet it ("minimally suffices"). The UMA Implementer's Guide has a section on Considerations Regarding Resource Server Permission Requests that explains how and why this level of discretion is more appropriate.
need_info Response Structured Flattened
The JSON nested object structure of the need_info
error response from the AS has been flattened. Now it directly contains a permission ticket and either a required_claims
or a redirect_user
hint (or both) (Grant Sec 3.3.6). (237, 308)
not_authorized Error Renamed to request_denied
The UMA1 error not_authorized
has been renamed to request_denied
. Note that this error was re-added only in a later revision of UMA2. See the UMA Implementer's Guide section called Understanding Authorization Server Response Options From the Token Endpoint to understand AS error semantics. (Grant Sec 3.3.6) (340)
Added interval parameter to request_submitted Error
An optional interval
parameter was added to the request_submitted
error to enable the AS to inform the client about appropriate polling intervals. (Grant Sec 3.3.6) (341)
New Refresh Token Clarity
It has been clarified that the AS can issue a refresh token and the client can use the refresh token grant to attempt to get a new RPT with it (Grant Sec 3.3.5, Sec 3.6). (238, 284)
Anchor | ||||
---|---|---|---|---|
|
Inputs to authorization assessment and results calculation are more normative and precise. It is also now possible for permissions with zero scopes to be granted (Grant Sec 3.3.4). (266, 310, 317)
Permission Ticket Ecosystem Rationalized
The permission ticket generation ecosystem has been rationalized. In UMA2, a permission ticket is always generated, and the value rotated, in cases of a redirect back from the claims interaction endpoint and in cases of need_info
and request_submitted
errors from token endpoint requests, and never in cases of other errors. An authorization process is still ongoing while the authorization server is still generating permission tickets. (275, 279, 298)
Only One Pushed Claim Token Now Allowed at a Time
In UMA1, the mechanism for claim token pushing was a JSON-encoded request message sent to the RPT endpoint, optionally including with a claim_tokens
array each of whose objects had a format
parameter and a token
parameter. In UMA2 (Grant Sec 3.3.4), , due to increased alignment with OAuth, this structure was flattened and the request message – now sent to the token endpoint as application/x-www-form-urlencoded
format – contains each of the inner parameters only once. (If it is desired to send multiple claim tokens in a single request message, a compound claim token format could be defined.)
RPT Upgrading Logic Improved
UMA2 includes more comprehensive and normative logic around RPT upgrading (Grant Sec 3.3.5, Sec 3.3.5.1). (281)
Token Revocation Clarifications
UMA2 includes more comprehensive and normative text around token revocation, and defines a token type hint for PCTs (Grant Sec 3.7). (295)
Refresh Token Grant and Downscoping Logic Clarifications
UMA2 ensures that the logic of downscoping during token refreshing is properly defined given that UMA scopes are bound to resources, and clarifies that the AS does not perform authorization assessment in this context (Grant Sec 3.6). (306)
Changes to AS-RS Interface/Protection API (Now Federated Authorization Specification)
Resource Registration Endpoint
Extraneous URL Parts Removed From Resource Registration API
The API available at the resource registration endpoint required the path to contain the string resource_set
. This string has ben removed (FedAuthz Sec 3.2). (155)
Scope Description Documents No Longer Expected to Resolve at Run Time When Scopes Are URLs
The AS is no longer expected to resolve scope description details at resource registration time or at any other run-time requirement (FedAuthz Sec 3.1.1). (269)
Resource Descriptions Lose uri Parameter
The uri
parameter in the resource description was removed due to potential security and privacy concerns. (FedAuthz Sec 3.1) (270)
Resource and Scope Description Documents Gain Description Parameters
Resource description documents and scope description documents each now have a new parameter, description
, for a human-readable string describing the resource or scope (respectively) at length. (271, 272)
scopes Parameter in Resource Description Document Renamed to resource_scopes
The scopes
parameter in the resource description document has been renamed to resource_scopes
(FedAuthz Sec 3.1). (318)
New HTTP 400 and invalid_request Error
For a typical variety of malformed-request errors, a response of an HTTP 400 (Bad Request) status code and an optional invalid_request
error code is now defined. (FedAuthz Sec 3.2) (354-1)
Permission Endpoint
Requesting Multiple Permissions and Permissions With Zero Scopes
It is now possible for the RS to request multiple permissions on the client's behalf, not just one; this enables the RS to request "packages" of multiple resources that are likely to need to be accessed together. It is also possible for the RS to supply zero scopes on a requested permission (FedAuthz Sec 4.1); this is because the client can request its own scopes directly from the AS (for more discussion see Token Endpoint Replaces RPT Endpoint; Client-Side Communications Defined as Extension Grant). (317)
Token Introspection Endpoint
scopes parameter renamed to resource_scopes in Introspection Response Object
The scopes
parameter in the token introspection response object has been renamed to resource_scopes
(FedAuthz Sec 5.1.1). (158)
Anchor | ||||
---|---|---|---|---|
|
In UMA2, the RPT is explicitly a type of OAuth access token, and it has been clarified that the token can be self-contained and valided locally by the RS, or introspected at the AS at run time, or its cached value used as appropriate (FedAuthz Sec 5). (261)
permissions Claim in Token Introspection Object Must Be Used
If token introspection is used (see Options Not to Use Token Introspection Explicitly Allowed), the introspection object can no longer be extended to replace the permissions
claim with an entirely different structure. (322)
permission Claim exp Sub-Claim's Meaning If Absent Removed
The statement about the permission
claim's exp
sub-claim not expiring if it is absent was removed for the multi-part rationale given in the linked issue. (337 sub-issue a)
...
Anchor | ||||
---|---|---|---|---|
|
...
Previously, the security considerations around accepting policy-setting context information from an incompletely trusted AS were not covered. Now they cover the user_access_policy_uri
property, which is the only policy-setting context information passed from AS to RS. (185) (RSR Sec 4)
Specification Reorganizations
The specifications, particularly Core Sec 3, were reorganized in the fashion of OpenID Connect, with the goal of giving a subsection to every request and response message. Other notable changes include:
...
Anchor | ||||
---|---|---|---|---|
|
Following is a catalog of notable changes to the specifications in the pre-V1.0 timeframe.
Core Changes
Internet-Draft Rev 11 to Rev 12
...
- We decided not to progress this specification in its current form, so we will let it expire and will not reference it from Core.
...
...
Anchor | ||||
---|---|---|---|---|
|
Change History |
---|
...