User-Managed Access

From Wikipedia, the free encyclopedia
Jump to: navigation, search

User-Managed Access (UMA) is an OAuth-based web-based access management protocol. The protocol is defined in a draft version 1.0 specification. A corresponding specification defines obligations of legally responsible parties that engage in UMA-conforming interactions. The effort to incubate the development of UMA as a web standard is taking place in the Kantara Initiative organization.

UMA explores several hypotheses. One is that run-time consent is a weak and inconvenient tool for exercising user control over the sharing of sensitive information. Another is that managing data-sharing connections between a single server and a single client app at a time does not scale broadly to Internet usage. Another is that individual empowerment and privacy enhancement require control over and visibility into data sharing with a variety of parties, not just applications that the individual himself or herself uses.

Accordingly, UMA's design focuses on defining how a web user makes use of a web application called an authorization server (AS) to coordinate protection and sharing of web resources that are under that user's control. The web resources might reside at any number of servers, which UMA calls resource servers (RS). Requesting parties, which can include the resource owner as well as other people or organizations, can access the protected resources through client applications, as long as those parties meet the resource owner's policies residing at the AS.

History and background[edit]

The Kantara Initiative's UMA Work Group[1] held its first meeting[2] on August 6, 2009. UMA's design principles and technical design have been informed by previous work by Sun Microsystems employees, begun in March 2008, on a protocol called ProtectServe. In turn, ProtectServe was influenced by the goals of the Vendor Relationship Management movement and an offshoot effort called feeds-based VRM.

ProtectServe and UMA's earliest versions leveraged the OAuth 1.0 protocol. As OAuth underwent significant change through the publication of the Web Resource Authorization Protocol (WRAP) specification and, subsequently, drafts of OAuth 2.0, the UMA specification has kept pace, and it now uses the OAuth 2.0 family of specifications for several key protocol flows.

UMA does not use or depend on OpenID 2.0 as a means of user identification. However, it optionally uses the OAuth-based OpenID Connect protocol as a means of collecting identity claims from a requesting party in order to attempt to satisfy the authorizing user's access policy.

UMA also does not use or depend on the eXtensible Access Control Markup Language (XACML) as a means of encoding user policy or requesting policy decisions. UMA does not dictate policy format, as policy evaluation is performed internally to the AM from the UMA perspective. However, the UMA protocol flows for requesting access permission have some features in common with the XACML protocol.

Standardization status[edit]

The UMA WG's charter targets the Internet Engineering Task Force (IETF) as an eventual home for UMA standardization work. To this end, the WG has contributed several individual Internet-Drafts to the IETF for consideration. One of these, a specification for OAuth Dynamic Client Registration,[3] has been accepted as a work item for the Web Authorization (OAuth) Working Group.

Implementation and adoption status[edit]

The UMA core protocol has several implementations. Gluu has implemented UMA, using the UMA protocol to secure and manage access to APIs.[4] Cloud Identity Limited has a complete UMA implementation for securing and managing access to personal information as well as Web API's. A number of others have signaled interest in implementing UMA and have been participating in interoperability testing.


  1. ^ UMA Work Group Wiki
  2. ^ UMA workgroup meeting minutes
  3. ^ Internet Draft: OAuth 2.0 Dynamic Client Registration Core Protocol
  4. ^ Gluu OSS implementation of UMA

External links[edit]