...
The UMA interfaces diagram maps out the relationships of UMA entities to OAuth entities, and UMA APIs to clients that call them.
The UMA Implementations page catalogues some known implementations, including open source.
The generic low-level UMA flow swimlane swimlane illustrates a sample realistic flow and points off to specific UMA specification sections.
The UMA Implementations page catalogues some known implementations, including open source.
Here is the source code:
participant "resource\nowner (RO)" as ROparticipant "resource\nserver (RS)" as RSparticipant "authorization\nserver (AS)" as ASparticipant "client\napp (C)" as Cparticipant "requesting\nparty (RqP)" as RqPnote over RO, RS, AS, C, RqPSample low-level UMA flow with photo access scenario; V1.0.1 spec referencesend noteRS-->RS: OOB Learn AS locationRS->AS: UMA1.4 Retrieve AS config dataAS->RS: UMA1.4 Return AS config dataAS->RS: UMA2 Issue client creds\n(can be dynamic)RS->RO: UMA1.3.1 Redirect to AS...RO->AS: ...to log in and consent to...AS->RS: ...PAT issuance (OAuth scope="uma_protection")\n(can use any grant flow, e.g. implicit or client creds)RO-->RS: OOB Choose resources to protectRO-->AS: OOB Configure policies (can happen after client attempts access)note over RS,ASAssume one static photo resource, simple scope stringsend noteRS->AS: RSR2.2.1 POST /resource_set\nat RSR endpoint with "view" and "print" scopesAS->RS: RSR2.2.1 201 Created; _id in body has {rsid}RqP-->C: OOB Provision protected resource locationC->RS: UMA3.1.1 Attempt GET /photo.jpg (view) at resource endpointRS->AS: UMA3.2.1 POST requested permission with “view”\nat permission registration endpointAS->RS: UMA3.2.3 Return permission ticketRS->C: UMA3.3.1 Return as_uri and permission ticketC->AS: UMA1.4 Retrieve AS configuration dataAS->C: UMA1.4 Return AS config dataAS->C: UMA2 Issue client creds\n(can be dynamic)C->RqP: UMA1.3.2 Redirect to AS...RqP->AS: ...to log in and consent to...AS->C: ...AAT issuance (OAuth scope="uma_authorization")\n(can use any grant flow, e.g. implicit or client creds)note over C,ASAssume complex interaction for argument's sakeend noteC->AS: UMA3.5.1 POST plain authz data request with\npermission ticket at RPT endpointAS-->AS: UMA3.5.2 Assess requestAS->C: UMA3.5.4 Return need_info with error_details hints:\nauthentication_context and claimsC->RqP: UMA3.6.1 Redirect to AS...RqP->AS: ...for...AS->C: ...step-up authenticationC->AS: UMA3.5.1 POST claim token with permission ticket\nat RPT endpointAS->C: UMA3.5.4 Return need_info with claims\nand redirect_userC->RqP: UMA3.6.3 Redirect to AS...RqP->AS: ...to provide claims in person...AS->C: ...until AS reports claims_submittedC->AS: UMA3.5.1 POST plain authz data request with\npermission ticket at RPT endpointAS->C: UMA3.5.3 Return success and RPTC->RS: UMA3.1.2 Attempt resource access with RPTnote over RS,AS: Assume default RPT profile and happy pathRS->AS: UMA3.4.2 POST to token introspection endpointAS->RS: UMA3.4.2 Return extended introspection objectRS-->RS: UMA3.3.3 Assess access attempt against\npermissions; has "view" scopeRS->C: UMA3.3.3 Enable photo viewingC->RS: UMA3.1.2 Attempt POST /photo.jpg (print) at resource endpoint with RPTnote over RS: Assume cache is allowed and freshRS-->RS: OOB Consult RPT cache; no “print” scopeRS->AS: UMA3.2.1 POST requested permission with “print”\nat permission registration endpointAS->RS: UMA3.2.3 Return permission ticketRS->C: UMA3.3.1 Return as_uri and permission ticketnote over C: Assume cache is allowed and freshC-->C: OOB Consult AS config data cachenote over C,ASAssume simple interaction\nfor argument's sake;\ncached claims OK for “print”;\nAS chooses to refresh RPT stringend noteC->AS: UMA3.5.1 POST plain authz data\nrequest with permission ticket\nat RPT endpointAS-->AS: UMA3.5.2 Assess requestAS->C: UMA3.5.3 Return success and new RPTC->RS: UMA3.1.2 Attempt resource access with RPTRS->AS: UMA3.4.2 POST to token introspection endpointAS->RS: UMA3.4.2 Return Return extended introspection objectRS-->RS: UMA3.3.3 Assess access attempt against\npermissions; has "print” scopeRS->C: UMA3.3.3 Enable photo printing