| Version: | 2.0 |
| Date: | 2017-5-17 |
| Editor: | Eve Maler, ForgeRock |
| Authors: | Maciej Machulak, Self |
| Justin Richer, Bespoke Engineering | |
This specification defines a means for an UMA-enabled authorization server and resource server to be loosely coupled, or federated, in a resource owner context.
This document is a draft technical specification produced by the User-Managed Access Work Group. See the Kantara Initiative Operating Procedures for more information.
Copyright © 2017 Kantara Initiative and the persons identified as the document authors. All rights reserved.
This document is subject to the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version).
This specification extends and complements [UMAGrant] to loosely couple, or federate, the authorization process. This enables multiple resource servers operating in different domains to communicate with a single authorization server operating in yet another domain that acts on behalf of a resource owner. A service ecosystem can thus automate resource protection, and the resource owner can monitor and control authorization grant rules at a central service location over time. Further, with the use of token introspection, authorization grants can increase and decrease at the level of individual resources and scopes.
Building on the example provided in the introduction in [UMAGrant], bank customer (resource owner) Alice has a bank account service (resource server), a cloud file system (different resource server hosted elsewhere), and a dedicated sharing management service (authorization server) hosted by the bank. She can manage access to her various protected resources by spouse Bob, accounting professional Charline, bank account aggregation company DecideAccount, and neighbor Erik (requesting parties), all using different client applications, each of them variously to view account data, get access to payment or withdrawal functions, and see or edit files for a community project. Alice can use the same sharing management service to monitor and control these different levels of access.
This specification, together with [UMAGrant], constitutes UMA 2.0. This specification is OPTIONAL to use with the UMA grant, but if it is used, the authorization server and resource server MUST use it in its entirety.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Unless otherwise noted, all parameter names and values are case sensitive. JSON [RFC7159] data structures defined in this specification MAY contain extension parameters that are not defined in this specification. Any entity receiving or retrieving a JSON data structure SHOULD ignore extension parameters it is unable to understand. Extension names that are unprotected from collisions are outside the scope of this specification.
The UMA grant defined in [UMAGrant] enhances the abstract protocol flow of OAuth. This specification enhances the UMA grant by defining formal communications between the UMA-enabled authorization server and resource server as they act on behalf of the resource owner, responding to authorization and resource requests, respectively, by a client that is acting on behalf of a requesting party.
A summary of UMA 2.0 communications, combining the UMA grant with federated authorization, is shown in Figure 1.
+------------------+
| resource |
+------------manage (out of scope)----| owner |
| +------------------+
| |
| protection |
| API access control
| token (PAT) (out of scope)
| |
v v
+------------+ +----------+------------------+
| | |protection| |
| resource | | API | authorization |
| server |<-----protect-------| (needs | server |
| | | PAT) | |
+------------+ +----------+------------------+
| protected | | UMA |
| resource | | grant |
|(needs RPT) | requesting | (PCT optional) |
+------------+ party token +------------------+
^ (RPT) ^ persisted ^
| | claims |
| push token |
| claim (PCT) |
| tokens interact
| +--------+ for
+------------access--------------------| client | claims
+--------+ gathering
+---------------+
| requesting |
| party |
+---------------+
Figure 1: Federated Authorization Enhancements to UMA Grant Flow
This specification uses all of the terms and concepts in [UMAGrant]. This figure introduces the following new concepts:
This specification is designed for use with HTTP [RFC2616], and for interoperability and security in the context of loosely coupled services and applications operated by independent parties in independent domains. The use of UMA over any protocol other than HTTP is undefined. In such circumstances, it is RECOMMENDED to define profiles or extensions to achieve interoperability among independent implementations (see Section 4 of [UMAGrant]).
The authorization server MUST use TLS protection over its protection API endpoints, as governed by [BCP195], which discusses deployment and adoption characteristics of different TLS versions.
The authorization server MUST use OAuth and require a PAT to secure its protection API endpoints.
As defined in [UMAGrant], the resource owner -- the entity here authorizing PAT issuance -- MAY be an end-user (natural person) or a non-human entity treated as a person for limited legal purposes (legal person), such as a corporation. A PAT is unique to a resource owner, resource server used for resource management, and authorization server used for protection of those resources. The issuance of the PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting those resources.
Different grant types for PAT issuance may be appropriate for different types of resource owners; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner. Where an identity token is desired in addition to an access token, it is RECOMMENDED to use [OIDCCore] in addition.
Federation of authorization for the UMA grant delivers a conceptual separation of responsibility and authority:
The separation of authorization decision making and authorization enforcement is similar to the architectural separation often used in enterprises between policy decision points and policy enforcement points. However, note that the resource server MAY apply additional authorization controls beyond those imposed by the authorization server. For example, even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access to certain additional requesting parties.
Practical control of access among loosely coupled parties typically requires more than just messaging protocols. It is outside the scope of this specification to define more than the technical contract between UMA-conforming entities. Laws may govern authorization-granting relationships. It is RECOMMENDED for the resource owner, authorization server, and resource server to establish agreements about which parties are responsible for establishing and maintaining authorization grant rules and other authorization rules on a legal or contractual level, and parties operating entities claiming to be UMA-conforming should provide documentation of rights and obligations between and among them. See Section 4 of [UMAGrant] for more information.
The setting of policy conditions is outside the scope of this specification.
Except for PAT issuance, the resource owner-authorization server and resource owner-resource server interfaces are outside the scope of this specification. A variety of flows and user interfaces for policy condition setting involving user agents for both of these servers are possible, each with different privacy consequences for end-user resource owners. Some elements of the protection API enable the building of user interfaces for policy condition setting (see Section 3).
A variety of authorization, security, and time-to-live policies could be managed on a per-resource owner basis or a per-authorization server basis, as the entities see fit. Validity periods of PATs, RPTs, refresh tokens, permissions, caching periods for various responses, and even OAuth client credentials are all subject to management. Different time-to-live strategies may be suitable for different resources and scopes. These options are all outside the scope of this specification; where deployment ecosystems using independent implementations seek a consistent high level of security, profiling is RECOMMENDED (see Section 4 of [UMAGrant]).
The protection API defines the following endpoints:
Use of these endpoints assumes that the resource server has acquired OAuth client credentials from the authorization server by static or dynamic means, and has a valid PAT.
The authorization server SHOULD respond to each request from the resource server unless it detects a security concern, such as a suspected denial of service attack that can be mitigated by rate limiting.
Note: The resource server generally requires access to the protection API when an end-user resource owner is not available ("offline" access). Thus, the authorization server needs to manage the PAT in a way that ensures this outcome.
The authorization server MUST declare its endpoints in the discovery document (see Section 2).
A permission is (requested or granted) authorized access to a particular resource with one or more scopes bound to that resource. The concept of permissions is used in authorization assessment, results calculation, and RPT issuance in [UMAGrant]. This concept takes on greater significance in relation to the protection API.
The resource server's resource registration operations at the authorization server result in a set of resource owner-specific resource identifiers. When the client makes a tokenless (or failed-token) resource request, the resource server is responsible for interpreting that request and mapping it to a choice of authorization server, resource owner, resource identifier(s), and set of scopes for each identifier, in order to request one or more permissions -- resource identifiers and a set of scopes -- and obtain a permission ticket on the client's behalf. Finally, when the client has made a resource request accompanied by an RPT and token introspection is in use, it reveals the structure of permissions in the returned token introspection object, potentially including expiration of individual permissions.
This specification makes use of the authorization server discovery document structure and endpoint defined in [UMAGrant]. The resource server uses this discovery document to discover the endpoints it needs.
In addition to the metadata defined in that specification and [OAuthMeta], this specification defines the following metadata for inclusion in the discovery document:
Following are additional requirements related to metadata:
The authorization server SHOULD document any profiled or extended features it supports explicitly, ideally by supplying the URI identifying each UMA profile and extension as an uma_profiles_supported metadata array value (defined in [UMAGrant]), and by using extension metadata to indicate specific usage details as necessary.
The API available at the resource registration endpoint enables the resource server to put resources under the protection of an authorization server on behalf of the resource owner and manage them over time. Protection of a resource at the authorization server begins on successful registration and ends on successful deregistration.
The resource server uses a RESTful API at the authorization server's resource registration endpoint to create, read, update, and delete resource descriptions, along with retrieving lists of such descriptions. The descriptions consist of JSON documents that are maintained as web resources at the authorization server. (Note carefully the similar but distinct senses in which the word "resource" is used in this section.)
Figure 2 illustrates the resource registration API operations.
authorization resource resource
server server owner
| | |
| (ex. in request-to-grant phase) |
| | |
| *PROTECTION API: |
| *Resource registration endpoint |
| | |
| *Create resource | |
|<--------------------| |
| *Resource ID | |
|-------------------->| |
| | (Set policy conditions) |
|<- - - - - - - - - - - - - - - - - - - - - - - -|
| ... | |
| *Read/update with | |
| resource ID | |
|<--------------------| |
| *Response | |
|-------------------->| |
| ... | |
| *List all resources | |
|<--------------------| |
| *Response | |
|-------------------->| |
| ... | |
| *Delete resource | |
| with resource ID | |
|<--------------------| |
| *Response | |
|-------------------->| |
Figure 2: Resource Registration Endpoint and API
The resource server MAY protect any subset of the resource owner's resources using different authorization servers or other means entirely, or to protect some resources and not others. Additionally, the choice of protection regimes MAY be made explicitly by the resource owner or implicitly by the resource server. Any such partitioning by the resource server or owner is outside the scope of this specification.
The resource server MAY register a single resource for protection that, from its perspective, has multiple parts, or has dynamic elements such as the capacity for querying or filtering, or otherwise has internal complexity. The resource server alone is responsible for maintaining any required mappings between internal representations and the resource identifiers and scopes known to the authorization server.
Note: The resource server is responsible for managing the process and timing of registering resources, maintaining the registration of resources, and deregistering resources at the authorization server. Motivations for updating a resource might include, for example, new scopes added at a new API version or resource owner actions at a service provider that result in new resource description text. See [UMA-Impl] for a discussion of initial resource registration timing options. See Section 3.3 for a worked example illustrating all of the operations.
A resource description is a JSON document that describes the characteristics of a resource sufficiently for an authorization server to protect it. A resource description has the following parameters:
The resource server MAY encode human-readable strings using the pattern described in Section 2.2 of [RFC7591] for representing multiple languages and scripts, where language tags are added delimited by a "#" character. It is OPTIONAL for the authorization server to make use of this pattern, if present in registered resources, for run-time dynamic string display effects.
For example, this description characterizes a resource (a photo album) that can potentially be viewed or printed; the scope URI points to a scope description as defined in Section 3.1.1:
{
"name":"Photo Album",
"icon_uri":"http://www.example.com/icons/flower.png",
"scopes":[
"view",
"http://photoz.example.com/dev/scopes/print"
],
"type":"http://www.example.com/rsrcs/photoalbum"
}
A scope description is a JSON document that describes the characteristics of a scope sufficiently for an authorization server to protect the resource with this scope. A scope description has the following parameters:
The resource server MAY encode human-readable strings using the pattern described in Section 2.2 of [RFC7591] for representing multiple languages and scripts, where language tags are added delimited by a "#" character. It is OPTIONAL for the authorization server to make use of this pattern, if present in registered scopes, for run-time dynamic string display effects.
For example, this scope description characterizes a scope that involves viewing (as opposed to, say, creating or editing in some fashion):
{
"name":"View",
"icon_uri":"http://www.example.com/icons/reading-glasses"
}
See Section 3.3 for a long-form example of scope descriptions used in resource registration.
The authorization server is REQUIRED to support the following five registration options; any other operations are undefined by this specification. Here, rreguri stands for the resource registration endpoint and _id stands for the authorization server-assigned identifier for the web resource corresponding to the resource at the time it was created, included within the URL returned in the Location header. Each operation is defined in its own section below.
Within the JSON body of a successful response, the authorization server includes common parameters, possibly in addition to method-specific parameters, as follows:
If the request to the resource registration endpoint is incorrect, then the authorization server instead responds with an error message by including one of the following error codes with the response (see Section 6):
Adds a new resource description to the authorization server using the POST method. If the request is successful, the resource is thereby registered and the authorization server MUST respond with a status message that includes an _id parameter.
Form of a create request, with an access token in the header:
POST /rs/ HTTP/1.1 Content-Type: application/json
Authorization: Bearer MHg3OUZEQkZBMjcx
...
{
"name":"Tweedl Social Service",
"icon_uri":"http://www.example.com/icons/sharesocial.png",
"scopes":[
"read-public",
"post-updates",
"read-private",
"http://www.example.com/scopes/all"
],
"type":"http://www.example.com/rsrcs/socialstream/140-compatible"
}
Form of a successful response:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /rs/KX3A-39WE
...
{
"_id":"KX3A-39WE",
"user_access_policy_uri":"http://as.example.com/rs/222/resource/KX3A-39WE/policy"
}
Reads a previously registered resource description using the GET method. If the request is successful, the authorization server MUST respond with a status message that includes a body containing the referenced resource description, along with an _id parameter.
Form of a read request, with an access token in the header:
GET /rs/KX3A-39WE HTTP/1.1 Authorization: Bearer MHg3OUZEQkZBMjcx ...
Form of a successful response:
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"_id":"KX3A-39WE",
"name":"Tweedl Social Service",
"icon_uri":"http://www.example.com/icons/sharesocial.png",
"scopes":[
"read-public",
"post-updates",
"read-private",
"http://www.example.com/scopes/all"
],
"type":"http://www.example.com/rsrcs/socialstream/140-compatible"
}
If the referenced resource does not exist, the authorization server MUST produce an error response with an error parameter value of not_found, as defined in Section 3.2.
Updates a previously registered resource description, by means of a complete replacement of the previous resource description, using the PUT method. If the request is successful, the authorization server MUST respond with a status message that includes an _id parameter.
Form of an update request, with an access token in the header:
PUT /rs/9UQU-DUWW HTTP/1.1
Content-Type: application/json
Authorization: Bearer 204c69636b6c69
...
{
"name":"Photo Album",
"icon_uri":"http://www.example.com/icons/sky.png",
"scopes":[
"http://photoz.example.com/dev/scopes/view",
"public-read"
],
"type":"http://www.example.com/rsrcs/photoalbum"
}
Form of a successful response:
HTTP/1.1 200 OK
...
{
"_id":"9UQU-DUWW"
}
Deletes a previously registered resource description using the DELETE method. If the request is successful, the resource is thereby deregistered.
Form of a delete request, with an access token in the header:
DELETE /rs/9UQU-DUWW Authorization: Bearer 204c69636b6c69 ...
Form of a successful response:
HTTP/1.1 204 No content ...
If the referenced resource does not exist, the authorization server MUST produce an error response with an error parameter value of not_found, as defined in Section 3.2.
Lists all previously registered resource identifiers for this resource owner using the GET method. The authorization server MUST return the list in the form of a JSON array of {_id} string values.
The resource server uses this method as a first step in checking whether its understanding of protected resources is in full synchronization with the authorization server's understanding.
Form of a list request, with an access token in the header:
GET /rs/ HTTP/1.1 Authorization: Bearer 204c69636b6c69 ...
Form of a successful response:
HTTP/1.1 200 OK ... [ "KX3A-39WE", "9UQU-DUWW" ]
The following is a non-normative example of resource registration.
This example contains some steps that are exclusively in the realm of user experience to achieve realistic illustration. These steps are labeled "user experience only". Some other steps are exclusively internal to the operation of the entity being discussed. These are labeled "internal only".
A resource owner, Alice Adams, has just uploaded a photo of her new puppy to a resource server, Photoz.example.com, and wants to ensure that this specific photo is not publicly accessible.
Alice has already introduced this resource server to her authorization server, ShareHub.example.com. However, Alice has not previously instructed Photoz to use ShareHub to protect any photos of hers.
ShareHub has a "default-deny" setup, so until such time as Alice maps some other more permissive policies to any resources registered by Photoz, the policy is not to share them. Policies she may eventually map to particular photos or albums might be "Share only with husband@email.example.net" or "Share only with people in my 'family' group".
Photoz has a publicly documented application-specific API that offers two dozen different methods that apply to single photos, such as addTags and getSizes, but rolls them up into two photo-related scopes of access: "view" (consisting of various read-only operations) and "print" (consisting of various printing operations). It defines two scope descriptions that represent these scopes, which it is able to reuse for all of its users (not just Alice), and ensures that these scope description documents are available through HTTP GET requests that may be made by authorization servers.
Photoz constructs scope description documents for the scopes in order to provide data that will help them be displayed in user interfaces. (This means that any scope strings it supplies in resource registration descriptions will need to be URIs referring to these documents. The alternative would have been simple scope strings without the additional user interface data.)
The "name" parameter values in the scope descriptions are intended to be seen by Alice when she maps authorization constraints to specific resources and scopes while visiting ShareHub, such that Alice would see the strings "View Photo and Related Info" and "Print Photo", likely accompanied by the referenced icons, in the ShareHub interface. (Other users of Photoz might similarly see the same labels at ShareHub or whatever other authorization server they use. Photoz could distinguish natural-language labels per user if it wishes, by pointing to scopes with differently translated names.)
Example of the viewing-related scope description document available at http://photoz.example.com/dev/scopes/view:
{
"name":"View Photo and Related Info",
"icon_uri":"http://www.example.com/icons/reading-glasses.png"
}
Example of the scope description document available at http://photoz.example.com/dev/scopes/print:
{
"name":"Print Photo",
"icon_uri":"http://www.example.com/icons/printer.png"
}
While visiting Photoz, Alice selects a link or button that instructs the site to "Protect" or "Share" this single photo (user experience only; Photoz could have made this a default or preference setting).
As a result, Photoz defines for itself a resource that represents this photo (internal only; Photoz is the only application that knows how to map a particular photo to a particular resource). Photoz also prepares the following resource description, which is specific to Alice and her photo. The "name" parameter value is intended to be seen by Alice in mapping authorization policies to specific resources and scopes when she visits ShareHub. Alice would see the string "Steve the puppy!", likely accompanied by the referenced icon, in the ShareHub interface. The possible scopes of access on this resource are indicated with URI references to the scope descriptions, as shown just above.
{
"name":"Steve the puppy!",
"icon_uri":"http://www.example.com/icons/flower.png",
"scopes":[
"http://photoz.example.com/dev/scopes/view",
"http://photoz.example.com/dev/scopes/print"
]
}
Photoz uses the Create method of ShareHub's standard OAuth resource registration API, presenting its Alice-specific access token to use the API to register and assign an identifier to the resource description.
POST /rs/ HTTP/1.1
Content-Type: application/json
...
{
"name":"Steve the puppy!",
"icon_uri":"http://www.example.com/icons/flower.png",
"scopes":[
"http://photoz.example.com/dev/scopes/view",
"http://photoz.example.com/dev/scopes/print"
]
}
If the registration attempt succeeds, ShareHub responds in the following fashion.
HTTP/1.1 201 Created
Content-Type: application/json
...
{
"_id":"112210f47de98100",
"user_access_policy_uri":"http://as.example.com/rs/222/resource/112210f47de98100/policy"
}
At the time Alice indicates she would like this photo protected, Photoz can choose to redirect Alice to ShareHub for further policy setting, access auditing, and other authorization server-related tasks (user experience only).
Once it has successfully registered this description, Photoz is responsible for outsourcing protection to ShareHub for resource requests made to this photo.
Over time, as Alice uploads other photos and creates and organizes photo albums, Photoz can use additional methods of the resource registration API to ensure that ShareHub's understanding of Alice's protected resources matches its own.
For example, if Photoz suspects that somehow its understanding of the resource has gotten out of sync with ShareHub's, it can ask to read the resource description as follows.
GET /rs/112210f47de98100 HTTP/1.1 Host: as.example.com ...
ShareHub responds with the full content of the resource description, including its _id, as follows:
Example of an HTTP response to a "read resource description" request, containing a resource description from the authorization server:
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"_id":"112210f47de98100",
"name":"Steve the puppy!",
"icon_uri":"http://www.example.com/icons/flower.png",
"scopes":[
"http://photoz.example.com/dev/scopes/view",
"http://photoz.example.com/dev/scopes/print"
]
}
If for some reason Photoz and ShareHub have gotten dramatically out of sync, Photoz can ask for the list of resource identifiers ShareHub currently knows about:
GET /rs/ HTTP/1.1 Host: as.example.com ...
ShareHub's response might look as follows:
HTTP/1.1 200 OK ... [ "112210f47de98100", "34234df47eL95300" ]
If Alice later changes the photo's title (user experience only) on Photoz from "Steve the puppy!" to "Steve on October 14, 2011", Photoz would use the Update method to ensure that Alice's experience of policy-setting at ShareHub remains consistent with what she sees at Photoz. Following is an example of this request. Note that the entire updated resource description has to be included in the PUT request.
PUT /rs/112210f47de98100 HTTP/1.1
Content-Type: application/json
Host: as.example.com
...
{
"name":"Steve on October 14, 2011",
"icon_uri":"http://www.example.com/icons/flower.png",
"scopes":[
"http://photoz.example.com/dev/scopes/view",
"http://photoz.example.com/dev/scopes/print"
]
}
ShareHub would respond as follows.
HTTP/1.1 201 Created
Content-Type: application/json
...
{
"_id":"112210f47de98100"
}
There are other reasons Photoz might want to update resource descriptions, having nothing to do with Alice's actions or wishes. For example, it might extend its API to include new features such as photo resizing, and want to add new scopes to all of Alice's and other users' resource descriptions.
if Alice later decides to entirely remove sharing protection (user experience only) on this photo while visiting Photoz, ensuring that the public can get access without any protection, Photoz is responsible for deleting the relevant resource registration, as follows:
DELETE /rs/112210f47de98100 HTTP/1.1 Host: as.example.com ...
ShareHub would respond as follows.
HTTP/1.1 204 No content ...
The permission endpoint defines a means for the resource server to request one or more permissions (resource identifiers and corresponding scopes) with the authorization server on the client's behalf, and to receive a permission ticket in return, in order to respond as indicated in Section 3.2 of [UMAGrant]. The resource server uses this endpoint on the following occasions:
The use of the permission endpoint is illustrated in Figure 3.
authorization resource client server server | (in request-to-grant phase) | | | | |Request resource (no token or | |insufficient token) | |--------------------------------------->| | | | | *PROTECTION API: | | *Permission endpoint | | | | | |*Request permissions | | |<--------------------| | | *Permission ticket | | |-------------------->| | | | |AS location, permission ticket | |<---------------------------------------| | . | . | | . | . | | . | . |
Figure 3: Permission Endpoint
The PAT provided in the API request enables the authorization server to map the resource server's request to the appropriate resource owner. It is possible to request permissions for access to the resources of only one resource owner, protected by only one authorization server, at a time.
In its response, the authorization server returns a permission ticket for the resource server to give to the client that represents the same permissions that the resource server requested.
Note: In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply in its call to the permission endpoint, it needs to have structured the API where the resource request was made in such a way that it can derive all of the necessary information even when the resource request is tokenless. Commonly, this information can be passed through the URI, headers, or body of the client's request. Alternatively, the entire interface could be dedicated to the use of a single resource owner and protected by a single authorization server.
The process of choosing what permissions to request may require interpretation and mapping of the client's resource request. The resource server SHOULD request a permission that is appropriate for the client’s resource request. The resource server MAY request multiple permissions, and any permission MAY have zero scopes associated with it. Requesting multiple permissions may be appropriate, for example, in cases where the resource server expects the requesting party to need access to several related resources if they need access to any one of the resources. Requesting a permission with no scopes may be appropriate, for example, in cases where an access attempt involves an API call that is ambiguous without further context (role-based scopes such as user and admin may have this ambiguous quality, and an explicit client request for a particular scope at the token endpoint later can clarify the desired access). The resource server SHOULD document its intended pattern of permission requests in order to assist the client in pre-registering for and requesting appropriate scopes at the authorization server. See [UMA-Impl] for a discussion of permission request patterns.
The resource server uses the POST method at the permission endpoint. The body of the HTTP request message contains a JSON object (for a request containing a single resource identifier) or array of objects (for a request containing more than one resource identifier) providing the request, using a format derived from the resource description format specified in Section 3.1, as follows. The object used in both forms has the following parameters:
Example of an HTTP request for a single permission at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
{
"resource_id":"112210f47de98100",
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
]
}
Example of an HTTP request for multiple permissions at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
[
{
"resource_id":"7b727369647d",
"resource_scopes":[
"view",
"crop",
"lightbox"
]
},
{
"resource_id":"7b72736964327d",
"resource_scopes":[
"view",
"layout",
"print"
]
},
{
"resource_id":"7b72736964337d",
"resource_scopes":[
"http://www.example.com/scopes/all"
]
}
]
If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket parameter in the JSON-formatted body.
For example:
HTTP/1.1 201 Created
Content-Type: application/json
...
{
"ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de"
}
If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following error codes (see Section 6 for more information about error codes and responses):
When the client makes a resource request with an RPT, the resource server needs to determine whether the RPT is active and, if so, its associated permissions. Depending on the nature of the RPT and operative caching parameters, the resource server MAY take any of the following actions as appropriate to determine the RPT's status:
The use of the token introspection endpoint is illustrated in Figure 4.
authorization resource client server server | . | . | | . | . | | . | . | | (In token-to-resource phase) | | | | |Request resource with RPT | |--------------------------------------->| | | | | *PROTECTION API: | | *Introspection endpoint (optional) | | | | | | *Introspect RPT | | |<--------------------| | | *Return object | | |-------------------->| | | | |Protected resource | |<---------------------------------------|
Figure 4: Token Introspection Endpoint
Note: In order for the resource server to know which authorization server, PAT (representing a resource owner), and endpoint to use in making the token introspection API call, it may need to interpret the client's resource request.
Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:
POST /rs/status HTTP/1.1 Host: as.example.com Authorization: Bearer 204c69636b6c69 ... token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv }
The authorization server's response to the resource server MUST use [RFC7662], responding with a JSON object with the structure dictated by that specification, extended as follows.
If the introspection object's active parameter has a Boolean value of true, then the object MUST NOT contain a scope parameter, and SHOULD contain an extension parameter named permissions that contains an array of objects, each one (representing a single permission) containing these parameters:
For interoperability, if the introspection object does not contain the permissions parameter, then an UMA extension SHOULD be defined as appropriate, with supporting authorization servers using uma_profiles_supported metadata to advertise their support of any alternative structure (see Section 4 of [UMAGrant]).
Example of a response containing the introspection object with the permissions parameter containing a single permission:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
...
{
"active":true,
"exp":1256953732,
"iat":1256912345,
"permissions":[
{
"resource_id":"112210f47de98100",
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
],
"exp":1256953732
}
]
}
If a request is successfully authenticated, but is invalid for another reason, the authorization server produces an error response by adding the following parameters to the entity body of the HTTP response:
This specification inherits the security considerations of [UMAGrant] and has the following additional security considerations.
In the context of federated authorization, a greater variety of parties may be operating and using UMA software entities, and thus have opportunities to establish agreements about the parties' rights and responsibilities on a legal or contractual level, as discussed in Section 5.4 of [UMAGrant].
The protection API is secured by means of OAuth (through the use of the PAT). Therefore, it is susceptible to OAuth threats.
This specification inherits the privacy considerations of [UMAGrant] and has the following additional privacy considerations.
In the context of federated authorization, a greater variety of parties may be operating and using UMA software entities, and thus have opportunities to establish agreements about mutual rights, responsibilities, and common interpretations of UMA constructs for consistent and expected software behavior, as discussed in Section 6.3 of [UMAGrant].
The authorization server comes to be in possession of resource information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until permissions are associated with its RPT. The more information about a resource that is registered, the more risk of privacy compromise there is through a less-trusted authorization server.
This document makes the following requests of IANA.
This specification registers OAuth 2.0 authorization server metadata defined in Section 2, as required by Section 7.1 of [OAuthMeta].
This specification registers the claim defined in Section 5.1.1, as required by [OIDCCore].
This specification registers the claim defined in Section 5.1.1, as required by Section 3.1 of [RFC7662].
The following people made significant text contributions to the specification:
Additional contributors to this specification include the Kantara UMA Work Group participants, a list of whom can be found at [UMAnitarians].
| [UMA-Impl] | Maler, E., “UMA Implementer's Guide”, 2017, <https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Guide>. |
| [UMAnitarians] | Maler, E., “UMA Participant Roster”, 2017, <https://kantarainitiative.org/confluence/display/uma/Participant+Roster>. |
Eve Maler
(editor)
ForgeRock
EMail: eve.maler@forgerock.com
Maciej Machulak
Self
EMail: maciej.machulak@gmail.com
Justin Richer
Bespoke Engineering
EMail: justin@bspk.io