UMA Roadmap for 2016

The UMA Work Group pushed its first major release (Version 1.0) and its first patch release (Version 1.0.1) out the door in 2015. In 2016 it has been examining developer, deployer, and user demand for improvements; the business and legal elements in the "access federation" equation; and the implications of the newest trends, such as smart contracts, IoT, and blockchain.

The matrix below is the prioritized 2016 workload of the WG. The "hashtags" that name the use-case columns are labels in our GitHub issues list (#trust was the only one that existed before 2016). The general #V2.0 label marks GitHub issues targeted for closure with the UMA V2.0 specs in early 2017. Each use case carries a priority number; those marked "includes legal" also have a legal component.

If you are interested in contributing to the Work Group's efforts, we are happy to welcome you; see the wiki home page for information on joining as a participant. Note that there is also a Legal Subgroup.


Use cases (GitHub labels) and their 2016 priorities:

- #IoT (priority 3): IoT (constrained entities, offline entities, etc.)
- #APIsec (priority 5): API security (enterprise RO, AS-RS tight)
- #fedauthz (priority 5): federated authorization (enterprise RO, AS-RS loose)
- #RSctrl (priority 2, includes legal): RS can throttle access beyond AS-imposed limits
- #ROctrl (priority 2, includes legal): RO can meaningfully throttle access that RS gives
- #wideeco (priority 2): wide ecosystem: RO's AS and RqP's IdP never met before, etc.
- #trust (priority 2, includes legal): UMA model text for access federations and tools for building agreements and receipts
- #security (priority 1): fix security bugs
- #simplify (priority 2): simplify the protocol and make it work more like OAuth (thus includes feature addition too)
- #shoebox (priority 4): consent and notice and information sharing matters

Abbreviations: RO = resource owner, RS = resource server, AS = authorization server, RqP = requesting party, IdP = identity provider, AAT = authorization API token, RSR = resource set registration. An X marks the use cases that a technical issue/proposal serves; the status column carries the tag from the original list (DONE, consider, keep in backlog).

| GitHub issues | Technical issue/proposal | Status | #IoT | #APIsec | #fedauthz | #RSctrl | #ROctrl | #wideeco | #trust | #security | #simplify | #shoebox |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (priority) | | | 3 | 5 | 5 | 2 (includes legal) | 2 (includes legal) | 2 | 2 (includes legal) | 1 | 2 | 4 |
| 153, 154 | AAT burden | DONE | X | | | X | | X | | | X | |
| 153, 238 | OAuth token endpoint realignment | DONE | | X | | | | X | | | X | |
| 51 | self-contained token validation | DONE | X | | | | | | | | | |
| 152 | permission registration | DONE | | | | | | | | | | |
| 157, 159 | discovery document alignment | DONE | | X | | | | | | | X | |
| 167, 205 (closed), 239 (closed) | session fixation attack in claims-gathering protocol and similar | DONE | | | | | | | | X | | |
| 155 | RSR endpoint URL has extraneous parts | DONE | | | | | | | | | X | |
| 158 | "scopes" is confusing in introspection response | DONE | | | | | | | | | X | |
| 165 | client can't specify scopes | DONE | | | | | | | | | X | |
| 167, 237 | simplify "need_info" and claims-gathering endpoint provisioning | DONE | | | | | | | | | X | |
| 254 | Hashed claims discovery | consider | | | | | | | | | | |
| 260 | Cascading authorization servers | consider | | | X | X | X | | | | | |
| 24, 224 | audit whether RS gave access per permissions / "shoebox" endpoint | consider | | | | X | X | | X | | | X |
| 20, 154 | client-to-AS-first efficiency | keep in backlog | | X | X | | | | | | | |
| 95 | multiple-AS protection over a single resource set | keep in backlog | | X | X | | | | X | | | |

The source page ends partway through the last row; its #security, #simplify and #shoebox cells were not captured and are left blank above.