| Version: | 2.0 |
| Date: | 2017-2-6 |
| Editor: | Eve Maler, ForgeRock |
| Contributors: | Maciej Machulak, Self |
| Justin Richer, Bespoke Engineering | |
User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 and related standards to enable a resource owner to control protected resource access by requesting parties and their clients in an asynchronous fashion. Resources reside on any number of resource servers and a central authorization server manages the resource owner's access grants over time.
This document is a draft technical specification produced by the User-Managed Access Work Group. See the Kantara Initiative Operating Procedures for more information.
Copyright © 2017 Kantara Initiative and the persons identified as the document authors. All rights reserved.
This document is subject to the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version).
User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 [RFC6749] and related standards to enable additions to OAuth's abilities as follows:
For example, a bank customer (resource owner) named Alice with a bank account service (resource server) can use a dedicated sharing management service (authorization server) to manage access by a spouse Bob, an accounting professional Charline, and a tax professional David (requesting parties), all using different client applications, to view account data and to give each of them differential access to payment and withdrawal functions. Alice can use the same sharing management service to give out "read", "edit", or "print" access to documents residing in a cloud file system (a different resource server) residing in a different domain to friends Erik and Frances, with whom she is working on a residential community project. (A variety of use cases can be found in [UMA-usecases] and [UMA-casestudies].)
UMA uses the OAuth roles, defines enhanced versions of the roles in some cases, and also defines a new role, the requesting party:
Figure 1 shows the communications among the roles at a high level.
Roles and Communications
+------------------+
| resource |
+- - manage (out of scope) - - - | owner |
| +------------------+
| |
| protection control
| API access (out of scope)
| token (PAT)
| |
v v
+------------+ +----------+------------------+
| | |protection| |
| resource | | API | authorization |
| server |<---protect----| (needs | server |
| | | PAT) | |
+------------+ +----------+------------------+
| protected | | UMA |
| resource | | grant |
|(needs RPT) | | (PCT optional) |
+------------+ +------------------+
^ requesting ^ persisted ^
| party token | claims |
| (RPT) | token |
| push (PCT) |
| claims interact
| +--------+ for
+-------------access---------| client | claims
+--------+ gathering
+---------------+
| requesting |
| party |
+---------------+
Figure 1
The communications among the roles involve these concepts:
A resource owner manages resources at any number of resource servers, and works with an authorization server to set policy conditions that control access grants.
The authorization server presents a protection API (for more detail see Section 1.4.1) to the resource server to enable resource protection. (Except for taking part in PAT issuance, the resource owner's interactions with each server are out of scope of this specification.)
The authorization server supports the UMA grant type (for more detail see Section 1.4.2) to enable issuing grants to clients based on policy conditions in the form of a requesting party token (RPT).
The resource server presents a protected resource interface to the client (for more detail see Section 1.4.3), which enables for handling both initial resource requests by a client with no RPT and subsequent resource requests with an RPT.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in [RFC2119].
Unless otherwise noted, all protocol properties and values are case sensitive. JSON [RFC7159] data structures defined by this specification MAY contain extension properties that are not defined in this specification. Any entity receiving or retrieving a JSON data structure SHOULD ignore extension properties it is unable to understand. Extension names that are unprotected from collisions are outside the scope of this specification.
The federation of authorization in UMA results in a conceptual separation of responsibilities:
Practical control of access among loosely coupled parties typically requires more than just messaging protocols. It is out of scope for this specification to define more than the "technical contract" between UMA-conforming entities. The legally responsible parties representing these entities may form contracts for, and laws and regulations may govern, access-granting relationships. Parties that are operating entities claiming to be UMA-conforming should provide documentation of any rights and obligations between and among them; see Section 7.5 for more information.
Implementers have the opportunity to develop extensions and profiles (see Section 6) that specify and restrict various options, according to deployment and usage conditions.
This specification is designed for use with HTTP [RFC2616], and for interoperability and security in the context of loosely coupled services and applications operated by independent parties in multiple domains. Unless one or more of the profiles defined in Section 5 are in use, the following are REQUIRED:
The resource server is privy to information about resource semantics and structure, only a limited subset of which is exposed through resource registration and API documentation. Thus, certain responsibilities for resource and scope interpretation fall to the resource server.
The resource server MAY register a single resource for protection that, from its perspective, has multiple parts, or has dynamic elements such as the capacity for querying or filtering, or otherwise has internal complexity. The resource server alone is responsible for maintaining any required mappings between internal representations and the resource identifiers and scopes known to the authorization server. Because access attempts on resources by clients are resource identifier-unaware, the process of making a permission request may also require interpretation by the resource server in order to establish a suitable resource identifier, resource owner, and authorization server.
Figure 2 shows a sample high-level protocol flow that summarizes messaging options, illustrating success paths in a context of maximum variety. Section 3 provides detailed specifications of flows that correspond to all success and failure paths and provide all messaging options.
Protocol Flow Summary
resource resource authorization client requesting owner server server | party |Redir...|1 for PAT issuance| | | |<-------|*---------------->| | | | |2 Register resources (w/PAT) | | | |*---------------->| | | | | Attempt resource access w/no token 3| | | |<---------------------------------------#| | | |4 Request permission (w/PAT) | | | |*---------------->| | | | Permission ticket 5| | | | |<----------------*| | | | |6 Return AS location, permission ticket | | | |#--------------------------------------->| | | | Request RPT, send permission 7| | | | | ticket, push claims| | | | |<--------------------=| | | | Authorization 8|= - - -+ | | | | assessment|< - - -+ | | | | |9 Return need_info w/ | | | | |redirect_user, permission ticket | | |=-------------------->| | | | | |10 | | | | for interactive|Redir...| | | | claims gathering| | | | |<---------------------|=------>| | | | Request RPT, send 11| | | | | permission ticket| | | | |<--------------------=| | | | Authorization 8|= - - -+ | | | | assessment|< - - -+ | | | | |12 Issue RPT w/PCT (opt) | | | |=-------------------->| | | | Attempt resource access w/RPT 13| | | |<---------------------------------------#| | | |14 Introspect RPT (w/PAT) | | | |*---------------->| | | | | Return object 15| | | | |<----------------*| | | |Token 16|# - - -+ | | | assessment|< - - -+ | | | | |17 Return resource representation | | | |#--------------------------------------->| |
Figure 2
Steps 1, 2, 4-5, and 14-15 (arrows with an asterisk (*)) summarize communications between the authorization server and resource server that constitute the protection API and related resource owner actions (Section 1.4.1 provides a high-level definition).
Steps 7-12 (arrows with an equal sign (=); note that steps 7 and 8 are repeated) summarize communications between the authorization server and client that constitute the UMA grant and related authorization server and requesting party actions (Section 1.4.2 provides a high-level definition).
Steps 3, 6, 13, 16, and 17 (arrows with a number sign (#)) summarize communications between the resource server and client that constitute the protected resource interface and related resource server actions (Section 1.4.3 provides a high-level definition).
The authorization server MUST declare all of its endpoints in its configuration document (see Section 2).
Note: In step 3, the client attempts access to a protected resource with no token, and in step 4, the resource server requests permissions on behalf of that client at the authorization server. In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply in that request, the API being accessed by the client needs to be structured in such a way that the resource server can derive this information from the client's token-free access attempt. Commonly, this information can be passed through the URI, headers, or body of the client's request. Alternatively, the entire interface could be dedicated to the use of a single resource owner and protected by a single authorization server.
The authorization server's protection API consists of three endpoints:
The resource server is the client of this API. As noted in Section 1.3, the authorization server MUST apply TLS and OAuth protection to this API. The authorization server MUST require a PAT for API access. Thus, the resource server is an OAuth client; it MUST have OAuth client credentials from the authorization server and the ability to obtain an OAuth access token with at least the scope uma_protection (that is, a PAT). If a request to a protection API endpoint fails due to an invalid, missing, or expired PAT, or requires higher privileges at this endpoint than provided by the PAT, the authorization server responds with an OAuth error.
The issuance of a PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting the resources that this resource server registers for protection. Any OAuth authorization grant type might be appropriate depending on circumstances; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner.
Note: Except for PAT issuance, the resource owner-authorization server and resource owner-resource server interfaces are out of scope of this specification. A variety of flows and user interfaces for policy condition setting involving user agents for both of these servers are possible, each with different privacy consequences for end-user resource owners if the experiences encourage or discourage different access granting behaviors. Some discretionary elements of the resource registration API are available for use in such user interfaces.
The resource server MAY protect any subset of the resource owner's resources using different authorization servers or other means entirely, or to protect some resources and not others. Additionally, the choice of protection regimes MAY be made explicitly by the resource owner or implicitly by the resource server. Any such partitioning by the resource server or owner is out of scope for this specification.
Note: Because the resource server is responsible for managing internal resource complexity and because the resource owner-resource server interface is out of scope for this specification, the resource server is fully responsible for managing the process and timing of registering resources, maintaining the registration of resources, and deregistering resources at the authorization server.
As noted in Section 1.3, the resource server MUST expose its protected resources through an HTTP service unless the appropriate extensibility profile is in use. The digital resources MAY take any form (for example, API endpoints).
Once a resource is registered for protection, and until it has been deregistered, the resource server MUST require the client to present a valid RPT with sufficient permissions before giving access.
Note: The following aspects of the resource service-client relationship are out of scope for this specification:
The authorization server has the opportunity to manage the validity periods of access tokens that it issues, their corresponding refresh tokens where applicable, the individual permission components associated with RPTs where applicable, caching periods for responses, and even the OAuth client credentials that it issues. Different time-to-live strategies may be suitable for different resources and scopes of access, and the authorization server has the opportunity to give the resource owner control over lifetimes of tokens and permissions issued on their behalf through policy. These options are all outside the scope of this specification.
Note: Because of the asynchronous nature of resource owner interactions (to authorize issuance of the PAT) and resource server requests to the authorization server that require use of the PAT spurred by requesting-side communications (requesting permissions and introspecting tokens), and potentially for other reasons, the resource owner can frequently expected to be offline when the resource server needs to use a PAT. Therefore, the authorization server needs to manage PAT issuance and expiration and any corresponding refresh token appropriately to ensure that the resource server has access as needed.
The authorization server supplies configuration information in order to document its endpoints and the major conformance options it supports.
Where this specification does not already require optional features to be documented, it is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly, ideally by supplying the URI identifying each UMA profile and extension in its uma_profiles_supported and claim_token_profiles_supported configuration properties, and by using extension configuration properties to indicate specific usage details as necessary.
The authorization server has configuration properties as follows.
The authorization server MUST make its configuration properties available in a JSON document at the path formed by concatenating the string /.well-known/uma2-configuration to the issuer configuration property value as defined in Section 2.1. The syntax and semantics of /.well-known are defined in [RFC5785] and apply to the issuer value when it contains no path component.
Any entity, such as a resource server or client, seeking an authorization server configuration document MUST query it using an HTTP GET request.
Example:
GET /.well-known/uma2-configuration HTTP/1.1 Host: example.com
If the issuer value contains a path component, the caller MUST remove any terminating slash before appending /.well-known/uma2-configuration.
For example, the caller would make the following request to the issuer https://example.com/issuer1, since the issuer value contains a path component:
GET /issuer1/.well-known/uma2-configuration HTTP/1.1 Host: example.com
A successful authorization server response to a configuration document query MUST use the HTTP 200 (OK) status code and return a JSON object using the application/json content type containing the configuration properties as defined in Section 2.1.
Example (note the use of https: for endpoints throughout):
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"issuer":"https://example.com",
"claim_token_profiles_supported":[
"https://example.com/claims/formats/token1"
],
"registration_endpoint":"https://as.example.com/dyn_client_reg_uri",
"token_endpoint":"https://as.example.com/token_uri",
"authorization_endpoint":"https://as.example.com/authz_uri",
"claims_interaction_endpoint":"https://as.example.com/claims_uri",
"resource_registration_endpoint":"https://as.example.com/rs/rsrc_uri",
"introspection_endpoint":"https://as.example.com/rs/status_uri",
"permission_endpoint":"https://as.example.com/rs/perm_uri"
}
Throughout this section, non-normative correspondences to the steps in Figure 2 are noted where applicable.
The recipient of each request message SHOULD respond unless it detects a security concern, such as a suspected denial of service attack that can be mitigated by rate limiting.
In this process, the resource server obtains a PAT on the resource owner's behalf from the authorization server through an [RFC6749] grant flow.
This process assumes that the authorization server has provided the resource server with OAuth client credentials, either dynamically through [RFC7591] or [OIDCDynClientReg], or alternatively through a static process. This process corresponds to step 1 in Figure 2.
In an ongoing fashion, the resource server registers any resources with the authorization server to put them under protection, using the resource registration endpoint of the protection API (as defined by [OAuth-resource-reg]; see Section 7 in that specification for a worked example).
This process assumes that the resource server has discovered the authorization server's configuration document and endpoints as needed. This process corresponds to step 2 in Figure 2.
In this process, the client attempts access to a resource that the resource server considers protected, without having presented a token for authorized access.
This process corresponds to step 3 in Figure 2. This process assumes that the resource server has already registered any relevant resources for protection prior to the client's tokenless access attempt.
Note: This process does not assume that any policy conditions have already been defined at the authorization server. A variety of combinations of access attempt flows and resource owner policy condition-setting interfaces are possible.
After the client's access attempt, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5.
Example of a client request at a protected resource carrying no token:
GET /users/alice/album/photo.jpg HTTP/1.1 Host: photoz.example.com ...
In this process, the resource server requests one or more permissions on the client's behalf at the authorization server's permission endpoint.
This process assumes that the client's request at the protected resource had no token (or had an invalid RPT or insufficient permissions associated with the RPT). The success path of this process corresponds to steps 4 and 5 in Figure 2.
The resource server requests one or more permissions (resource identifiers and corresponding scopes) with the authorization server on the client's behalf. Because the resource server is responsible for its own resource semantics and structure, the process of choosing what permissions to request may require mapping the client's access attempt to its own desired resource identifier(s), and their resource owner and authorization server, before proceeding.
The resource server MAY request permissions that would not suffice for the extent of the client's access attempt at that resource. However, doing so may result in excessive error communications among the entities later.
The PAT provided in the API request enables the authorization server to map the resource server's request to the appropriate resource owner. It is only possible to request permissions for access to the resources of one resource owner, protected by one authorization server, at a time.
In its response, the authorization server returns a permission ticket for the resource server to give to the client that represents the same permissions that the resource server requested.
After this process, if the resource server was requesting permissions due to a tokenless access attempt, its next option is defined in Section 3.5. (If it was requesting permissions due to an access attempt with an RPT, defined in Section 3.7, its next option is defined in Section 3.9.)
The resource server uses the POST method at the permission endpoint. The body of the HTTP request message contains a JSON object (for a request containing a single resource identifier) or array (for a request containing more than one resource identifier) providing the request, using a format derived from the resource description format specified in [OAuth-resource-reg], as follows. The object used in both forms has the following properties:
Example of an HTTP request for a single permission at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
{
"resource_id":"112210f47de98100",
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
]
}
Example of an HTTP request for multiple permissions at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc_uri HTTP/1.1
Content-Type: application/json
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...
[
{
"resource_id":"7b727369647d",
"resource_scopes":[
"view",
"crop",
"lightbox"
]
},
{
"resource_id":"7b72736964327d",
"resource_scopes":[
"view",
"layout",
"print"
]
},
{
"resource_id":"7b72736964337d",
"resource_scopes":[
"http://www.example.com/scopes/all"
]
}
]
The authorization server uses a permission ticket to maintain the state of a set of requested permissions, initially conveyed on the client's behalf by the resource server at attempted resource access time, for the period of time that the client continues to seek authorization for that attempted access.
The authorization server MUST make permission ticket values unguessable by resource servers and clients. Within these constraints, however, the authorization server MAY format the ticket however it chooses, for example either as a random string that references data held on the server or by including data within the ticket itself.
Permission tickets MUST be single-use.
The authorization server MUST invalidate a permission ticket when the client presents the permission ticket either to the token endpoint or interactive claims endpoint; or when the permission ticket expires, whichever occurs first.
If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket property in the JSON-formatted body.
For example:
HTTP/1.1 201 Created
Content-Type: application/json
...
{
"ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de"
}
If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes (see Section 4.2 for more information about error codes and responses):
In this process, the resource server responds to the client's tokenless access attempt on a protected resource.
This process assumes that the resource server sought a permission ticket from the authorization server after a tokenless access attempt by the client. The success path of this process corresponds to step 6 in Figure 2.
After this process, assuming the client received a permission ticket, its next option is defined in Section 3.6.
If the resource server successfully obtained a permission ticket from the authorization server, it responds to the client by providing a WWW-Authenticate header with the authentication scheme UMA, with the issuer URI from the authorization server's configuration document in an as_uri parameter and the just-received permission ticket in a ticket parameter.
For example:
HTTP/1.1 401 Unauthorized WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de" ...
If the resource server received an error of any kind when trying to request permissions such that it did not receive a permission ticket, then it is unable to create a WWW-Authenticate: UMA header and includes a header of the following form in its response to the client: Warning: 199 - "UMA Authorization Server Unreachable".
For example:
HTTP/1.1 403 Forbidden Warning: 199 - "UMA Authorization Server Unreachable" ...
In this process, the client attempts to access the protected resource, now in possession of an RPT.
This process assumes that the client has completed an authorization process. This process corresponds to step 12 in Figure 2.
After the client attempts access, the resource server's next option to act is defined in Section 3.8, and its next option to respond to the client is defined in Section 3.9.
Example of a client request at a protected resource carrying an RPT:
GET /users/alice/album/photo.jpg HTTP/1.1 Authorization: Bearer vF9dft4qmT Host: photoz.example.com ...
In this process, the resource server determines the status of the RPT brought to it by the client in an access attempt.
This process assumes that the client's access attempt bore an RPT. One version of this process corresponds to steps 14-15 in Figure 2.
The resource server determines whether the RPT is active and, if so, its associated permissions. Depending on the nature of the RPT and operative caching parameters, the resource server MAY take any of the following actions as appropriate to determine the RPT's status:
After determining the RPT status, the resource server's next option to respond is defined in Section 3.9.
The resource server's request for introspection of an RPT MUST use the OAuth token introspection endpoint (defined by [RFC7662]) declared by the authorization server in its configuration document. The authorization server MUST require requests to this endpoint to be accompanied by a PAT. The PAT provides resource-owner context to the authorization server as well as demonstrating authorized access.
Note: The act of using the token introspection endpoint may require the resource server to interpret which authorization server to consult and in the context of which resource owner, in order to select which PAT to use to make the API call.
Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:
POST /rs/status_uri HTTP/1.1 Host: as.example.com Authorization: Bearer 204c69636b6c69 ... token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv }
The authorization server's response to the resource server MUST use [RFC7662], responding with a JSON object with the structure dictated by that specification, extended as follows.
If the active property has a Boolean value of true, then the introspection object MUST NOT contain a scope claim, and SHOULD contain an extension property with the name permissions that contains an array of one or more values, each of which is an object consisting of these properties:
For interoperability, if the introspection object does not contain the permissions property, then an UMA extension SHOULD be defined as appropriate, with supporting authorization servers using the uma_profiles_supported configuration property to advertise their support of any alternative structures (see Section 6 for more information).
Example of a response containing the introspection object with the permissions property:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
...
{
"active":true,
"exp":1256953732,
"iat":1256912345,
"permissions":[
{
"resource_id":"112210f47de98100",
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
],
"exp":1256953732
}
]
}
In this process, the resource server responds to the client's access attempt on a protected resource that bore an RPT.
This process assumes that the resource server has determined the status of the RPT. The success path of this process corresponds to steps 16-17 in Figure 2.
The first part of this process is an internal assessment. The second is a response to the client.
This process concludes UMA's protocol flow.
The resource server assesses the permissions associated with the RPT, whether obtained through token introspection or otherwise, and compares them with the RPT-accompanied client's access attempt to a protected resource.
Note: The act of assessment may require the resource server to interpret which resource, resource owner, authorization server, and scope to map to the client's access attempt.
The purpose of this assessment is to determine sufficiency of authorization. The resource server MAY apply additional authorization controls when determining how to respond. For example, if the resource owner's policy conditions at the authorization server have led to issuance of an RPT with sufficient permissions for a particular case, the resource server deployer can choose to bar access to certain additional requesting parties.
To ensure the integrity of the ecosystem in which the resource server, authorization server, and resource owner are participating, it is RECOMMENDED for the parties to establish agreements about access rules on a legal or contractual level. See Section 7.5 for more information.
The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization.
The client's presentation of a valid RPT associated with sufficient permissions indicates that the policy conditions have been met for access to the protected resource.
Example of the resource server's response to the client on sufficiency of authorization:
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"f_number":"f/5.6",
"exposure":"1/320",
"focal_length_mm":150,
"iso":400,
"flash":false
}
The client's presentation of an invalid RPT or an RPT associated with insufficient permissions for access indicates that the policy conditions have not been met for access to the protected resource.
In this case, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5, exactly as if the client had attempted to access the protected resource with no RPT. Because the resource server is responsible for its own resource semantics and structure, it may need to map the client's access attempt to a suitable resource identifier (and thus resource owner and authorization server) before proceeding.
Both OAuth and UMA errors can occur.
As described in Section 1.4.1, the protection API requires a PAT for access. PATs are simply OAuth access tokens with appropriate scope. If a request to an endpoint in this API fails due to an invalid, missing, or expired access token, or requires higher privileges at this endpoint than provided by the token supplied, the authorization server responds with an OAuth error.
If a request triggers no OAuth error, but is invalid for another reason as defined throughout this specification, the authorization server or resource server responds with an UMA error, sometimes along with a specified HTTP status code, by supplying the following properties in a JSON-encoded object in the body of the HTTP response:
The following is a common error code that applies to several UMA-specified request messages:
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
...
{
"error":"invalid_request",
"error_description":"Request is missing a required parameter.",
"error_uri":"https://as.example.com/errors/bad_uma_request"
}
In some circumstances, it may be desirable to couple UMA software entity roles tightly. For example, an authorization server application might also need to act as a client application in order to retrieve protected resources so that it can present to resource owners a dashboard-like user interface that accurately guides the setting of policy; it might need to access itself-as-authorization server for that purpose. For another example, the same organization might operate both an authorization server and a resource server that communicate only with each other behind a firewall, and it might seek more efficient communication methods between them.
In other circumstances, it may be desirable to bind UMA flows to transport mechanisms other than HTTP even if entities remain loosely coupled. For example, in Internet of Things scenarios, Constrained Application Protocol (CoAP) may be preferred over HTTP.
This section defines profiles that allow inter-role communications channels and methods to vary in these circumstances. This specification still REQUIRES authorization servers to issue PATs, and RPTs and associate permissions with RPTs, and REQUIRES resource servers not to give access in the case of an invalid RPT or an RPT associated with insufficient authorization. This is because, although tokens might not always appear on the wire in the normal fashion, the tokens may represent sets of expected behaviors of additional parties unable to take part in these optimization opportunities.
Where alternate communications channels are being used between independently implemented system entities, it is RECOMMENDED, for reasons of implementation interoperability, to define concrete extension profiles that build on these extensibility profiles (see Section 6).
This section defines a profile for UMA where the authorization server and resource server roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the resource server MAY use means other than the HTTP-based protection API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The authorization server MUST still issue PATs and RPTs and associate permissions with RPTs, and the resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient permissions. Interactions with entities other than the authorization server or resource server MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration document (see Section 2).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This section defines a profile for UMA where the authorization server and client roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the client MAY use means other than the HTTP-based authorization API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The authorization server MUST still issue PATs and RPTs and associate permissions with RPTs, and the resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient permissions. Interactions with entities other than the authorization server or client MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration document (see Section 2).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This section defines a profile for UMA where the resource server and client roles either reside in the same system entity or otherwise have a privileged or specialized communications channel between them. Following is a summary:
Using this profile, the resource server MAY use means other than an HTTP-based resource interface to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The resource server still MUST NOT give clients access in the case of invalid RPTs or RPTs that are associated with insufficient permissions. Interactions with entities other than the resource server or client MUST be preserved exactly as they would have if either of them were using standardized UMA APIs, unless other extensibility profiles are also in use.
An authorization server involved in deployments where resource servers and clients are known to be using opportunities afforded by the resource interface extensibility profile MAY declare use of this profile by supplying its identifying URI for one of its uma_profiles_supported values in its configuration document (see Section 2).
Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a CoAP-based UMA profile.
Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.
This specification defines a protocol that has a variety of optional features. For implementation interoperability and to serve particular deployment scenarios, including sector-specific ones such as healthcare or e-government, third parties may want to define profiles of UMA that restrict these options.
Further, this specification builds in specific extensibility points so that third parties can define profiles of companion technologies to fit interoperably within the UMA framework. For example, third parties can define claim token profiles (see Section 3.6.2) using whatever identity assertion or claim token technology is appropriate for their ecosystems. Third parties can also build on the API extensibility profiles (see Section 5) to define their own "API extension profiles".
Finally, this specification uses the natural extensibility within its messaging formats, "application/x-www-form-urlencoded" and JSON, to enable third parties to define extensions that serve adjacent use cases. For example, if necessary, it is possible to substitute a different token introspection object structure to change the dividing line between authorization server and resource server responsibilities in controlling access.
It is not practical for this specification to standardize all such variations of UMA. However, to serve overall interoperability goals, this section provides guidelines for third parties that wish to specify UMA-related profiles and extensions.
It is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly (see Section 2 for details).
In all cases, it is RECOMMENDED that profiles and extensions document the following information:
This specification relies mainly on OAuth 2.0 security mechanisms as well as transport-level encryption. Thus, implementers are strongly advised to read [BCP195] and the security considerations in [RFC6749] (Section 10) and [RFC6750] (Section 5) along with the security considerations of any other OAuth token-defining specifications in use, along with the entire [RFC6819] specification, and apply the countermeasures described therein. As well, implementers should take into account the security considerations in all other normatively referenced specifications.
The following sections describe additional security considerations.
This section discusses threats related to UMA's nature as a protocol enabling party-to-party sharing of protected resource access; that is, enabling requesting parties who are not the resource owner to gain authorized access to protected resources.
For privacy considerations related to requesting parties, see Section 8.2.
Like ordinary OAuth redirection, UMA redirection for the purpose of gathering claims from an end-user requesting party (described in Section 3.6.3) creates the potential for cross-site request forgery (CSRF) through an open redirect if the authorization server does not force the client to pre-register its claims redirection endpoint, and server-side artifact tampering if the client does not avail itself of the state parameter. The client SHOULD check that the ticket value returned by an authorization server after a claims redirect is completed has not been maliciously changed, for example by a man in the browser, by using the state parameter. (See [UMA-Impl] for advice on ways to accomplish this.) Sections 4.4.1.8, 4.4.2.5, and 5.3.5 of [RFC6819] are apropos for the UMA claims-gathering redirection flow as well.
When a client redirects an end-user requesting party to the claims interaction endpoint, the client provides no a priori context to the authorization server about which user is appearing at the endpoint, other than implicitly through the permission ticket. Since the authorization server is free to gather any claims it wishes, the effect is to "late-bind" them to the permission ticket and the state string provided by the client, with the effect of enabling the authorization server not to trust client-asserted claims. This is a desirable result and reflects one reason why the authorization server might choose to demand use of the redirect flow over the push flow. However, the client has the opportunity to switch end-users -- say, enabling malicious end-user Carlos to impersonate the original end-user Bob, who might be represented by a PCT already in that client's possession and might even have authorized the issuance of that PCT -- after the redirect completes and before it returns to the token endpoint to seek permissions.
Another issue concerns the exposure of an RPT to a requesting party, which could maliciously pass the token to an unauthorized party.
To mitigate requesting-party switching and RPT exposure threats, consider the following strategies.
A PCT is similar to a refresh token in that it carries extra power over the usage of an RPT. The authorization server and client MUST keep PCTs confidential in transit and storage, and MUST NOT share any PCT with any other entity other than the issuer or issued client, respectively. The authorization server MUST maintain the binding between a PCT and the client to which it was issued.
Given that a PCT represents a set of requesting party claims, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. Different clients will have different capabilities in this respect; for example, some applications are single-user and perform no local authentication, associating all PCTs with the "current user", while others might have more sophisticated authentication and user mapping capabilities.
This section discusses security considerations related to UMA's use of OAuth and OpenID Connect.
Along with requiring TLS, UMA requires OAuth, or any OAuth-based authentication protocol, as the security mechanism for its protection API. The resource server thus acts in the role of an OAuth client at the authorization server's protection API. While it is possible to use any profile of OAuth for this protection, it is RECOMMENDED for the authorization server to use OpenID Connect, and to use its mechanisms for stronger client authentication at the token endpoint, in order to strengthen the authentication of OAuth clients. Section 16 of [OIDCCore] provides more information on OpenID Connect security considerations.
Clients using the OAuth implicit grant type carry particular vulnerabilities in OAuth, and using OpenID Connect is of no help in this circumstance. This is true where a resource server is used as an OAuth client for obtaining a PAT on a resource owner's behalf, and also where an authorization server is gathering claims from a requesting party through OAuth.
For example, an "implicit client" might require the retrieval of PATs more frequently, for each browser on each platform. An attacker can initiate a spear phishing attack on the resource owner with a link to a malicious website, relying on the resource owner to authenticate to the authorization server through an email-based identity provider in order to receive the PAT. The site can impersonate the resource owner using the browser client's client ID in an OpenID Connect implicit request to the authorization server. If the resource owner had previously authorized a PAT to be issued, this attempt will likely succeed. The subsequently issued PAT could be used for resource registration and other protection API tasks.
A number of mitigation strategies are possible.
The authorization server MUST prevent attackers from guessing permission tickets and PCTs.
This specification defines a number of data formats based on [RFC7159]. As a subset of the JavaScript scripting language, JSON data SHOULD be consumed through a process that does not dynamically execute it as code, to avoid malicious code execution. One way to achieve this is to use a JSON parser rather than the built-in JavaScript eval() function.
Parties that are operating and using UMA software entities have opportunities to establish agreements about the parties' rights and responsibilities on a legal or contractual level, along with common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective security postures, and written profiles are a key mechanism for conveying and enforcing these agreements. Section 6 discusses profiling. Section 5 discusses profiling for extensibility. Finally, see [UMA-legal] to learn about tools to assist in the legal and contractual elements of deploying UMA-enabled services.
This section discusses the threats surrounding client claim pushing (see Section 3.6.2).
Because claim tokens of any format typically contain audience restrictions and an authorization server would typically not be in the primary audience for a claim token held or generated by a client, it is RECOMMENDED to document how the client, authorization server, and any additional ecosystem entities and parties will establish a trust relationship and communicate any required keying material in a claim token profile, as described in Section 6. Authorization servers are RECOMMENDED not to accept claim tokens pushed by untrusted clients and not to ignore audience restrictions found in claim tokens pushed by clients.
In the special circumstance when an authorization server is colocated with an OpenID Provider for the requesting parties within a deployment ecosystem, then it is able to act as an OpenID Relying Party for itself. This circumstance presents an opportunity for a technical optimization of the requirement for trust because the authorization server itself issued the OAuth client credentials for the client in question, and could reasonably be the singular aud value target in an OpenID Connect ID Token pushed by the client to the token endpoint.
UMA has the following privacy considerations.
The authorization server comes to be in possession of resource information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until permissions are associated with its RPT. The more information about a resource that is registered, the more risk of privacy compromise there is through a less-trusted authorization server.
The primary privacy duty of UMA's design is to the resource owner. However, privacy considerations affect the requesting party as well, having to do with the nature of claims. Claims are likely to contain personal, personally identifiable, and sensitive information, particularly in the case of requesting parties who are end-users.
If the authorization server supports persisting claims for any length of time (for example, to support issuance of PCTs), then it SHOULD provide a secure and privacy-protected means of storing claim data. It is also RECOMMENDED for the authorization server to use an interactive claims-gathering flow to ask an end-user requesting party for authorization to persist their claims before issuing a PCT. A requesting party who provides claims to an authorization server once having been redirected there is less susceptible to privacy-destroying behavior. Otherwise, certain flows such as claim pushing and interactive federated sign-in with automatic login will tend to be invisible to the user if they have not consciously authorized the possibility.
Parties that are operating and using UMA software entities have opportunities to establish agreements about mutual rights, responsibilities, and common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective privacy postures. See Section 7.5 for more information. Additional considerations related to Privacy by Design concepts are discussed in [UMA-PbD].
This document makes the following requests of IANA.
This specification registers the claim defined in Section 3.8.2.
This specification registers the claim defined in Section 3.8.2.
This specification registers the well-known URI defined in Section 2.
This specification registers the parameters defined in Section 3.6.1.
The following people made significant text contributions to the specification:
Additional contributors to this specification include the Kantara UMA Work Group participants, a list of whom can be found at [UMAnitarians].
| [UMA-casestudies] | Maler, E., “UMA Case Studies”, 2016, <https://kantarainitiative.org/confluence/display/uma/Case+Studies>. |
| [UMA-Impl] | Maler, E., “UMA Implementer's Guide”, 2016, <https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Guide>. |
| [UMA-PbD] | Maler, E., “Privacy by Design Implications of UMA”, December 2013, <https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA>. |
| [UMA-usecases] | Maler, E., “UMA Scenarios and Use Cases”, October 2010, <https://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases>. |
| [UMAnitarians] | Maler, E., “UMA Participant Roster”, 2016, <https://kantarainitiative.org/confluence/display/uma/Participant+Roster>. |
| [UMA-legal] | Maler, E., “UMA Legal”, November 2016, <http://kantarainitiative.org/confluence/display/uma/UMA+Legal>. |
Eve Maler
(editor)
ForgeRock
EMail: eve.maler@forgerock.com
Maciej Machulak
Self
EMail: maciej.machulak@gmail.com
Justin Richer
Bespoke Engineering
EMail: justin@bspk.io