UMA Roadmap for 2016

Having pushed its first major release (Version 1.0) and its first patch release (Version 1.0.1) out the door in 2015, in 2016 the UMA Work Group has been examining developer, deployer, and user demand for improvements; the business and legal elements in the "access federation" equation; and the implications of the newest trends, such as smart contracts, IoT, and blockchain.

The following matrix represents the prioritized workload of the WG's 2016 effort. The "hashtags" in the use-case column headers are labels in our GitHub issues list (#trust was the only one that existed prior to 2016). The general #V2.0 label represents GitHub issues targeted for closure with the UMA V2.0 specs in early 2017.

If you are interested in contributing to the Work Group's efforts, we are happy to welcome you – see the wiki home page for information on joining as a participant. Note that we have a Legal Subgroup as well.

Use-case columns (the hashtags are the GitHub issue labels):

- #IoT: IoT (constrained entities, offline entities, etc.)
- #APIsec: API security (enterprise RO, AS-RS tight)
- #fedauthz: federated authorization (enterprise RO, AS-RS loose)
- #RSctrl: RS can throttle access beyond AS-imposed limits
- #ROctrl: RO can meaningfully throttle access that RS gives
- #wideeco: wide ecosystem: RO's AS and RqP's IdP never met before, etc.
- #trust: UMA model text for access federations and tools for building agreements and receipts
- #security: fix security bugs
- #simplify: simplify the protocol and make it work more like OAuth (thus includes feature addition too)
- #shoebox: consent and notice and information sharing matters

An X marks the use cases each technical issue/proposal serves; the "priorities" row gives each use case's priority (1 = highest).

| GitHub issues | Technical issues/proposals | #IoT | #APIsec | #fedauthz | #RSctrl | #ROctrl | #wideeco | #trust | #security | #simplify | #shoebox |
|---|---|---|---|---|---|---|---|---|---|---|---|
| | priorities | 3 | 5 | 5 | 2 (includes legal) | 2 (includes legal) | 2 | 2 (includes legal) | 1 | 2 | 4 |
| 153, 154 | AAT burden [DONE] | X | | | X | | X | | | X | |
| 153, 238 | OAuth token endpoint realignment [DONE] | | X | | | | X | | | X | |
| 51 | self-contained token validation [DONE] | X | | | | | | | | | |
| 152 | permission registration [DONE] | | | | | | | | | | |
| 157, 159 | discovery document alignment [DONE] | | X | | | | | | | X | |
| 167, 205 (closed), 239 (closed) | session fixation attack in claims-gathering protocol and similar [DONE] | | | | | | | | X | | |
| 155 | RSR endpoint URL has extraneous parts [DONE] | | | | | | | | | X | |
| 158 | "scopes" is confusing in introspection response [DONE] | | | | | | | | | X | |
| 165 | client can't specify scopes [DONE] | | | | | | | | | X | |
| 167, 237 | simplify "need_info" and claims-gathering endpoint provisioning [DONE] | | | | | | | | | X | |
| 254 | hashed claims discovery [consider] | | | | | | | | | | |
| 260 | cascading authorization servers [consider] | | | X | X | X | | | | | |
| 24, 224 | audit whether RS gave access per permissions / "shoebox" endpoint [consider] | | | | X | X | | X | | | X |
| 20, 154 | client-to-AS-first efficiency [keep in backlog] | | X | X | | | | | | | |
| 95 | multiple-AS protection over a single resource set [keep in backlog] | | X | X | | | | X | | | |