Introduction to UMA

Owned by Eve Maler
Last updated: Oct 16, 2015
3 min read

This page aggregates links and information that helps various audiences understand what UMA is for and how to use it.

For General Audiences

The UMA FAQ page succinctly answers a variety of questions.

The WG's webinar series has treated various topics and audiences:

  • Webinar from 16 May 2015: slides in PDF
  • Webinar from 3 Nov 2014: slides in PDF
  • IIW session from Oct 2014: slides in PDF
  • Webinar from 19 Jun 2014: slides in PPTX, slides in PDF
  • Enterprise UMA session from IRM Summit 3 Jun 2014: slides in PPTX
  • Webinar from 20 Mar 2014: slides in PPTX, slides in PDF
  • UMA 101 webinar from 29 Oct 2013: slides in PPTX, slides in PDF

For Managers, Deployers, and Legal Staff

The Case Studies page lists a variety of use cases, including enterprise, healthcare, consumer, and more.

The UMA Legal: Business Models page discusses some business models that differ in terms of their "deployment topologies". Several other "UMA Legal" pages on the GitHub wiki discuss the current state of our efforts to reduce friction in the setting up of "access federations".

For Integrators, Implementers, and Developers

The UMA Implementer's Guide provides non-normative current and best practice information on implementation where there are specification choices.

The UMA interfaces diagram maps out the relationships of UMA entities to OAuth entities, and UMA APIs to clients that call them.

The UMA Implementations page catalogues some known implementations, including open source.

The generic low-level UMA flow swimlane illustrates a sample realistic flow and points off to specific UMA specification sections. Here is the source code:

participant "resource\nowner (RO)" as RO
participant "resource\nserver (RS)" as RS
participant "authorization\nserver (AS)" as AS
participant "client\napp (C)" as C
participant "requesting\nparty (RqP)" as RqP
note over RO, RS, AS, C, RqP
Sample low-level UMA flow with photo access scenario; V1.0.1 spec references
end note
RS-->RS: OOB Learn AS location
RS->AS: UMA1.4 Retrieve AS config data
AS->RS: UMA1.4 Return AS config data
AS->RS: UMA2 Issue client creds\n(can be dynamic)
RS->RO: UMA1.3.1 Redirect to AS...
RO->AS: ...to log in and consent to...
AS->RS: ...PAT issuance (OAuth scope="uma_protection")\n(can use any grant flow, e.g. implicit or client creds)
RO-->RS: OOB Choose resources to protect
RO-->AS: OOB Configure policies (can happen after client attempts access)
note over RS,AS
Assume one static photo resource, simple scope strings
end note
RS->AS: RSR2.2.1 POST /resource_set\nat RSR endpoint with "view" and "print" scopes
AS->RS: RSR2.2.1 201 Created; _id in body has {rsid}
RqP-->C: OOB Provision protected resource location
C->RS: UMA3.1.1 Attempt GET /photo.jpg (view) at resource endpoint
RS->AS: UMA3.2.1 POST requested permission with “view”\nat permission registration endpoint
AS->RS: UMA3.2.3 Return permission ticket
RS->C: UMA3.3.1 Return as_uri and permission ticket
C->AS: UMA1.4 Retrieve AS configuration data
AS->C: UMA1.4 Return AS config data
AS->C: UMA2 Issue client creds\n(can be dynamic)
C->RqP: UMA1.3.2 Redirect to AS...
RqP->AS: ...to log in and consent to...
AS->C: ...AAT issuance (OAuth scope="uma_authorization")\n(can use any grant flow, e.g. implicit or client creds)
note over C,AS
Assume complex interaction for argument's sake
end note
C->AS: UMA3.5.1 POST plain authz data request with\npermission ticket at RPT endpoint
AS-->AS: UMA3.5.2 Assess request
AS->C: UMA3.5.4 Return need_info with error_details hints:\nauthentication_context and claims
C->RqP: UMA3.6.1 Redirect to AS...
RqP->AS: ...for...
AS->C: ...step-up authentication
C->AS: UMA3.5.1 POST claim token with permission ticket\nat RPT endpoint
AS->C: UMA3.5.4 Return need_info with claims\nand redirect_user
C->RqP: UMA3.6.3 Redirect to AS...
RqP->AS: ...to provide claims in person...
AS->C: ...until AS reports claims_submitted
C->AS: UMA3.5.1 POST plain authz data request with\npermission ticket at RPT endpoint
AS->C: UMA3.5.3 Return success and RPT
C->RS: UMA3.1.2 Attempt resource access with RPT
note over RS,AS: Assume default RPT profile and happy path
RS->AS: UMA3.4.2 POST to token introspection endpoint
AS->RS: UMA3.4.2 Return extended introspection object
RS-->RS: UMA3.3.3 Assess access attempt against\npermissions; has "view" scope
RS->C: UMA3.3.3 Enable photo viewing
C->RS: UMA3.1.2 Attempt POST /photo.jpg (print) at resource endpoint with RPT
note over RS: Assume cache is allowed and fresh
RS-->RS: OOB Consult RPT cache; no “print” scope
RS->AS: UMA3.2.1 POST requested permission with “print”\nat permission registration endpoint
AS->RS: UMA3.2.3 Return permission ticket
RS->C: UMA3.3.1 Return as_uri and permission ticket
note over C: Assume cache is allowed and fresh
C-->C: OOB Consult AS config data cache
note over C,AS
Assume simple interaction\nfor argument's sake;\ncached claims OK for “print”;\nAS chooses to refresh RPT string
end note
C->AS: UMA3.5.1 POST plain authz data\nrequest with permission ticket\nat RPT endpoint
AS-->AS: UMA3.5.2 Assess request
AS->C: UMA3.5.3 Return success and new RPT
C->RS: UMA3.1.2 Attempt resource access with RPT
RS->AS: UMA3.4.2 POST to token introspection endpoint
AS->RS: UMA3.4.2 Return Return extended introspection object
RS-->RS: UMA3.3.3 Assess access attempt against\npermissions; has "print” scope
RS->C: UMA3.3.3 Enable photo printing