Version: | 2.0 |
Date: | 2016-8-18 |
Editor: | Eve Maler, ForgeRock |
Contributors: | Maciej Machulak, iWelcome |
Justin Richer, Bespoke Engineering |
User-Managed Access (UMA) 2.0 is a federated authorization framework that defines an extension OAuth 2.0 grant type and uses OAuth and federated identity technologies in various other ways. It defines how resource owners can control protected-resource access by clients used by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies.
This document is a draft technical specification produced by the User-Managed Access Work Group. See the Kantara Initiative Operating Procedures for more information.
Copyright © 2016 Kantara Initiative and the persons identified as the document authors. All rights reserved.
This document is subject to the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version).
User-Managed Access (UMA) 2.0 is a federated authorization framework that defines an extension OAuth 2.0 [RFC6749] grant type and uses OAuth and federated identity technologies in various other ways. It defines how resource owners can control protected-resource access by clients used by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies.
UMA serves numerous use cases where a resource owner uses a dedicated service to manage authorization for access to their resources, potentially even without the run-time presence of the resource owner. A typical example is the following: a web user (an end-user resource owner) can authorize a web or native app (a client) to gain one-time or ongoing access to a protected resource containing his home address stored at a "personal data store" service (a resource server), by telling the resource server to respect access entitlements issued by his chosen cloud-based authorization service (an authorization server). The requesting party operating the client might be the resource owner, where the app is run by an e-commerce company that needs to know where to ship a purchased item, or the requesting party might be resource owner's friend who is using an online address book service to collect contact information, or the requesting party might be a survey company that uses an autonomous web service to compile population demographics. A variety of use cases can be found in [UMA-usecases] and [UMA-casestudies].
Practical control of access among loosely coupled parties requires more than just messaging protocols. This specification defines only the "technical contract" between UMA-conforming entities. Work is ongoing to define recommendations for developing agreements about the rights and responsibilities of parties operating and using these entities on a contractual or legal level (see, for example, [UMA-obligations]). Parties operating entities that claim to be UMA-conforming should provide documentation of any rights and obligations between and among them; see Section 7.4 for more information.
In enterprise settings, application access management sometimes involves letting back-office applications serve only as policy enforcement points (PEPs), depending entirely on access decisions coming from a central policy decision point (PDP) to govern the access they give to requesters. This separation eases auditing and allows policy administration to scale in several dimensions. UMA makes use of a separation similar to this, letting the resource owner serve as a policy administrator crafting authorization strategies for resources under their control.
In order to increase interoperable communication among the authorization server, resource server, and client, UMA leverages two purpose-built APIs related to the outsourcing of authorization, themselves protected by OAuth (or an OAuth-based authentication protocol) in embedded fashion.
The UMA protocol has three broad phases, as shown in Figure 1.
The Three Phases of the UMA Profile of OAuth
+--------------+ | resource | +---------manage (A)------------ | owner | | +--------------+ | Phase 1: | | protect a control (C) | resource | v v +------------+ +----------+--------------+ | | |protection| | | resource | | API | authorization| | server |<-protect (B)--| (needs | server | | | | PAT) | | +------------+ +----------+--------------+ | protected | | authorization| | resource | | API | |(needs RPT) | | (needs AAT) | +------------+ +--------------+ ^ | | Phases 2 and 3: authorize (D) | get authorization, | | access a resource v | +--------------+ +---------access (E)-------------| client | +--------------+ requesting party
Figure 1
[DISCUSS: 153/154/ed: Need to fix line breaks. Authorization API needs to become authorization interface/UMA grant. (needs AAT) needs to be removed. But more broadly, should we consider how we discuss the phases entirely, e.g. renaming/renumbering them?] The phases work as follows:
Implementers have the opportunity to develop profiles (see Section 6) that specify and restrict various UMA protocol, RPT, and identity claim format options, according to deployment and usage conditions.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in [RFC2119].
Unless otherwise noted, all protocol properties and values are case sensitive. JSON [RFC7159] data structures defined by this specification MAY contain extension properties that are not defined in this specification. Any entity receiving or retrieving a JSON data structure SHOULD ignore extension properties it is unable to understand. Extension names that are unprotected from collisions are outside the scope of this specification.
UMA introduces the following new terms and enhancements of OAuth term definitions.
The software components that fill the roles of UMA authorization servers, resource servers, and clients respectively are intended to work in an interoperable fashion when each is operated by an independent party (for example, different organizations). For this reason, UMA specifies communications channels that the authorization server MUST implement as HTTP-based APIs that MUST use TLS and OAuth (or OAuth-based authentication protocol) protection, and that the resource server MUST implement as an HTTP-based interface. UMA's use of TLS is governed by [BCP195], which discusses deployment and adoption characteristics of different TLS versions.
For those OAuth protection use cases where an identity token is desired in addition to an access token, it is RECOMMENDED that an OAuth-based authentication protocol such as OpenID Connect [OIDCCore] be used.
It is also REQUIRED, in turn, for resource servers and clients on the requesting side of UMA interactions to use these channels, unless a profile is being used that enables API extensibility. The profiles that enable such alternatives are provided in Section 5.
The authorization server MUST present an HTTP-based protection API, protected by TLS and OAuth (or an OAuth-based authentication protocol), for use by resource servers. The authorization server thus has an OAuth token endpoint and authorization endpoint. The authorization server MUST declare all of its protection API endpoints in its configuration data (see Section 1.4).
The protection API consists of three endpoints:
An entity seeking protection API access MUST be an OAuth client with client credentials and the scope uma_protection. An access token with at least this scope is called a protection API token (PAT). Because an UMA resource server needs to access the protection API, it therefore MUST be an OAuth client. If a request to an endpoint fails due to an invalid, missing, or expired PAT, or requires higher privileges at this endpoint than provided by the PAT, the authorization server responds with an OAuth error. A single entity can serve in both UMA resource server and UMA client roles.
The authorization server MUST support the OAuth bearer token profile for PAT issuance, and MAY support other OAuth token profiles. The authorization server MUST declare all supported token profiles for PAT issuance in its configuration data.[UMA-Impl] discusses grant options further.
A PAT binds a resource owner, a resource server the owner uses for resource management, and an authorization server the owner uses for protection of resources at this resource server. It is not specific to any client or requesting party. The issuance of a PAT represents the approval of the resource owner for this resource server to use this authorization server for protecting some or all of the resources belonging to this resource owner. Any OAuth authorization grant type might be appropriate depending on circumstances; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner. The authorization server MUST declare all supported grant types for PAT issuance in its configuration data.
Note: The PAT is used in registering a requested permission on a client's behalf (as described in Section 3.2). One circumstance precipitating this action is when the client has attempted access without an RPT (as described in Section 3.1.1). In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource set identifier to supply, the resource server's API needs be structured in such a way that it can derive this information from the client's RPT-free access attempt. In practice, this information likely needs to be passed through the URI, headers, or body of the client's request.
The authorization server has the opportunity to manage the validity periods of access tokens that it issues, their corresponding refresh tokens where applicable, the individual authorization data components associated with RPTs where applicable, and even the client credentials that it issues. Different time-to-live strategies may be suitable for different resource sets and scopes of access, and the authorization server has the opportunity to give the resource owner control over lifetimes of tokens and authorization data issued on their behalf through policy. These options are all outside the scope of this specification.
The authorization server MUST provide configuration data in a JSON document that resides in an /uma-configuration directory at its host-meta [RFC6415] location. The configuration data documents endpoints and major conformance options supported by the authorization server.
The configuration data has the following properties.
Example of authorization server configuration data that resides at https://example.com/.well-known/uma-configuration (note the use of https: for endpoints throughout):
{ "issuer":"https://example.com", "pat_profiles_supported":["bearer"], "rpt_profiles_supported": ["https://docs.kantarainitiative.org/uma/profiles/uma-token-bearer-1.0"], "pat_grant_types_supported":["authorization_code"], "claim_token_profiles_supported":["https://example.com/claims/formats/token1"], "dynamic_client_endpoint":"https://as.example.com/dyn_client_reg_uri", "token_endpoint":"https://as.example.com/token_uri", "authorization_endpoint":"https://as.example.com/authz_uri", "requesting_party_claims_endpoint":"https://as.example.com/rqp_claims_uri", "resource_set_registration_endpoint":"https://as.example.com/rs/rsrc_uri", "introspection_endpoint":"https://as.example.com/rs/status_uri", "permission_registration_endpoint":"https://as.example.com/rs/perm_uri" }
Where this specification does not already require optional features to be documented, it is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly and use configuration data to indicate their usage.
The resource owner, resource server, and authorization server perform the following actions to put resources under protection. This list assumes that the resource server has discovered the authorization server's configuration data and endpoints as needed.
Note: The resource server is free to offer the option to protect any subset of the resource owner's resources using different authorization servers or other means entirely, or to protect some resources and not others. Additionally, the choice of protection regimes can be made explicitly by the resource owner or implicitly by the resource server. Any such partitioning by the resource server or owner is outside the scope of this specification.
Once a resource set has been placed under authorization server protection through the registration of a resource set description for it, and until such a description's deletion by the resource server, the resource server MUST limit access to corresponding resources, requiring sufficient authorization data associated with client-presented RPTs by the authorization server (see Section 3.3.1).
Note: The PAT that the resource server uses to register resource sets must also be used later during client access attempts, for example, in registering a requested permission on a client's behalf (as described in Section 3.2). One circumstance precipitating this action is when the client has attempted access without an RPT (as described in Section 3.1.1). In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource set identifier to supply, the resource server's API needs be structured in such a way that it can derive this information from the client's RPT-free access attempt. In practice, this information likely needs to be passed through the URI, headers, or body of the client's request.
An authorization server orchestrates and controls clients' access on their requesting parties' behalf to a resource owner's protected resources at a resource server, under conditions specified by that resource owner through policy.
The process of getting authorization and accessing a resource always begins with the client attempting access at a protected resource endpoint at the resource server. Several aspects of the client's behavior are out of scope for this specification:
In brief, the entire process is as follows.
The recipient of each request message SHOULD respond unless it detects a security concern, such as a suspected denial of service attack that can be mitigated by rate limiting.
This interaction assumes that the resource server has already registered any relevant resource sets prior to the client's access attempt at any resource that is intended to be UMA-protected.
Example of a client request at a protected resource carrying no RPT:
GET /users/alice/album/photo.jpg HTTP/1.1 Host: photoz.example.com ...
If the resource server chooses to respond, it next registers a requested permission (see Section 3.2).
Example of a client request at a protected resource carrying an RPT using the UMA Bearer RPT profile:
GET /users/alice/album/photo.jpg HTTP/1.1 Authorization: Bearer vF9dft4qmT Host: photoz.example.com ...
If the resource server chooses to respond, it next determines the RPT's status (see Section 3.4).
If the client's request at the protected resource has no RPT, or has an invalid RPT or insufficient authorization data associated with the RPT as determined through RPT status checking (see Section 3.4), then assuming the resource server chooses to respond to the client, it MUST use the protection API's permission registration endpoint to register a requested permission with the corresponding authorization server. The extent of the requested permission MUST suffice for the extent of the client's access attempt at that resource.
Note: The resource server is free to choose the extent of the requested permission that it registers, as long as it minimally suffices for the access attempted by the client. For example, it can choose to register a permission that covers several scopes or a resource set that is greater in extent than the specific resource that the client attempted to access.
The PAT provided in the API request enables the authorization server to map the requested permission to the appropriate resource owner. The authorization server returns a permission ticket in its response for the resource server to give to the client that represents the same extent of requested access that the resource server registered.
The resource server uses the POST method at the permission registration endpoint. The body of the HTTP request message contains a JSON object providing the requested permission, using a format derived from the resource set description format specified in [OAuth-resource-reg], as follows. The object has the following properties:
Example of an HTTP request that registers a requested permission at the authorization server's permission registration endpoint, with a PAT in the header:
POST /host/rsrc_uri HTTP/1.1 Content-Type: application/json Host: as.example.com Authorization: Bearer 204c69636b6c69 { "resource_set_id": "112210f47de98100", "scopes": [ "view", "http://photoz.example.com/dev/actions/print" ] }
The authorization server uses a permission ticket to maintain the state of requested permission information, initially conveyed on the client's behalf by the resource server at attempted resource access time, for the period of time that the client continues to seek authorization for that attempted access.
The permission ticket is a short-lived correlation handle generated by the authorization server that is intended to be opaque to resource servers and clients. The authorization server therefore MUST ensure that the ticket is securely random, much as it would for authorization codes and access tokens. Within these constraints, however, the authorization server MAY format the ticket however it chooses, for example either as a random string that references data held on the server or by including data within the ticket itself.
Since permission tickets are used only by clients bearing an AAT at the authorization server, the authorization server can associate a permission ticket with both a client and a requesting party at the time the client first makes a request at the RPT endpoint. If the authorization server observes that a permission ticket is used by multiple different clients, it SHOULD attempt to revoke any RPT already granted based on the compromised permission ticket. [DISCUSS: 153/154/ed: This para should come out entirely as now being overcome by events due to #154, but also #239/#252, right?]
Permission tickets MUST NOT be single-use; this is in order to allow the client to interact with the authorization server during the claims-gathering flow, which may require multiple interactions, either direct or through redirection of a requesting party.
The authorization server MUST invalidate a permission ticket when an RPT is successfully granted to a client based on this permission ticket or when the permission ticket expires, whichever occurs first.
See [UMA-Impl] for more information about permission ticket management.
If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket property in the JSON-formatted body.
For example:
HTTP/1.1 201 Created Content-Type: application/json ... { "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de" }
If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes (see Section 4.2 for more information about error codes and responses):
If the resource server chooses to respond to the client's access attempt, it has three possible paths.
If the client's request at a protected resource has no RPT, or has an invalid RPT or insufficient authorization data associated with the RPT as determined through RPT status checking (see Section 3.4), and the resource server successfully registered a requested permission and received a permission ticket (see Section 3.2), then assuming the resource server chooses to respond to the client with an UMA response, it MUST provide a WWW-Authenticate header with the authentication scheme UMA, with the issuer URI from the authorization server's configuration data in an as_uri parameter and the just-received permission ticket in a ticket parameter.
If the resource server responds with the HTTP status code 403 (Forbidden), it MAY also return the same permission ticket in the body in a JSON-encoded ticket property. Note: The appearance of the permission ticket in a response body is deprecated and will be removed in a future UMA version. It is included here for backwards compatibility.
Example of the resource server's response to a client after having registered a requested permission and received a ticket:
HTTP/1.1 401 Unauthorized WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de" ...
Alternate example illustrating a response with HTTP status code 403 (Forbidden):
HTTP/1.1 403 Forbidden WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com", error="insufficient_scope", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de" { "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de" }
On receiving a response from the resource server with permission ticket and authorization server location information, the client next seeks authorization (see Section 3.5).
If the client's request at the protected resource has no RPT, or has an invalid RPT or insufficient authorization data associated with the RPT as determined through RPT status checking (see Section 3.4), and the resource server received an error of any kind from the authorization server when trying to register a requested permission such that it did not receive a permission ticket, then assuming the resource server chooses to respond to the client, it is unable to create a WWW-Authenticate: UMA header and MUST include a header of the following form in its response to the client: Warning: 199 - "UMA Authorization Server Unreachable".
For example:
HTTP/1.1 403 Forbidden Warning: 199 - "UMA Authorization Server Unreachable" ...
The client's presentation of a valid RPT associated with sufficient authorization data as determined through RPT status checking (see Section 3.4) indicates that the resource owner's policies have been met for access to the protected resource. The resource server MAY apply additional authorization controls when determining how to respond.
Example of the resource server's response to the client:
HTTP/1.1 200 OK Content-Type: application/json ... { "f_number": "f/5.6", "exposure": "1/320", "focal_length_mm": 150, "iso": 400, "flash": false }
The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization. To ensure the integrity of the ecosystem in which the resource server, authorization server, and resource owner are participating, it is RECOMMENDED for the parties to establish agreements about access rules in this case on a legal or contractual level. See Section 7.4 for more information.
If a client's request at a protected endpoint has an RPT, and the resource server chooses to respond to the client, then it MUST determine the RPT's status, including whether it is active and, if so, its associated authorization data indicating whether the client is authorized for access before taking next actions.
This specification makes one type of RPT REQUIRED for the authorization server to support: the UMA bearer token profile, as defined in Section 3.4.2. Implementers MAY define and use other RPT profiles.
The RPT's nature and format are dictated by its profile; the profile might allow it to be self-contained, such that the resource server is able to introspect its status and associated authorization data locally, or might require or allow the resource server to make a run-time introspection request of the authorization server that issued the token.
Within any RPT profile, when a resource server needs to introspect a token in a non-self-contained way to determine its status, it MAY require, allow, or prohibit use of the OAuth token introspection endpoint (defined by [RFC7662]) that is part of the protection API, and MAY profile its usage.
This section defines the UMA bearer token profile. Following is a summary:
An example of a client making a request with an RPT using the Bearer scheme appears in Section 3.1.2.
On receiving an RPT with the Bearer scheme in an authorization header from a client making an access attempt, the resource server introspects the token by using the token introspection endpoint of the protection API. The PAT used by the resource server to make the introspection request provides resource-owner context to the authorization server.
The authorization server responds with a JSON object with the structure dictated by [RFC7662]. If the active property has a Boolean value of true, then the JSON object MUST NOT contain a scope claim, and MUST contain an extension property with the name permissions that contains an array of zero or more values, each of which is an object consisting of these properties:
Example:
HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store { "active": true, "exp": 1256953732, "iat": 1256912345, "permissions": [ { "resource_set_id": "112210f47de98100", "scopes": [ "view", "http://photoz.example.com/dev/actions/print" ], "exp" : 1256953732 } ] }
If the client received a need_info error in response to its request for authorization, it has the opportunity to continue seeking authorization by engaging in follow-on flows with the authorization server, either directly or through redirection of an end-user requesting party. This process is sometimes known as "trust elevation".
If an error_details object was also returned with the error, then the contents of that object indicate the flow options.
On receiving an authentication_context hint, the client has the option to redirect the requesting party to the authorization server to reauthenticate, as if for an AAT, in a manner anticipated to be more successful for gaining access. Such an action is sometimes referred to as "step-up" authentication.
If the authorization server can accept pushed claims (for example, as it might have indicated by providing requesting_party_claims hints illustrated in Section 3.5.4), the client has the option to push claim tokens to the RPT endpoint. The claim token can reflect the client's role as a federated identity provider, a federated relying party, or an application integrated with a native identity repository.
If the client is aware of the authorization server's requirements for claims through an out-of-band relationship, the client MAY push claim tokens in an initial interaction with the RPT endpoint.
The client supplies claim tokens in the body of the authorization data request message by providing, in addition to the rpt and ticket properties, the following property:
Example:
POST /rpt_authorization HTTP/1.1 Host: www.example.com Authorization: Bearer jwfLG53^sad$#f ... { "rpt": "sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv", "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de", "claim_tokens": [ { "format": "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken", "token": "..." } ] }
This specification provides a framework for extensibility through claim token format profiling. The authorization server MAY support any number of claim token profiles, and SHOULD document the claim token profiles it supports in its configuration data.
If the authorization server has declared a requesting party claims endpoint in its configuration data, or if the authorization server requires direct interaction with the requesting party as part of its claims-gathering process (for example, as it might have indicated through the redirect_user hint illustrated in Section 3.5.4), the client has the option to redirect an end-user requesting party to the requesting party claims endpoint. In this case, the authorization server might be a relying party in a federated identity interaction, or it might connect to a directory or other user repository, or even interact with the user in other ways, such as presenting a questionnaire in a web form. After this process completes, the authorization server redirects the end-user requesting party back to the client.
The client constructs the request URI by adding the following parameters to the query component of the requesting party claims endpoint URI using the application/x-www-form-urlencoded format:
Example of a request issued by a client application (line breaks are shown only for display convenience):
GET /rqp_claims?client_id=some_client_id&state=abc &ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de &claims_redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fredirect_claims HTTP/1.1 Host: as.example.com
At the conclusion of its interaction with the requesting party, the authorization server returns the user agent to the client adding the following parameters to the query component of the claims redirection URI using the application/x-www-form-urlencoded format:
The client MUST ignore unrecognized response parameters. If the request fails due to a missing, invalid, or mismatching claims redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user agent to the invalid redirection URI. If the request fails for reasons other than a missing or invalid claims redirection URI, the authorization server informs the client by adding an error parameter to the query component of the claims redirection URI using the application/x-www-form-urlencoded format, containing one of the following ASCII error codes:
Example of a response issued by an authorization server (line breaks are shown only for display convenience):
GET /redirect_claims?&state=abc &authorization_state=claims_submitted HTTP/1.1 Host: client.example.com
The authorization server MAY gather consent from an end-user requesting party for subsequent direct client engagement in the trust elevation process, and then MAY subsequently represent this consent as a saved consent token when returning an RPT to the client if the authorization is successful (see Section 3.5.3.1 for information on generating and using the saved consent token).
A consent-gathering interaction could be combined with other interactions as necessary in the particular service ecosystem. For example, the authorization server might present an opportunity for the requesting party to create or manage a login account for more persistent storage of gathered claims over time.
Both OAuth and UMA errors can occur.
As described in Section 1.3.1, the protection API requires a PAT for access. PATs are simply OAuth access tokens with appropriate scope. If a request to an endpoint in this API fails due to an invalid, missing, or expired access token, or requires higher privileges at this endpoint than provided by the token supplied, the authorization server responds with an OAuth error.
If a request triggers no OAuth error, but is invalid for another reason as defined throughout this specification, the authorization server or resource server responds with an UMA error, sometimes along with a specified HTTP status code, by supplying the following properties in a JSON-encoded object in the body of the HTTP response:
The following is a common error code that applies to several UMA-specified request messages:
For example:
HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-store ... { "error": "invalid_request", "error_description": "Request is missing a required parameter.", "error_uri": "https://as.example.com/errors/bad_uma_request" }
In some circumstances, it may be desirable to couple UMA software entity roles tightly. For example, an authorization server application might also need to act as a client application in order to retrieve protected resources so that it can present to resource owners a dashboard-like user interface that accurately guides the setting of policy; it might need to access itself-as-authorization server for that purpose. For another example, the same organization might operate both an authorization server and a resource server that communicate only with each other behind a firewall, and it might seek more efficient communication methods between them.
In other circumstances, it may be desirable to bind UMA flows to transport mechanisms other than HTTP even if entities remain loosely coupled. For example, in Internet of Things scenarios, Constrained Application Protocol (CoAP) may be preferred over HTTP.
This section defines profiles that allow inter-role communications channels and methods to vary in these circumstances. This specification still REQUIRES authorization servers to issue PATs, and RPTs and associate authorization data with RPTs, and REQUIRES resource servers not to give access in the case of an invalid RPT or an RPT associated with insufficient authorization. This is because, although tokens might not always appear on the wire in the normal fashion, the tokens may represent sets of expected behaviors of additional parties unable to take part in these optimization opportunities.
Where alternate communications channels are being used between independently implemented system entities, it is RECOMMENDED, for reasons of implementation interoperability, to define concrete extension profiles that build on these extensibility profiles (see Section 6.1).
This section defines a profile for UMA where the authorization server and resource server roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the resource server MAY use means other than the HTTP-based protection API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The authorization server MUST still issue PATs and RPTs and associate authorization data with RPTs, and the resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient authorization data. Interactions with entities other than the authorization server or resource server MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration data (see Section 1.4).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This section defines a profile for UMA where the authorization server and client roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the client MAY use means other than the HTTP-based authorization API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The authorization server MUST still issue PATs and RPTs and associate authorization data with RPTs, and the resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient authorization data. Interactions with entities other than the authorization server or client MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration data (see Section 1.4).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This section defines a profile for UMA where the resource server and client roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the resource server MAY use means other than an HTTP-based resource interface to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient authorization data. Interactions with entities other than the resource server or client MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server involved in deployments where resource servers and clients are known to be using opportunities afforded by the resource interface extensibility profile MAY declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration data (see Section 1.4).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This specification defines a protocol that has optional features. For implementation interoperability and to serve particular deployment scenarios, including sector-specific ones such as healthcare or e-government, third parties may want to define profiles of UMA that restrict these options.
Further, this specification creates extensibility points for RPT profiles and claim token profiles, and third parties may likewise want to define their own. Different RPT profiles could be used, for example, to change the dividing line between authorization server and resource server responsibilities in controlling access. Different claim token profiles could be used to customize sector-specific or population-specific (such as individual vs. employee) claim types that drive the types of policies resource owners could set.
It is not practical for this specification to standardize all desired profiles. However, to serve overall interoperability goals, this section provides guidelines for third parties that wish to specify UMA-related profiles. In all cases, it is RECOMMENDED that profiles document the following information:
It is RECOMMENDED that profiles of UMA additionally document the following information:
See Section 5 for examples.
It is RECOMMENDED that RPT profiles additionally document the following information:
See Section 3.4.2 for an example.
It is RECOMMENDED that claim token format profiles additionally document the following information:
As a profile of OAuth, this specification relies mainly on OAuth security mechanisms as well as transport-level encryption. Thus, implementers are strongly advised to read [BCP195] and the security considerations in [RFC6749] (Section 10) and [RFC6750] (Section 5) along with the security considerations of any other OAuth token-defining specifications in use, along with the entire [RFC6819] specification, and apply the countermeasures described therein. As well, since this specification builds on [OAuth-resource-reg], implementers should also take into account the security considerations in that specification.
The following sections describe additional security considerations.
This section discusses threats related to UMA's nature as an protocol enabling autonomous (non-resource-owner) requesting parties to gain authorized access to sensitive resources, including through the process of claims-gathering redirection.
Like ordinary OAuth redirection, UMA redirection for the purpose of gathering claims from an end-user requesting party (described in Section 3.6.3) creates the potential for cross-site request forgery (CSRF) through an open redirect if the authorization server does not force the client to pre-register its claims redirection endpoint, and server-side artifact tampering if the client does not avail itself of the state parameter. The client SHOULD check that the ticket value returned by an authorization server after a claims redirect is completed has not been maliciously changed, for example by a man in the browser (MITB), by using the state parameter. (See [UMA-Impl] for advice on ways to accomplish this.) Sections 4.4.1.8, 4.4.2.5, and 5.3.5 of [RFC6819] are apropos for the UMA claims-gathering redirection flow as well.
When a client redirects an end-user requesting party to the requesting party claims endpoint, the client provides no a priori context to the authorization server about which user is appearing at the endpoint, other than implicitly through the permission ticket. Since the authorization server is free to gather any claims it wishes, the effect is to "late-bind" them to the permission ticket and the state string provided by the client, with the effect of enabling the authorization server not to trust client-asserted claims. This is a desirable result and reflects one reason why the authorization server might choose to demand use of the redirect flow over the push flow. However, the client has the opportunity to switch end-users -- say, enabling malicious end-user Carlos to impersonate the original end-user Bob who authorized the issuance of the AAT -- after the redirect completes and before it returns to the RPT endpoint to seek authorization data.
Another issue concerns the exposure of a Bearer-type RPT to an autonomous requesting party, which could maliciously pass the token to an unauthorized party.
To mitigate requesting-party switching and RPT exposure threats, consider the following strategies.
Along with TLS, UMA requires OAuth, or any OAuth-based authentication protocol, as the security mechanism for its standardized APIs. The UMA resource server acts in the role of an OAuth client at the authorization server's protection API, and the UMA client acts in the role of an OAuth client at the authorization server's authorization API. While it is possible to use any profile of OAuth for this protection, it is RECOMMENDED for the authorization server to use OpenID Connect, and to use its mechanisms for stronger client authentication at the token endpoint, in order to strengthen the authentication of OAuth clients. Section 16 of [OIDCCore] provides more information on OpenID Connect security considerations.
Clients using the OAuth implicit grant type carry particular vulnerabilities in OAuth, and OpenID Connect is of no help in this circumstance. UMA scenarios are vulnerable as well. For example, an "implicit client" might require the retrieval of AATs more frequently, for each browser on each platform. An attacker can initiate a spear phishing attack on the requesting party with a link to a malicious website, relying on the requesting party to authenticate to the authorization server through an email-based identity provider in order to receive the AAT. The site can impersonate the requesting party using the browser client's client ID in an OpenID Connect implicit request to the UMA authorization server. If the requesting party had previously given consent for an AAT to be issued, this attempt will likely succeed. The subsequently issued AAT and permission ticket for an attempted resource access could potentially be used for RPT retrieval and authorization data issuance.
A number of mitigation strategies are possible.
This specification defines a number of data formats based on [RFC7159]. As a subset of the JavaScript scripting language, JSON data SHOULD be consumed through a process that does not dynamically execute it as code, to avoid malicious code execution. One way to achieve this is to use a JSON parser rather than the built-in JavaScript eval() function.
Parties operating and using UMA software entities have opportunities to establish agreements about the parties' rights and responsibilities on a legal or contractual level, along with common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective security postures, and written profiles are a key mechanism for conveying and enforcing these agreements. Section 6 discusses profiling. Section 5 discusses profiling for extensibility.
In contrast to the threats discussed in Section 7.1, regarding the requesting party redirection model for claims-gathering (see Section 3.6.3), this section discusses the threats surrounding the model for claims-gathering where the client is the direct source of claims (see Section 3.6.2).
Because claim tokens of any format typically contain audience restrictions and an authorization server would typically not be in the primary audience for a claim token held or generated by a client, it is RECOMMENDED to document how the client, authorization server, and any additional ecosystem entities and parties will establish a trust relationship and communicate any required keying material in a claim token format profile, as described in Section 6 and Section 6.3. Authorization servers are RECOMMENDED not to accept claim tokens pushed by untrusted clients and not to ignore audience restrictions found in claim tokens pushed by clients.
In the special circumstance when an authorization server is colocated with an OpenID Provider for the requesting parties within a deployment ecosystem, then it is able to act as an OpenID Relying Party for itself. This circumstance presents an opportunity for a technical optimization of the requirement for trust because the authorization server itself issued the client credentials for the client in question, and could reasonably be the singular aud value target in an OpenID Connect ID Token pushed by the client to the RPT endpoint.
UMA has the following privacy considerations.
The authorization server comes to be in possession of resource set information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until authorization data is associated with its RPT. The more information about a resource set that is registered, the more risk of privacy compromise there is through a less-trusted authorization server.
The primary privacy duty of UMA's design is to the resource owner. However, privacy considerations affect the requesting party as well. This can be seen in the issuance of an AAT, which represents the approval of a requesting party for a client to engage with an authorization server to perform tasks needed for obtaining authorization, possibly including pushing claim tokens. Claim tokens are likely to contain personally identifiable and possibly very sensitive information, and much like identity attributes exchanged during single sign-on, the process of claim token pushing will tend to be invisible to an end-user requesting party if they have not consciously acknowledged and authorized the possibility. A requesting party who provides claims to an authorization server once redirected there is less susceptible to privacy-destroying behavior.
Parties operating and using UMA software entities have opportunities to establish agreements about mutual rights, responsibilities, and common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective privacy postures. See Section 7.4 for more information. Additional considerations related to Privacy by Design concepts are discussed in [UMA-PbD].
This document makes the following requests of IANA.
This specification registers the claim defined in Section 3.4.2.
This specification registers the claim defined in Section 3.4.2.
This specification registers the well-known URI defined in Section 1.4.
The following people made significant text contributions to the specification:
Additional contributors to this specification include the Kantara UMA Work Group participants, a list of whom can be found at [UMAnitarians].
[UMA-casestudies] | Maler, E., “UMA Case Studies”, 2016, <https://kantarainitiative.org/confluence/display/uma/Case+Studies>. |
[UMA-Impl] | Maler, E., “UMA Implementer's Guide”, 2016, <https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Guide>. |
[UMA-obligations] | Maler, E., “Binding Obligations on UMA Participants”, January 2013, <https://docs.kantarainitiative.org/uma/draft-uma-trust.html>. |
[UMA-PbD] | Maler, E., “Privacy by Design Implications of UMA”, December 2013, <https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA>. |
[UMA-usecases] | Maler, E., “UMA Scenarios and Use Cases”, October 2010, <https://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases>. |
[UMAnitarians] | Maler, E., “UMA Participant Roster”, 2016, <https://kantarainitiative.org/confluence/display/uma/Participant+Roster>. |
Eve Maler
(editor)
ForgeRock
EMail: eve.maler@forgerock.com
Maciej Machulak
iWelcome
EMail: maciej.machulak@iwelcome.com
Justin Richer
Bespoke Engineering
EMail: justin@bspk.io