{"type":"doc","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://en.wikipedia.org/wiki/User-Managed_Access"}},{"text":" ","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fix links, and first 2 sections","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Revist other sections","type":"text"}]}]}]},{"type":"paragraph"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"{{Cite web|url=","type":"text"},{"text":"http://kantarainitiative.org/confluence/display/uma/Charter|title","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/Charter%7Ctitle"}}]},{"text":" = Charter - WG - User Managed Access - Kantara Initiative}}","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"{{Cite web|url=","type":"text"},{"text":"https://kantarainitiative.org/confluence/display/LC/User+Managed+Access|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://kantara.atlassian.net/wiki/display/LC/User+Managed+Access%7Ctitle"}}]},{"text":" = User Managed Access - Leadership Council - Kantara Initiative}}","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"{{Cite web|url=","type":"text"},{"text":"http://kantarainitiative.org/confluence/display/uma/Case+Studies|title","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/Case+Studies%7Ctitle"}}]},{"text":" = Case Studies - WG - User Managed Access - Kantara Initiative}}","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/Home","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/Home"}}]},{"text":" UMA Work Group Wiki","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/Meetings+and+Minutes?src=contextnavchildmode","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/Meetings+and+Minutes?src=contextnavchildmode"}}]},{"text":" UMA workgroup meeting minutes","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"{{Cite web|url=","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/Home|title","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/Home%7Ctitle"}}]},{"text":" = Home - WG - User Managed Access - Kantara Initiative}}","type":"text"}]},{"type":"paragraph"}]}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"{{Cleanup bare URLs|date=August 2022}}","type":"text"},{"type":"hardBreak"},{"text":"'''User-Managed Access''' (UMA) is an [[OAuth#OAuth 2.0|OAuth]]-based access management protocol standard that “enables a resource owner to control the authorization of [[Data shaping|data sharing]] and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party”[1]","type":"text"}]},{"type":"paragraph","content":[{"text":"Version 2.0 of the standard was approved by the [[Kantara Initiative]] on ","type":"text"},{"text":"March 23, 2015","type":"text","marks":[{"type":"textColor","attrs":{"color":"#bf2600"}},{"type":"strong"}]},{"text":".[2]","type":"text"}]},{"type":"paragraph"},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"UMA has privacy and consent implications for web and mobile applications","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"fine-grained control","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"async policy management","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"privacy and consent needs","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"including use-cases in Health and Financial sectors, as explored by the collection of case studies contributed by participants in the standards group.[3]","type":"text"}]}]}]},{"type":"paragraph"},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"== History and background ==","type":"text"}]},{"type":"paragraph","content":[{"text":"The [[Kantara Initiative|Kantara Initiative's]] UMA Work Group[4] held its first meeting[5] on August 6, 2009. UMA's design principles and technical design have been informed by previous work by Sun Microsystems employees, begun in March 2008, on a protocol called ProtectServe. In turn, ProtectServe was influenced by the goals of the [[Vendor Relationship Management]] movement and an offshoot effort called feeds-based VRM.","type":"text"}]},{"type":"paragraph","content":[{"text":"ProtectServe and UMA's earliest versions leveraged the [[OAuth]] 1.0 protocol. As OAuth underwent significant change through the publication of the Web Resource Authorization Protocol (WRAP) specification and, subsequently, drafts of OAuth 2.0, the UMA specification has kept pace, and it now uses the OAuth 2.0 family of specifications for several key protocol flows.","type":"text"}]},{"type":"paragraph","content":[{"text":"Version 1.0 of the standard was approved by the [[Kantara Initiative]] on ","type":"text"},{"text":"March 23, 2015","type":"text","marks":[{"type":"textColor","attrs":{"color":"#bf2600"}},{"type":"strong"}]},{"text":".[X] and was updated to Version 2.0 on ","type":"text"},{"text":"DATE","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"UMA is open to any means of user identification as required by the use case, and does not depend on OpenID Connect. However, it optionally uses the OpenID Connect protocol as a means of collecting identity claims from a requesting party in order to attempt to satisfy the authorizing user's access policy.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"should this also reference VCs as a means to collect claims?","type":"text"},{"type":"hardBreak"},{"text":" UMA does not use or depend on OpenID Connect as a means of user identification. However, it optionally uses the OpenID Connect protocol as a means of collecting identity claims from a requesting party in order to attempt to satisfy the authorizing user's access policy.","type":"text","marks":[{"type":"strike"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"text":"UMA does not dictate policy format, as policy evaluation is performed internally to the authorization server (AS) from the UMA perspective. ","type":"text"},{"type":"hardBreak"},{"text":"UMA also does not use or depend on the eXtensible Access Control Markup Language ([[XACML]]) as a means of encoding user policy or requesting policy decisions. However, XACML could be used to implement the policies inside the AS. Its implementation is out-of-scope of UMA. The UMA protocol flows for requesting access permission have some features in common with the XACML protocol. ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"maybe not need to call out XACML, there are lots of ways to model fine-grained policies at the AS and it’s up the the implementation","type":"text"},{"type":"hardBreak"}]}]}]},{"type":"paragraph","content":[{"text":"== Standardization status ==","type":"text"}]},{"type":"paragraph","content":[{"text":"The UMA group conducts its work in the Kantara Initiative[6] and has also contributed a series of Internet-Draft specifications to the [[Internet Engineering Task Force]] (IETF) as an eventual home for UMA standardization work. To this end, the WG has contributed several individual Internet-Drafts to the IETF for consideration. One of these, a specification for OAuth dynamic client registration,","type":"text"},{"type":"inlineCard","attrs":{"url":"http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg"}},{"text":" Internet Draft: OAuth 2.0 Dynamic Client Registration Core Protocol served as input for the more generalized mechanism ultimately developed for OAuth.{{Cite journal|url=","type":"text"},{"text":"https://tools.ietf.org/html/rfc7591|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc7591%7Ctitle"}}]},{"text":" = OAuth 2.0 Dynamic Client Registration Protocol|date = July 2015|last1 = Richer|first1 = Justin|last2 = Jones|first2 = Michael|last3 = Bradley|first3 = John|last4 = Machulak|first4 = Maciej|last5 = Hunt|first5 = Phil| editor-first1=J | editor-last1=Richer | doi=10.17487/RFC7591 |doi-access = free}}","type":"text"},{"type":"hardBreak"},{"text":"UMA was presented to the OAuth Working Group{{Cite web|url=","type":"text"},{"text":"https://datatracker.ietf.org/wg/oauth/about/|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/wg/oauth/about/%7Ctitle"}}]},{"text":" = Home - WG - Web Authorization Protocol (Oauth) - IETF}} at the IETF 104 conference in March 2019,{{Cite web|url=","type":"text"},{"text":"https://datatracker.ietf.org/meeting/104/materials/minutes-104-oauth-00|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/meeting/104/materials/minutes-104-oauth-00%7Ctitle"}}]},{"text":" = IETF104 - oauth WG - meeting minutes }} but that did not result in any UMA specifications being adopted by the IETF.","type":"text"}]},{"type":"paragraph","content":[{"text":"== Implementation and adoption status ==","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"this section needs verification of the references, UMA 2 only?","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"subsection for UK Pensions Dashboard? other production use-cases?","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The UMA core protocol has several implementations,{{Cite web|url=","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/UMA+Implementations|title","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/UMA+Implementations%7Ctitle"}}]},{"text":" = UMA Implementations - WG - User Managed Access - Kantara Initiative}} including several open source implementations. Sources of active and available open-source implementations include [[ForgeRock]],{{Cite web|url=","type":"text"},{"text":"http://forgerock.org/openuma/|title","type":"text","marks":[{"type":"link","attrs":{"href":"http://forgerock.org/openuma/%7Ctitle"}}]},{"text":" = Digital Identity for Consumers and Workforce | ForgeRock}} Gluu,","type":"text"},{"text":"http://www.gluu.org/open-source/open-source-vs-on-demand/","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.gluu.org/open-source/open-source-vs-on-demand/"}}]},{"text":" {{Webarchive|url=","type":"text"},{"text":"https://web.archive.org/web/20140209133913/http://www.gluu.org/open-source/open-source-vs-on-demand/","type":"text","marks":[{"type":"link","attrs":{"href":"https://web.archive.org/web/20140209133913/http://www.gluu.org/open-source/open-source-vs-on-demand/"}}]},{"text":" |date=2014-02-09 }} Gluu OSS implementation of UMA IDENTOS Inc.,","type":"text"},{"type":"inlineCard","attrs":{"url":"https://identos.com/"}},{"text":" IDENTOS Inc. Federated Privacy Exchange (FPX) MITREid Connect,","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/uma%7B%7BDead"}},{"text":" link|date=July 2018 |bot=InternetArchiveBot |fix-attempted=yes }} [[Atricore]], Node-UMA,","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/atricore/node-uma/"}},{"text":" [[Atricore]] OSS implementation of UMA for Node.js Roland Hedberg,{{Cite web|url=","type":"text"},{"type":"inlineCard","attrs":{"url":"https://github.com/rohe/pyuma%7Ctitle"}},{"text":" = Rohe/Pyuma|website = [[GitHub]]|date = 22 January 2018}} [[Keycloak]],{{Cite web |url=","type":"text"},{"text":"http://www.keycloak.org/docs/4.0/release_notes/index.html","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.keycloak.org/docs/4.0/release_notes/index.html"}}]},{"text":" |title=Keycloak 4.0.0.Final |access-date=2019-03-05 |archive-date=2019-03-06 |archive-url=","type":"text"},{"text":"https://web.archive.org/web/20190306234830/https://www.keycloak.org/docs/4.0/release_notes/index.html","type":"text","marks":[{"type":"link","attrs":{"href":"https://web.archive.org/web/20190306234830/https://www.keycloak.org/docs/4.0/release_notes/index.html"}}]},{"text":" |url-status=dead }} and [[WSO2 Identity Server]].{{Cite web|url=","type":"text"},{"text":"https://docs.wso2.com/display/IS580/User+Managed+Access|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.wso2.com/display/IS580/User+Managed+Access%7Ctitle"}}]},{"text":" = User Managed Access - Identity Server 5.8.0 latest - WSO2 Documentation}} A Kantara Initiative group is working on developing \"free and open-source software (FOSS), in several popular programming languages, that empowers developers to incorporate UMA protection and authorization API enablement into applications, services, and devices\".{{Cite web |url=","type":"text"},{"text":"http://kantarainitiative.org/confluence/display/umadev/Home","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantarainitiative.org/confluence/display/umadev/Home"}}]},{"text":" |title=Home - WG - User-Managed Access Developer Resources - Kantara Initiative |access-date=2015-08-13 |archive-date=2016-02-16 |archive-url=","type":"text"},{"text":"https://web.archive.org/web/20160216134803/http://kantarainitiative.org/confluence/display/umadev/Home","type":"text","marks":[{"type":"link","attrs":{"href":"https://web.archive.org/web/20160216134803/http://kantarainitiative.org/confluence/display/umadev/Home"}}]},{"text":" |url-status=dead }}","type":"text"}]},{"type":"paragraph","content":[{"text":"UMA-enabled products are available from Gluu,{{Cite web |url=","type":"text"},{"text":"http://www.gluu.org/gluu-server/access-management/","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.gluu.org/gluu-server/access-management/"}}]},{"text":" |title=Web Access Management | the Gluu Server for SSO, WAM, & 2FA | Gluu |access-date=2015-08-13 |archive-date=2015-08-05 |archive-url=","type":"text"},{"text":"https://web.archive.org/web/20150805132945/http://www.gluu.org/gluu-server/access-management/","type":"text","marks":[{"type":"link","attrs":{"href":"https://web.archive.org/web/20150805132945/http://www.gluu.org/gluu-server/access-management/"}}]},{"text":" |url-status=dead }} Jericho Systems,<","type":"text"},{"text":"https://www.jerichosystems.com/company/pr04082015.html>","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.jerichosystems.com/company/pr04082015.html%3C/ref%3E%3E"}}]},{"text":" ForgeRock,{{Cite web|url=","type":"text"},{"text":"https://www.forgerock.com/platform/user-managed-access/|title","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.forgerock.com/platform/user-managed-access/%7Ctitle"}}]},{"text":" = User-Managed Access (UMA) - ForgeRock}} IDENTOS Inc.{{Cite web|url=","type":"text"},{"text":"https://identos.com/products-federated-privacy-exchange-fpe/|title=Federated","type":"text","marks":[{"type":"link","attrs":{"href":"https://identos.com/products-federated-privacy-exchange-fpe/%7Ctitle=Federated"}}]},{"text":" Privacy Exchange - by IDENTOS}} and WSO2 Identity Server ","type":"text"}]},{"type":"paragraph","content":[{"text":"== Comparison to OAuth 2.0 ==","type":"text"}]},{"type":"paragraph","content":[{"text":"[[File:User Managed Access entities and relationships.png|thumb|This diagram provides a high level overview of the entities and relationships involved in the UMA specification.]]","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"this diagram needs an update to UMA 2. Could use the version from UMA Fedz. Add some numbers for protocol flow?","type":"text"}]}]}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"The diagram (see right) highlights key additions that UMA makes to OAuth 2.0.","type":"text"}]},{"type":"paragraph","content":[{"text":"In a typical OAuth flow, a human resource owner (RO) operating a client application is redirected to an authorization server (AS) to log in and consent to the issuance of an access token so that the client application can gain access to the resource server (RS) on the RO’s behalf in future, likely in a scoped (limited) fashion. The RS and AS are in all likelihood operating within the same security domain, and any communication between them is not standardized by the main OAuth specification.","type":"text"}]},{"type":"paragraph","content":[{"text":"UMA adds three main concepts and corresponding structures and flows. First, it defines a standardized API at the AS, called the protection API, that the RS speaks to; this enables multiple RS’s to communicate with one AS and vice versa, and because the API is itself secured with OAuth, allows for formal trust establishment between each pair. This also allows an AS to present an RO with a centralized user interface. Second, UMA defines a formal notion of a requesting party (RqP) that is autonomous from an RO, enabling party-to-party sharing and delegation of access authorization. An RO need not consent to token issuance at run time but can set policy at an AS, allowing an RqP to attempt access asynchronously. Third, UMA enables access attempts to result in successful issuance of tokens associated with authorization data based on a process of trust elevation in the RqP, for example, gathering identity claims or other claims from them.","type":"text"}]},{"type":"paragraph","content":[{"text":"== Applicable use cases ==","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph"},{"type":"paragraph"}]}]},{"type":"paragraph","content":[{"text":"UMA's architecture can serve a variety of consumer-facing and enterprise-facing use cases. The UMA group collects case studies on its wiki.","type":"text"}]},{"type":"paragraph","content":[{"text":"One example set of use cases is in healthcare IT and consumer health. In the OpenID Foundation organization, a working group called Health Relationship Trust (HEART){{Cite web|url=","type":"text"},{"text":"http://openid.net/wg/heart/|title=HEART","type":"text","marks":[{"type":"link","attrs":{"href":"http://openid.net/wg/heart/%7Ctitle=HEART"}}]},{"text":" WG | OpenID|date=27 October 2014}} is working to \"harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs\", building upon, among other standards, UMA.","type":"text"}]},{"type":"paragraph","content":[{"text":"Another example set of use cases, which originally influenced UMA's development, is in the area of \"personal data stores\" in the fashion of [[vendor relationship management]]. In this conception, an individual can choose an operator of an authorization service that accepts connections from a variety of consumer-facing digital resource hosts in order to offer a dashboard with resource sharing management capabilities.","type":"text"}]},{"type":"paragraph","content":[{"text":"== References ==","type":"text"},{"type":"hardBreak"},{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"== External links ==","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/UMA+FAQ","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/UMA+FAQ"}}]},{"text":" UMA FAQ]","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[","type":"text"},{"type":"inlineCard","attrs":{"url":"https://docs.kantarainitiative.org/uma/rec-uma-core.html"}},{"text":" User-Managed Access (UMA) Profile of OAuth 2.0 Recommendation]","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[","type":"text"},{"type":"inlineCard","attrs":{"url":"https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg.html"}},{"text":" OAuth 2.0 Resource Set Registration Recommendation]","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[","type":"text"},{"text":"http://kantara.atlassian.net/wiki/display/uma/UMA+Implementations","type":"text","marks":[{"type":"link","attrs":{"href":"http://kantara.atlassian.net/wiki/display/uma/UMA+Implementations"}}]},{"text":" UMA Implementations]","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"[[Category:Cloud standards]]","type":"text"},{"type":"hardBreak"},{"text":"[[Category:Computer access control]]","type":"text"},{"type":"hardBreak"},{"text":"[[Category:Identity management]]","type":"text"},{"type":"hardBreak"},{"text":"[[Category:Federated identity]]","type":"text"},{"type":"hardBreak"},{"text":"[[Category:Identity management systems]]","type":"text"}]},{"type":"paragraph"},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"Other","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"could OAuth or OpenID pages have a reference to UMA?","type":"text"},{"type":"hardBreak"}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported