...
- A comprehensive technical report published under the auspices of Newcastle University called User-Managed Access to Web Resources (also available on ncl.ac.uk site) explains the requirements that drive UMA, analyzes the design features that respond to these requirements, and reviews related work.
- A ReadWriteWeb article, Identity Management and Networks: The Enterprise Considers the Social Way from 23 Sep 2010, discusses UMA's potential impact.
- Group chair Eve Maler has written about UMA and its predecessor, ProtectServe, here.
- Some older historical materials (may be out of date) explain the original thinking behind UMA and its predecessor, ProtectServe, and a poster (best printed on A0-A3 paper; 8.5x11 or 8.5x14 is okay but small) was presented at the IEEE Security and Privacy symposium poster session.
...
- tinyurl.com/umawg: wiki home page
- tinyurl.com/umafaq: this FAQ
- tinyurl.com/umav1: UMA Core home page (with list of breaking/notable changes in drafts)
- tinyurl.com/umatrust: Binding Obligations home page
- tinyurl.com/umacore: latest Core spec
- tinyurl.com/oauthrsr: latest Resource Set Registration spec
- tinyurl.com/umacase: UMA case studies page
- tinyurl.com/umaam20: Access Management 2.0 case study
- tinyurl.com/umaiiot: industrial IoT case study
- tinyurl.com/uma1iop: interop home page
Further reading:
- UMA Case Studies
- Latest specification of the UMA profile of OAuth
- UMA's binding obligations specification for dealing with contractual obligations
...
With UMA, Alice can manage all these types of sharing in a unified way, from a single web-application point of control called an "authorization server". She can set policies that guide the authorization server in allowing or disallowing access by clients to protected resources at resource servers.
Further reading:
- UMA Case Studies
- Latest specification of the UMA profile of OAuth
...
Phase 1 of the UMA core protocol involves the resource owner introducing the resource server and authorization server so they can work together. Phases 2 and 3 together involve the requesting party, using a client, making an access attempt, being tested for suitability by the authorization server to receive permission, and ultimately succeeding or failing in the attempt by presenting a token with permissions associated with it.
Further reading:
...
...
UMA's Relationship to Other Efforts
...
The specifications related to the UMA web protocol are being incubated in the Kantara Initiative, with the intent to contribute the draft work to the IETF. UMA specification draft modules have variously been contributed as IETF individual Internet-Drafts. One such draft so far, covering dynamic client registration, was accepted as an OAuth WG work item, an item that has now progressed.
Further reading:
- Kantara Initiative UMA WG charter
- IETF I-D on UMA profile of OAuth (may not be perfectly up to date compared to internal drafts)
- IETF I-D on Resource Set Registration
- OAuth WG status page
...
- Latest specification of the UMA profile of OAuth (see the terminology section)
- OAuth's RFCs: 6749 and 6750
- UMA's binding obligations specification (see the terminology discussions)
- UMA historical materials
Does UMA make use of the JSON format or JSON Web Tokens (JWT)?
...
The default, mandatory-to-implement token format for UMA "requesting party tokens" (RPTs, the token that a client presents to a resource server when trying to access a protected resource) is opaque on the wire, and a resource server introspects it at the authorization server at run time. Its format is JWT, with an extension property called "permissions" that takes into account UMA's extended concept of resource set scopes.
Further reading:
- UMA 1.0 Core Protocol
- Draft IETF I-D for token introspection
- Compendium of JWT specification links
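As an added illustration of phases 2 and 3 and of the RPT handling described above (example code written for this FAQ, not part of any UMA specification or implementation), the sketch below plays the resource server's role: it treats the RPT as an opaque string, "introspects" it at a simulated authorization server, and decides from the returned `permissions` entries (`resource_set_id`, `scopes`, `exp`, `nbf`, following UMA 1.0 Core's introspection response) whether the client's attempt succeeds. The token strings, resource set ids, `as_uri`, the in-memory token table and the `introspect`/`register_permission` stand-ins are all constructed for the example; a real resource server would make HTTP calls to the authorization server's endpoints instead.

```python
"""Resource-server side of UMA phases 2/3: checking an opaque RPT by introspection."""

NOW = 1_700_000_000  # fixed clock so the constructed sample data is deterministic

# Constructed authorization-server state: what introspecting each opaque RPT
# would return. Field names follow UMA 1.0 Core's introspection response
# ("active" from OAuth token introspection plus a "permissions" array);
# every token string and resource set id here is invented for this example.
AS_TOKEN_TABLE = {
    "rpt-alice-photos": {
        "active": True,
        "permissions": [
            {"resource_set_id": "rs-photos", "scopes": ["view"], "exp": NOW + 3600},
            {"resource_set_id": "rs-calendar", "scopes": ["view", "edit"],
             "nbf": NOW + 600, "exp": NOW + 7200},
        ],
    },
    "rpt-stale": {
        "active": True,
        "permissions": [
            {"resource_set_id": "rs-photos", "scopes": ["view"], "exp": NOW - 1},
        ],
    },
    "rpt-revoked": {"active": False},
}


def introspect(rpt):
    """Stand-in for the AS introspection endpoint (assumed, not UMA's wire format).
    The resource server never decodes the RPT itself; it asks the AS."""
    return AS_TOKEN_TABLE.get(rpt, {"active": False})


def register_permission(resource_set_id, scopes):
    """Stand-in for the AS permission-registration endpoint: after a failed
    attempt the RS asks the AS for a permission ticket describing what the
    client tried to do (ticket value is constructed)."""
    return {"ticket": f"ticket-{resource_set_id}-{'+'.join(scopes)}"}


def authorize(rpt, resource_set_id, scope, now=None):
    """Return (allowed, reason) for a client presenting `rpt` to use `scope`
    on `resource_set_id`. A permission grants access only if it names the
    resource set, is inside its nbf/exp window, and lists the scope."""
    now = NOW if now is None else now
    result = introspect(rpt)
    if not result.get("active"):
        return False, "token inactive or unknown"
    reasons = []
    for perm in result.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if "nbf" in perm and now < perm["nbf"]:
            reasons.append("permission not yet valid")
            continue
        if "exp" in perm and now >= perm["exp"]:
            reasons.append("permission expired")
            continue
        if scope in perm.get("scopes", []):
            return True, "ok"
        reasons.append("scope not granted")
    return False, reasons[0] if reasons else "no permission for resource set"


def handle_request(rpt, resource_set_id, scope, as_uri="https://as.example.invalid"):
    """Build the RS's response: 200 on success, otherwise 403 carrying the AS
    location and a freshly registered permission ticket so the client can go
    back to the AS and try to obtain an adequate RPT. The reason is kept under
    "log" for the RS's own records rather than sent to the client."""
    allowed, reason = authorize(rpt, resource_set_id, scope)
    if allowed:
        return {"status": 200, "body": {"resource_set_id": resource_set_id, "scope": scope}}
    ticket = register_permission(resource_set_id, [scope])["ticket"]
    return {
        "status": 403,
        "headers": {"WWW-Authenticate": f'UMA realm="example", as_uri="{as_uri}"'},
        "body": {"ticket": ticket},
        "log": reason,
    }


if __name__ == "__main__":
    print(handle_request("rpt-alice-photos", "rs-photos", "view"))
    print(handle_request("rpt-alice-photos", "rs-calendar", "edit"))
    print(handle_request("rpt-revoked", "rs-photos", "view"))
```

The point the sketch makes is that every decision comes from the authorization server's answer, not from anything the resource server parses out of the token, and that a failed attempt ends with a ticket pointing the client back to the authorization server rather than with a bare denial.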
...
- Venn quick-reference slides describing the relationships among OAuth, OpenID Connect, and UMA
- UMA Requirements
- UMA's binding obligations specification (see the terminology discussions)
- OpenID Connect specifications
- UMA and Personal Clouds webinar on 19 June 2014 (slides, SlideShare, recording)
...
Further reading:
- Privacy by Design website
- Privacy by Design Implications of UMA paper
How can UMA make requesting parties adhere to the user's wishes for privacy and data usage control?
...
UMA is shooting for a reasonable minimum level of enforceability of authorization agreements, so that if the requesting side goes against your express wishes – wishes they promised to adhere to – then you have a meaningful chance of taking them to court over it.
Further reading:
- UMA Requirements
- UMA Binding Obligations framework
- W3C workshop position paper on Controlling Data Usage with UMA
...
The "UMAnitarians" hail variously from South America, North America, Europe, the UK, Australia, and Japan.
Further reading:
Social networking has made people too willing to share their data. Won't UMA make this worse? How do we get to truly controlled sharing?
...
- UMA and Personal Clouds webinar on 19 June 2014 (slides, SlideShare, recording)
- FAQ: What is required to make a UMA deployment model "legal" from a privacy, consent, and agency standpoint?
- UMA Binding Obligations framework
- Blog post: UMA: Trust in a distributed authorization system
...
- UMA and Personal Clouds webinar on 19 June 2014 (slides, SlideShare, recording)
- FAQ: What is required to make a UMA deployment model "legal" from a privacy, consent, and agency standpoint?
- UMA Binding Obligations framework
- Blog post: UMA: Trust in a distributed authorization system
...
We are aware of several major implementations.
Further reading:
- Implementations page
- UMA and Personal Clouds webinar on 19 June 2014 (slides, SlideShare, recording)
- SMARTAM implementation FAQ
- Fraunhofer AISEC implementation FAQ
- OpenUMA project page
Have there been any usability studies on UMA?
...
- UMA and Personal Clouds webinar on 19 June 2014 (slides, SlideShare, recording)
- SMARTAM implementation FAQ
Why externalize authorization?
...