UMA Roadmap for 2016
UMA Roadmap for 2016
Having pushed its first major release (Version 1.0) and its first patch release (Version 1.0.1) out the door in 2015, in 2016 the UMA Work Group has been examining developer, deployer, and user demand for improvements; the business and legal elements in the "access federation" equation; and implications of the newest trends, such as smart contracts, IoT, and blockchain.
The following matrix represents the prioritized workload of the 2016 effort of the WG. The "hashtags" in the use-case column headers are labels in our GitHub issues list (#trust was the only existing one prior to 2016). The general #V2.0 label represents GitHub issues targeted for closure with the UMA V2.0 specs in early 2017.
If you are interested to contribute to the Work Group's efforts, we are happy to welcome you – see the wiki home page for information on joining as a participant. Note that we have a Legal Subgroup as well.
| priorities | 3 | 5 | 5 | 2 (includes legal) | 2 (includes legal) | 2 | 2 (includes legal) | 1 | 2 | 4 | |
| GitHub issues | use technical | #IoT: IoT (constrained entities, offline entities, etc.) | #APIsec: API security (enterprise RO, AS-RS tight) | #fedauthz: federated authorization (enterprise RO, AS-RS loose) | #RSctrl: RS can | #ROctrl: RO can meaningfully throttle access that RS gives | #wideeco: wide ecosystem: RO's AS and RqP's IdP never met before, etc. | #trust: UMA model text for access federations and tools for building agreements and receipts | #security: fix security bugs | #simplify: simplify the protocol and make it work more like OAuth (thus includes feature addition too) | #shoebox: |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 153, 154 | AAT burden [DONE] | X | X | X | X | ||||||
| 153, 238 | OAuth token endpoint realignment [DONE] | X | X | X | |||||||
| 51 | self-contained token validation [DONE] | X | |||||||||
| 152 | permission registration [DONE] | ||||||||||
| 157, 159 | discovery document alignment [DONE] | X | X | ||||||||
| 167, 205 (closed), 239 (closed) | session fixation attack in claims-gathering protocol and similar [DONE] | X | |||||||||
| 155 | RSR endpoint URL has extraneous parts [DONE] | X | |||||||||
| 158 | "scopes" is confusing in introspection response [DONE] | X | |||||||||
| 165 | client can't specify scopes [DONE] | X | |||||||||
| 167, 237 | simplify "need_info" and claims-gathering endpoint provisioning [DONE] | X | |||||||||
| 254 | Hashed claims discovery [consider] | ||||||||||
| 260 | Cascading authorization servers [consider] | X | X | X | |||||||
| 24, 224 | audit whether RS gave access per permissions / "shoebox" endpoint [consider] | X | X | X | X | ||||||
| 20, 154 | client-to-AS-first efficiency [keep in backlog] | X | X | ||||||||
| 95 | multiple-AS protection over a single resource set [keep in backlog] | X | X | X |