Version: | 2.0 |
Date: | 2017-4-17 |
Editor: | Eve Maler, ForgeRock |
Authors: | Maciej Machulak, Self |
Justin Richer, Bespoke Engineering |
User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 and related standards to enable a resource owner to control protected resource access by requesting parties and their clients in an asynchronous fashion. Resources reside on any number of resource servers and a central authorization server manages the resource owner's access grants over time.
This document is a draft technical specification produced by the User-Managed Access Work Group. See the Kantara Initiative Operating Procedures for more information.
Copyright © 2017 Kantara Initiative and the persons identified as the document authors. All rights reserved.
This document is subject to the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version).
User-Managed Access (UMA) 2.0 makes use of OAuth 2.0 [RFC6749] and related standards to enable additions to OAuth's abilities as follows:
For example, a bank customer (resource owner) named Alice with a bank account service (resource server) can use a dedicated sharing management service (authorization server) to manage access by a spouse Bob, an accounting professional Charline, and a tax professional David (requesting parties), all using different client applications, to view account data and to give each of them differential access to payment and withdrawal functions. Alice can use the same sharing management service to give out "read", "edit", or "print" access to documents residing in a cloud file system (a different resource server) residing in a different domain to friends Erik and Frances, with whom she is working on a residential community project. (A variety of use cases can be found in [UMA-usecases] and [UMA-casestudies].)
UMA uses the OAuth roles, enhancing the definitions in some cases, and also defines a new role, the requesting party:
Figure 1 shows the communications among the roles at a high level.
+------------------+ | resource | +- - manage (out of scope) - - - | owner | | +------------------+ | | | protection control | API access (out of scope) | token (PAT) | | v v +------------+ +----------+------------------+ | | |protection| | | resource | | API | authorization | | server |<---protect----| (needs | server | | | | PAT) | | +------------+ +----------+------------------+ | protected | | UMA | | resource | | grant | |(needs RPT) | | (PCT optional) | +------------+ +------------------+ ^ requesting ^ persisted ^ | party token | claims | | (RPT) | token | | push (PCT) | | claims interact | +--------+ for +-------------access---------| client | claims +--------+ gathering +---------------+ | requesting | | party | +---------------+
Figure 1: Roles and Communications
The communications among the roles involve these concepts:
A resource owner manages resources at any number of resource servers, and works with an authorization server to set policy conditions that control access grants.
The authorization server presents a protection API (for more detail see Section 1.4.1) to the resource server to enable resource protection. (Except for taking part in PAT issuance, the resource owner's interactions with each server are out of scope of this specification.)
The authorization server supports the UMA grant type (for more detail see Section 1.4.2) to enable issuing grants to clients based on policy conditions in the form of a requesting party token (RPT).
The resource server presents a protected resource interface to the client (for more detail see Section 1.4.3), which enables for handling both initial resource requests by a client with no RPT and subsequent resource requests with an RPT.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Unless otherwise noted, all protocol properties and values are case sensitive. JSON [RFC7159] data structures defined by this specification MAY contain extension properties that are not defined in this specification. Any entity receiving or retrieving a JSON data structure SHOULD ignore extension properties it is unable to understand. Extension names that are unprotected from collisions are outside the scope of this specification.
The federation of authorization in UMA results in a conceptual separation of responsibilities:
Implementers have the opportunity to develop extensions and profiles (see Section 5) that specify and restrict various options, according to deployment and usage conditions.
Practical control of access among loosely coupled parties typically requires more than just messaging protocols. It is out of scope of this specification to define more than the "technical contract" between UMA-conforming entities. The legally responsible parties representing these entities may form contracts for, and laws and regulations may govern, access-granting relationships. Parties that are operating entities claiming to be UMA-conforming should provide documentation of any rights and obligations between and among them; see Section 6.7 for more information.
This specification is designed for use with HTTP [RFC2616], and for interoperability and security in the context of loosely coupled services and applications operated by independent parties in multiple domains. The following are REQUIRED:
The use of UMA over any protocol other than HTTP is undefined. In such circumstances, it is RECOMMENDED to define profiles or extensions to achieve interoperability among independent implementations (see Section 5).
The resource server is privy to information about resource semantics and structure, of which it exposes only a subset through resource registration and API documentation. Thus, it is responsible for certain resource and scope interpretation tasks.
The resource server MAY register a single resource for protection that, from its perspective, has multiple parts, or has dynamic elements such as the capacity for querying or filtering, or otherwise has internal complexity. The resource server alone is responsible for maintaining any required mappings between internal representations and the resource identifiers and scopes known to the authorization server.
Because access attempts on resources by clients are unaware of resource identifiers, the process of making a permission request also requires interpretation by the resource server in order to establish a suitable resource identifier, resource owner, and authorization server. Section 1.4 discusses relevant requirements on the protected resources given this resource server task, and Section 3.4 discusses how the resource server should communicate expectations regarding permission requests to the client.
For its part, in order for the client to have a scope considered by the authorization server as part of an authorization assessment calcultion, it MUST pre-register for the scope at the authorization server (at which point the client acts on its own behalf) and also request the scope during an RPT request at the token endpoint (at which point it acts on the requesting party's behalf).
A variety of authorization, security, and time-to-live policies could be managed on a per-resource owner basis or a per-authorization server basis, as the entities see fit. Validity periods of PATs, RPTs, refresh tokens, permissions, caching periods for responses, and even OAuth client credentials are all subject to management. Different time-to-live strategies may be suitable for different resources and scopes of access. These options are all outside the scope of this specification; where deployment ecosystems using independent implementations seek a consistent high level of security, profiling is RECOMMENDED (see Section 5).
Note: The resource server generally requires access to the protection API when an end-user resource owner is not available (that is, "offline" access). Thus, the authorization server needs to manage the PAT in a way that ensures this outcome.
Figure 2 shows a sample high-level protocol flow that summarizes messaging options, illustrating success paths with maximum variety. Section 1.4.1, Section 1.4.2, and Section 1.4.3 summarize key requirements of the three interfaces and related entity actions being illustrated. Section 3 provides detailed specifications of messaging flows and options that correspond to all possible success and failure paths.
resource resource authorization client requesting owner server server | party |Redir...|1 for PAT issuance| | | |<-------|*---------------->| | | | |2 Register resources (w/PAT) | | | |*---------------->| | | | | Attempt resource access w/no token 3| | | |<---------------------------------------#| | | |4 Request permission (w/PAT) | | | |*---------------->| | | | Permission ticket 5| | | | |<----------------*| | | | |6 Return AS location, permission ticket | | | |#--------------------------------------->| | | | Request RPT, send permission 7| | | | | ticket, push claims| | | | |<--------------------=| | | | Authorization 8|= - - -+ | | | | assessment|< - - -+ | | | | |9 Return need_info w/ | | | | |redirect_user, permission ticket | | |=-------------------->| | | | | |10 | | | | for interactive|Redir...| | | | claims gathering| | | | |<---------------------|=------>| | | | Request RPT, send 11| | | | | permission ticket| | | | |<--------------------=| | | | Authorization 8|= - - -+ | | | | assessment|< - - -+ | | | | |12 Issue RPT w/PCT (opt) | | | |=-------------------->| | | | Attempt resource access w/RPT 13| | | |<---------------------------------------#| | | |14 Introspect RPT (w/PAT) | | | |*---------------->| | | | | Return token 15| | | | introspection object| | | | |<----------------*| | | |+- - - #|16 Permissions | | | |+- - - >|assessment | | | | |17 Return resource representation | | | |#--------------------------------------->| |
Figure 2: Protocol Flow Summary
Steps 1, 2, 4-5, and 14-15 (arrows with an asterisk (*)) summarize communications between the authorization server and resource server that constitute the protection API and related resource owner actions. Section 1.4.1 provides a high-level definition.
Steps 7-12 (arrows with an equal sign (=); note that steps 7 and 8 are repeated) summarize communications between the authorization server and client that constitute the UMA grant and related authorization server and requesting party actions, Section 1.4.2 provides a high-level definition.
Steps 3, 6, 13, 16, and 17 (arrows with a number sign (#)) summarize communications between the resource server and client that constitute the protected resource interface and related resource server actions. Section 1.4.3 provides a high-level definition.
The authorization server presents a configuration document discovery endpoint used by both the resource server and the client, as defined by Section 2.2. The authorization server MUST declare all of its endpoints, other than the configuration document discovery endpoint itself, in the configuration document (see Section 2).
Note: In step 3, the client attempts access to a protected resource with no token, and in step 4, the resource server requests permissions on behalf of that client at the authorization server. In order for the resource server to know which authorization server to approach and which PAT (representing a resource owner) and resource identifier to supply in that request, the API being accessed by the client needs to be structured in such a way that the resource server can derive this information from the client's token-free access attempt. Commonly, this information can be passed through the URI, headers, or body of the client's request. Alternatively, the entire interface could be dedicated to the use of a single resource owner and protected by a single authorization server.
The authorization server's protection API consists of three endpoints:
The resource server is the client of this API. As noted in Section 1.3, the authorization server MUST apply TLS and OAuth protection to this API. The authorization server MUST require a PAT for API access. Thus, the resource server is an OAuth client; it MUST have OAuth client credentials from the authorization server and the ability to obtain an OAuth access token with at least the scope uma_protection (that is, a PAT). If a request to a protection API endpoint fails due to an invalid, missing, or expired PAT, or requires higher privileges at this endpoint than provided by the PAT, the authorization server responds with an OAuth error.
The PAT binds the resource owner, the resource server used for resource management, and the authorization server used for protection of those resources. The issuance of the PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting those resources. A different OAuth authorization grant type for PAT issuance may be appropriate for different types of resource owners; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner.
The resource server MAY protect any subset of the resource owner's resources using different authorization servers or other means entirely, or to protect some resources and not others. Additionally, the choice of protection regimes MAY be made explicitly by the resource owner or implicitly by the resource server. Any such partitioning by the resource server or owner is out of scope of this specification.
Note: Except for PAT issuance, the resource owner-authorization server and resource owner-resource server interfaces are out of scope of this specification. A variety of flows and user interfaces for policy condition setting involving user agents for both of these servers are possible, each with different privacy consequences for end-user resource owners. Some elements of the resource registration API and its data formats enable the building of user interfaces for policy condition setting.
Note: The resource server is responsible for managing the process and timing of registering resources, maintaining the registration of resources, and deregistering resources at the authorization server. See [UMA-Impl] for a discussion of resource registration options.
As noted in Section 1.3, this specification defines flows for protecting resources exposed only in the form of an HTTP service. The digital resources MAY take any form (for example, API endpoints).
Once a resource is registered for protection, and until it has been deregistered, the resource server MUST require the client to present a valid RPT with sufficient permissions before giving access.
Note: The following aspects of the resource server-client relationship are out of scope of this specification:
The authorization server supplies configuration information in order to document its endpoints and the major conformance options it supports.
Where this specification does not already require optional features to be documented, it is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly, ideally by supplying the URI identifying each UMA profile and extension in its uma_profiles_supported configuration property, and by using extension configuration properties to indicate specific usage details as necessary.
The authorization server has configuration properties as follows.
The authorization server MUST make its configuration properties available in a JSON document at a discovery endpoint formed by concatenating the string /.well-known/uma2-configuration to the issuer configuration property value as defined in Section 2.1. The syntax and semantics of /.well-known are defined in [RFC5785] and apply to the issuer value when it contains no path component.
Any entity, such as a resource server or client, seeking an authorization server configuration document MUST query it using an HTTP GET request.
Example:
GET /.well-known/uma2-configuration HTTP/1.1 Host: example.com
If the issuer value contains a path component, the caller MUST remove any terminating slash before appending /.well-known/uma2-configuration.
For example, the caller would make the following request to the issuer https://example.com/issuer1, since the issuer value contains a path component:
GET /issuer1/.well-known/uma2-configuration HTTP/1.1 Host: example.com
A successful authorization server response to a configuration document query MUST use the HTTP 200 (OK) status code and return a JSON object using the application/json content type containing the configuration properties as defined in Section 2.1.
Example of a configuration document returned in response to a query (note the use of https: for endpoints throughout):
HTTP/1.1 200 OK Content-Type: application/json ... { "issuer":"https://example.com", "registration_endpoint":"https://as.example.com/dyn_client_reg", "token_endpoint":"https://as.example.com/token", "authorization_endpoint":"https://as.example.com/authz", "claims_interaction_endpoint":"https://as.example.com/claims", "resource_registration_endpoint":"https://as.example.com/rs/rsrc", "introspection_endpoint":"https://as.example.com/rs/status", "permission_endpoint":"https://as.example.com/rs/perm" }
Example of a configuration document response containing the uma_profiles_supported configuration property indicating that the authorization server supports an UMA profile related to the OpenID Connect-based claim token format:
HTTP/1.1 200 OK Content-Type: application/json ... { "issuer":"https://example.com", "uma_profiles_supported":"http://openid.net/specs/openid-connect-core-1_0.html#IDToken", "registration_endpoint":"https://as.example.com/dyn_client_reg", "token_endpoint":"https://as.example.com/token", "authorization_endpoint":"https://as.example.com/authz", "claims_interaction_endpoint":"https://as.example.com/claims", "resource_registration_endpoint":"https://as.example.com/rs/rsrc", "introspection_endpoint":"https://as.example.com/rs/status", "permission_endpoint":"https://as.example.com/rs/perm" }
Throughout this section, non-normative correspondences to the steps in Figure 2 are noted where applicable.
The recipient of each request message SHOULD respond unless it detects a security concern, such as a suspected denial of service attack that can be mitigated by rate limiting.
In this process, the resource server obtains a PAT on the resource owner's behalf from the authorization server through an [RFC6749] grant flow.
This process assumes that the authorization server has provided the resource server with OAuth client credentials, either dynamically through [RFC7591] or [OIDCDynClientReg], or alternatively through a static process. This process corresponds to step 1 in Figure 2.
After the resource server obtains a PAT, its next step is defined in Section 3.2.
In an ongoing fashion, the resource server registers any resources with the authorization server to put them under protection as required, using the resource registration endpoint of the protection API as defined by [OAuth-resource-reg]. (See that specification for a worked example, and see [UMA-Impl] for a discussion of timing of resource registration.)
This process assumes that the resource server has discovered the authorization server's configuration document and endpoints as needed. This process corresponds to step 2 in Figure 2.
Once the resource server has put a resource under protection, the next option to act is defined in Section 3.3.
In this process, the client attempts access to a resource that the resource server considers protected, without having presented a token for authorized access.
This process corresponds to step 3 in Figure 2. This process assumes that the resource server has already registered any relevant resources for protection prior to the client's tokenless access attempt.
Note: This process does not assume that any policy conditions have already been defined at the authorization server. A variety of combinations of access attempt flows and resource owner policy condition-setting interfaces are possible.
Example of a client request at a protected resource carrying no token:
GET /users/alice/album/photo.jpg HTTP/1.1 Host: photoz.example.com ...
After the client's access attempt, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5.
In this process, the resource server requests one or more permissions on the client's behalf at the authorization server's permission endpoint.
This process assumes that the client's request at the protected resource had no token (or had an invalid RPT or insufficient permissions associated with the RPT). The success path of this process corresponds to steps 4 and 5 in Figure 2.
The resource server requests one or more permissions (resource identifiers and corresponding scopes) with the authorization server on the client's behalf. The process of choosing what permissions to request may require mapping the client's access attempt to its own desired resource identifier(s), and their resource owner and authorization server, before proceeding. The resource server SHOULD request a permission that is appropriate for the client’s access attempt. The resource server MAY request multiple permissions, and any permission MAY have zero scopes associated with it. Requesting multiple permissions may be appropriate, for example, in cases where the resource server expects the requesting party to need access to several related resources if they need access to any one of the resources. Requesting a permission with no scopes may be appropriate, for example, in cases where an access attempt involves an API call that is ambiguous without further context (role-based scopes such as user and admin may have this ambiguous quality, and an explicit client request for a particular scope at the token endpoint later can clarify the desired access). The resource server SHOULD document its intended pattern of permission requests in order to assist the client in pre-registering for and requesting appropriate scopes at the authorization server. See [UMA-Impl] for a discussion of permission request patterns.
The PAT provided in the API request enables the authorization server to map the resource server's request to the appropriate resource owner. It is only possible to request permissions for access to the resources of one resource owner, protected by one authorization server, at a time.
In its response, the authorization server returns a permission ticket for the resource server to give to the client that represents the same permissions that the resource server requested.
After this process, if the resource server was requesting permissions due to a tokenless access attempt, its next option is defined in Section 3.5. (If it was requesting permissions due to an access attempt with an RPT, defined in Section 3.7, its next option is defined in Section 3.9.)
The resource server uses the POST method at the permission endpoint. The body of the HTTP request message contains a JSON object (for a request containing a single resource identifier) or array (for a request containing more than one resource identifier) providing the request, using a format derived from the resource description format specified in [OAuth-resource-reg], as follows. The object used in both forms has the following properties:
Example of an HTTP request for a single permission at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc HTTP/1.1 Content-Type: application/json Host: as.example.com Authorization: Bearer 204c69636b6c69 ... { "resource_id":"112210f47de98100", "resource_scopes":[ "view", "http://photoz.example.com/dev/actions/print" ] }
Example of an HTTP request for multiple permissions at the authorization server's permission endpoint, with a PAT in the header:
POST /host/rsrc HTTP/1.1 Content-Type: application/json Host: as.example.com Authorization: Bearer 204c69636b6c69 ... [ { "resource_id":"7b727369647d", "resource_scopes":[ "view", "crop", "lightbox" ] }, { "resource_id":"7b72736964327d", "resource_scopes":[ "view", "layout", "print" ] }, { "resource_id":"7b72736964337d", "resource_scopes":[ "http://www.example.com/scopes/all" ] } ]
The authorization server uses a permission ticket to maintain the state of a set of requested permissions, initially conveyed on the client's behalf by the resource server at attempted resource access time, for the period of time that the client continues to seek authorization for that attempted access.
The authorization server MUST make permission ticket values unguessable by resource servers and clients. Within these constraints, however, the authorization server MAY format the ticket however it chooses, for example either as a random string that references data held on the server or by including data within the ticket itself.
Permission tickets MUST be single-use. This prevents susceptibility to a session fixation attack.
The authorization server MUST invalidate a permission ticket when the client presents the permission ticket to either the token endpoint or the interactive claims endpoint; or when the permission ticket expires, whichever occurs first.
If the authorization server is successful in creating a permission ticket in response to the resource server's request, it responds with an HTTP 201 (Created) status code and includes the ticket property in the JSON-formatted body.
For example:
HTTP/1.1 201 Created Content-Type: application/json ... { "ticket":"016f84e8-f9b9-11e0-bd6f-0021cc6004de" }
If the resource server's permission registration request is authenticated properly but fails due to other reasons, the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following UMA error codes (see Section 4 for more information about error codes and responses):
In this process, the resource server responds to the client's tokenless access attempt on a protected resource.
This process assumes that the resource server sought a permission ticket from the authorization server after a tokenless access attempt by the client. The success path of this process corresponds to step 6 in Figure 2.
After the resource server responds to the client's access attempt, assuming the client received a permission ticket, the client's next option is defined in Section 3.6.
If the resource server successfully obtained a permission ticket from the authorization server, it responds to the client by providing a WWW-Authenticate header with the authentication scheme UMA, with the issuer URI from the authorization server's configuration document in an as_uri parameter and the just-received permission ticket in a ticket parameter.
For example:
HTTP/1.1 401 Unauthorized WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de" ...
If the resource server received an error of any kind when trying to request permissions such that it did not receive a permission ticket, then it is unable to create a WWW-Authenticate: UMA header and includes a header of the following form in its response to the client: Warning: 199 - "UMA Authorization Server Unreachable".
For example:
HTTP/1.1 403 Forbidden Warning: 199 - "UMA Authorization Server Unreachable" ...
In this process, the client attempts to access the protected resource, now in possession of an RPT.
This process assumes that the client has completed an authorization process. This process corresponds to step 12 in Figure 2.
After the client attempts access, the resource server's next option to act is defined in Section 3.8, and its next option to respond to the client is defined in Section 3.9.
Example of a client request at a protected resource carrying an RPT:
GET /users/alice/album/photo.jpg HTTP/1.1 Authorization: Bearer sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv Host: photoz.example.com ...
In this process, the resource server determines the status of the RPT brought to it by the client in an access attempt.
This process assumes that the client's access attempt bore an RPT. One version of this process corresponds to steps 14-15 in Figure 2.
The resource server determines whether the RPT is active and, if so, its associated permissions. Depending on the nature of the RPT and operative caching parameters, the resource server MAY take any of the following actions as appropriate to determine the RPT's status:
After determining the RPT status, the resource server's next option to respond is defined in Section 3.9.
The resource server's request for introspection of an RPT MUST use the OAuth token introspection endpoint (defined by [RFC7662]) declared by the authorization server in its configuration document. The authorization server MUST require requests to this endpoint to be accompanied by a PAT. The PAT provides resource-owner context to the authorization server as well as demonstrating authorized access.
Note: The act of using the token introspection endpoint may require the resource server to interpret which authorization server to consult and in the context of which resource owner, in order to select which PAT to use to make the API call.
Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:
POST /rs/status HTTP/1.1 Host: as.example.com Authorization: Bearer 204c69636b6c69 ... token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv }
The authorization server's response to the resource server MUST use [RFC7662], responding with a JSON object with the structure dictated by that specification, extended as follows.
If the active property has a Boolean value of true, then the introspection object MUST NOT contain a scope claim, and SHOULD contain an extension property with the name permissions that contains an array of one or more values, each of which is an object consisting of these properties:
For interoperability, if the introspection object does not contain the permissions property, then an UMA extension SHOULD be defined as appropriate, with supporting authorization servers using the uma_profiles_supported configuration property to advertise their support of any alternative structures (see Section 5 for more information).
Example of a response containing the introspection object with the permissions property:
HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store ... { "active":true, "exp":1256953732, "iat":1256912345, "permissions":[ { "resource_id":"112210f47de98100", "resource_scopes":[ "view", "http://photoz.example.com/dev/actions/print" ], "exp":1256953732 } ] }
In this process, the resource server responds to the client's access attempt on a protected resource that bore an RPT.
This process assumes that the resource server has determined the status of the RPT. The success path of this process corresponds to steps 16-17 in Figure 2.
The first part of this process is an internal assessment. The second is a response to the client.
This process concludes UMA's protocol flow.
The resource server assesses the permissions associated with the RPT, whether obtained through token introspection or otherwise, and compares them with the RPT-accompanied client's access attempt to a protected resource.
Note: The act of assessment may require the resource server to interpret which resource, resource owner, authorization server, and scope to map to the client's access attempt.
The purpose of this assessment is to determine sufficiency of authorization. The resource server MAY apply additional authorization controls when determining how to respond. For example, even if an RPT provides sufficient permissions for a particular case, the resource server deployer can choose to bar access to certain additional requesting parties.
To ensure the integrity of the ecosystem in which the resource server, authorization server, and resource owner are participating, it is RECOMMENDED for the parties to establish agreements about access rules on a legal or contractual level. See Section 6.7 for more information.
The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization.
The client's presentation of a valid RPT associated with sufficient permissions indicates that the policy conditions have been met for access to the protected resource.
Example of the resource server's response to the client on sufficiency of authorization:
HTTP/1.1 200 OK Content-Type: application/json ... { "f_number":"f/5.6", "exposure":"1/320", "focal_length_mm":150, "iso":400, "flash":false }
The client's presentation of an invalid RPT or an RPT associated with insufficient permissions for access indicates that the policy conditions have not been met for access to the protected resource.
In this case, the resource server's next option to act is defined in Section 3.4 (requesting permissions, which involves the authorization server), and its next option to respond to the client is defined in Section 3.5, exactly as if the client had attempted to access the protected resource with no RPT. Because the resource server is responsible for its own resource semantics and structure, it may need to map the client's access attempt to a suitable resource identifier (and thus resource owner and authorization server) before proceeding.
As noted in Section 3.6.5, when issuing an RPT, the authorization server MAY also issue a refresh token.
In a typical access token refreshing flow, providing the scope parameter in the request has a token downscoping effect. However, if the client includes the scope parameter when providing a refresh token that is associated with an RPT, the effect is undefined.
If the authorization server presents a token revocation endpoint as defined by [RFC7009], the client MAY use the endpoint to request revocation of an RPT (access token), refresh token, or PCT previously issued to it on behalf of a requesting party. This specification defines the following token type hint value:
If a request triggers no OAuth error, but is invalid for another reason as defined throughout this specification, the authorization server or resource server responds with an UMA error, sometimes along with a specified HTTP status code, by supplying the following properties in a JSON-encoded object in the body of the HTTP response:
The following is a common error code that applies to several UMA-specified request messages:
For example:
HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-store ... { "error":"invalid_request", "error_description":"Request is missing a required parameter.", "error_uri":"https://as.example.com/errors/bad_uma_request" }
For implementation interoperability and to serve particular deployment scenarios, including sector-specific ones such as healthcare or e-government, third parties may want to define profiles of UMA that restrict its available options.
Further, third parties may want to define profiles of companion technologies to fit interoperably within the UMA framework, for example, claim token formats suitable for claim pushing (see Section 3.6.1) or protocol alternatives to HTTP.
Finally, this specification uses the natural extensibility within its messaging formats, "application/x-www-form-urlencoded" and JSON, to enable third parties to define extensions that serve adjacent use cases. For example, if necessary, it is possible to substitute a different token introspection object structure to change the dividing line between authorization server and resource server responsibilities in controlling access.
It is not practical for this specification to standardize all such variations of UMA. However, to serve overall interoperability goals, this section provides guidelines for third parties that wish to specify UMA-related profiles and extensions.
It is RECOMMENDED that authorization server deployers document any profiled or extended features explicitly (see Section 2 for details).
In all cases, it is RECOMMENDED that profiles and extensions document the following information:
This specification relies mainly on OAuth 2.0 security mechanisms as well as transport-level encryption. Thus, implementers are strongly advised to read [BCP195] and the security considerations in [RFC6749] (Section 10) and [RFC6750] (Section 5) along with the security considerations of any other OAuth token-defining specifications in use, along with the entire [RFC6819] specification, and apply the countermeasures described therein. As well, implementers should take into account the security considerations in all other normatively referenced specifications.
The following sections describe additional security considerations.
This section discusses threats related to UMA's nature as a protocol enabling party-to-party sharing of protected resource access; that is, enabling requesting parties who are not the resource owner to gain authorized access to protected resources.
For privacy considerations related to requesting parties, see Section 7.2.
Like ordinary OAuth redirection, UMA redirection for the purpose of gathering claims from an end-user requesting party (described in Section 3.6.2) creates the potential for cross-site request forgery (CSRF) through an open redirect if the authorization server does not force the client to pre-register its claims redirection endpoint, and server-side artifact tampering if the client does not avail itself of the state parameter. The client SHOULD check that the ticket value returned by an authorization server after a claims redirect is completed has not been maliciously changed, for example by a man in the browser, by using the state parameter. (See [UMA-Impl] for advice on ways to accomplish this.) Sections 4.4.1.8, 4.4.2.5, and 5.3.5 of [RFC6819] are apropos for the UMA claims-gathering redirection flow as well.
When a client redirects an end-user requesting party to the claims interaction endpoint, the client provides no a priori context to the authorization server about which user is appearing at the endpoint, other than implicitly through the permission ticket. Since the authorization server is free to gather any claims it wishes, the effect is to "late-bind" them to the permission ticket and the state string provided by the client, with the effect of enabling the authorization server not to trust client-asserted claims. This is a desirable result and reflects one reason why the authorization server might choose to demand use of the redirect flow over the push flow. However, the client has the opportunity to switch end-users -- say, enabling malicious end-user Carlos to impersonate the original end-user Bob, who might be represented by a PCT already in that client's possession and might even have authorized the issuance of that PCT -- after the redirect completes and before it returns to the token endpoint to seek permissions.
Another issue concerns the exposure of an RPT to a requesting party, which could maliciously pass the token to an unauthorized party.
To mitigate requesting-party switching and RPT exposure threats, consider the following strategies.
A PCT is similar to a refresh token in that it carries extra power over the usage of an RPT. The authorization server and client MUST keep PCTs confidential in transit and storage, and MUST NOT share any PCT with any other entity other than the issuer or issued client, respectively. The authorization server MUST maintain the binding between a PCT and the client to which it was issued.
Given that a PCT represents a set of requesting party claims, a client supplying a PCT in its RPT request MUST make a best effort to ensure that the requesting party using the client now is the same as the requesting party that was associated with the PCT when it was issued. Different clients will have different capabilities in this respect; for example, some applications are single-user and perform no local authentication, associating all PCTs with the "current user", while others might have more sophisticated authentication and user mapping capabilities.
After the client's access attempt on a protected resource, assuming the client sent an RPT of the bearer style such as those defined by [RFC6750], the resource server will have received from the client the entire secret portion of the token. This specification assumes only bearer-type tokens because they are the only type standardized as of this writing. However, to strengthen protection for RPTs using a proof-of-possession approach, the resource server could receive an RPT that consists of only a cryptographically signed token identifier, and then to validate the signature, it could submit the token identifier to the token introspection endpoint to obtain the necessary key information. The details of this usage are out of scope of this specification.
Along with requiring TLS, UMA requires OAuth, or any OAuth-based authentication protocol, as the security mechanism for its protection API. The resource server thus acts in the role of an OAuth client at the authorization server's protection API. While it is possible to use any profile of OAuth for this protection, it is RECOMMENDED for the authorization server to use OpenID Connect, and to use its mechanisms for stronger client authentication at the token endpoint, in order to strengthen the authentication of OAuth clients. Section 16 of [OIDCCore] provides more information on OpenID Connect security considerations.
Clients using the OAuth implicit grant type carry particular vulnerabilities in OAuth, and using OpenID Connect is of no help in this circumstance. This is true where a resource server is used as an OAuth client for obtaining a PAT on a resource owner's behalf, and also where an authorization server is gathering claims from a requesting party through OAuth.
For example, an "implicit client" might require the retrieval of PATs more frequently, for each browser on each platform. An attacker can initiate a spear phishing attack on the resource owner with a link to a malicious website, relying on the resource owner to authenticate to the authorization server through an email-based identity provider in order to receive the PAT. The site can impersonate the resource owner using the browser client's client ID in an OpenID Connect implicit request to the authorization server. If the resource owner had previously authorized a PAT to be issued, this attempt will likely succeed. The subsequently issued PAT could be used for resource registration and other protection API tasks.
A number of mitigation strategies are possible.
The authorization server MUST prevent attackers from guessing permission tickets and PCTs.
This specification defines a number of data formats based on [RFC7159]. As a subset of the JavaScript scripting language, JSON data SHOULD be consumed through a process that does not dynamically execute it as code, to avoid malicious code execution. One way to achieve this is to use a JSON parser rather than the built-in JavaScript eval() function.
Parties that are operating and using UMA software entities have opportunities to establish agreements about the parties' rights and responsibilities on a legal or contractual level, along with common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective security postures, and written profiles are a key mechanism for conveying and enforcing these agreements. Section 5 discusses profiling. See [UMA-legal] to learn about tools to assist in the legal and contractual elements of deploying UMA-enabled services.
This section discusses the threats surrounding client claim pushing (see Section 3.6.1).
Because claim tokens of any format typically contain audience restrictions and an authorization server would typically not be in the primary audience for a claim token held or generated by a client, it is RECOMMENDED to document how the client, authorization server, and any additional ecosystem entities and parties will establish a trust relationship and communicate any required keying material in a claim token profile, as described in Section 5. Authorization servers are RECOMMENDED not to accept claim tokens pushed by untrusted clients and not to ignore audience restrictions found in claim tokens pushed by clients.
In the special circumstance when an authorization server is colocated with an OpenID Provider for the requesting parties within a deployment ecosystem, then it is able to act as an OpenID Relying Party for itself. This circumstance presents an opportunity for a technical optimization of the requirement for trust because the authorization server itself issued the OAuth client credentials for the client in question, and could reasonably be the singular aud value target in an OpenID Connect ID Token pushed by the client to the token endpoint.
UMA has the following privacy considerations.
The authorization server comes to be in possession of resource information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until permissions are associated with its RPT. The more information about a resource that is registered, the more risk of privacy compromise there is through a less-trusted authorization server.
The primary privacy duty of UMA's design is to the resource owner. However, privacy considerations affect the requesting party as well, having to do with the nature of claims. Claims are likely to contain personal, personally identifiable, and sensitive information, particularly in the case of requesting parties who are end-users.
If the authorization server supports persisting claims for any length of time (for example, to support issuance of PCTs), then it SHOULD provide a secure and privacy-protected means of storing claim data. It is also RECOMMENDED for the authorization server to use an interactive claims-gathering flow to ask an end-user requesting party for authorization to persist their claims before issuing a PCT. A requesting party who provides claims to an authorization server once having been redirected there is less susceptible to privacy-destroying behavior. Otherwise, certain flows such as claim pushing and interactive federated sign-in with automatic login will tend to be invisible to the user if they have not consciously authorized the possibility.
Since the initial request for a resource is made in an unauthorized and unauthenticated context, such requests are by definition open to all users. The response of that request includes a pointer to the authorization server to query for an access token and present claims. If it is known out of band that authorization server is owned and controlled by a single user, or visiting the authorization server contains other identifying information, then an unauthenticated and unauthorized client would be able to tell which resource owner is associated with a given resource. Other information about the resource owner, such as organizational affiliation or group membership, may be gained from this transaction as well.
Parties that are operating and using UMA software entities have opportunities to establish agreements about mutual rights, responsibilities, and common interpretations of UMA constructs for consistent and expected software behavior. These agreements can be used to improve the parties' respective privacy postures. See Section 6.7 for more information. Additional considerations related to Privacy by Design concepts are discussed in [UMA-PbD].
This document makes the following requests of IANA.
This specification registers the well-known URI defined in Section 2, as required by Section 5.1 of [RFC5785].
This specification registers the claim defined in Section 3.8.2, as required by [OIDCCore].
This specification registers the claim defined in Section 3.8.2, as required by Section 3.1 of [RFC7662].
This specification registers the parameters defined in Section 3.6.1, as required by Section 11.2 of [RFC6749].
This specification registers the errors defined in Section 3.6.6, as required by Section 11.4 of [RFC6749].
This specification registers the errors defined in Section 3.11, as required by Section 4.1.2 of [RFC7009].
The following people made significant text contributions to the specification:
Additional contributors to this specification include the Kantara UMA Work Group participants, a list of whom can be found at [UMAnitarians].
[UMA-casestudies] | Maler, E., “UMA Case Studies”, 2015, <https://kantarainitiative.org/confluence/display/uma/Case+Studies>. |
[UMA-Impl] | Maler, E., “UMA Implementer's Guide”, 2017, <https://kantarainitiative.org/confluence/display/uma/UMA+Implementer%27s+Guide>. |
[UMA-PbD] | Maler, E., “Privacy by Design Implications of UMA”, 2013, <https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA>. |
[UMA-usecases] | Maler, E., “UMA Scenarios and Use Cases”, 2010, <https://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases>. |
[UMAnitarians] | Maler, E., “UMA Participant Roster”, 2017, <https://kantarainitiative.org/confluence/display/uma/Participant+Roster>. |
[UMA-legal] | Maler, E., “UMA Legal”, 2017, <http://kantarainitiative.org/confluence/display/uma/UMA+Legal>. |
Eve Maler
(editor)
ForgeRock
EMail: eve.maler@forgerock.com
Maciej Machulak
Self
EMail: maciej.machulak@gmail.com
Justin Richer
Bespoke Engineering
EMail: justin@bspk.io