Allan Foster, ForgeRock
Eve Maler, ForgeRock
Examination of UMA (User Managed Access) as an emerging standard, presenting both individual and enterprise use cases and showing how UMA could address many of them in an open, lightweight, approachable way, while still allowing and interoperating with other technologies.
10.
ACIs and ACLs: Doesn’t scale, becomes unmanageable as users and resources grow
RBAC: Doesn’t scale, leads to role proliferation and multiplexing
ABAC
18.
What is, and isn’t, UMA?
■ It’s a draft standard for authorization V.next
■ It’s a profile and application of OAuth
■ It’s not a new, disconnected technology
■ It’s a set of privacy-by-design and consent APIs
■ It’s not an “XACML killer”
19.
[Diagram: the UMA “marvelous spiral” of roles: resource owner, requesting party, authorization server, resource server and client, linked by the relationships manage, consent, control, negotiate, protect, authorize and access]
*Thanks to UMAnitarian Domenico Catalano for the “marvelous spiral”
23.
Collecting claims from the requesting party to assess policy
[Diagram: the role spiral (resource owner, resource server, authorization server, client, requesting party) extended with an OIDC server the requesting party authenticates to; callouts: “Client acting as claims conveyor” and “Client redirects the Requesting Party to AS”]
25.
Patient-centric health data sharing
■ UMA uniquely solves for Consent Directives
■ Special requirements:
– Impeccable security
– “Context, control, choice, and respect”
– Wide ecosystem
– Accounting of Disclosures
– Meaningful Use
– (Relationship Locator Service)
26.
[Diagram: the role spiral applied to health data: a patient AS fronting a consent directive server; a FHIR EHR API / lab results / FitBit… as the resource server; a web or native app as the client; the care provider, family or Alice herself as the requesting party]
27.
Delegated authorization from SaaS to enterprise
■ Allow Enterprise business logic as policy
■ Easy to define Resources and actions
■ Allow Enterprise freedom in evaluation
■ Each Enterprise provides its own AS
■ Attributes stay in the enterprise
28.
[Diagram: the role spiral applied to the enterprise: an enterprise AS; third-party SaaS APIs as the resource server; a web or native app as the client; enterprise employees as the requesting party]
30.
Resource Server
■ Concerned with protecting Resources
■ Concerned with Clients
■ Supplies resource and scope Attributes to AS
■ Uses OAuth token for access to protection API
■ Redirects Client if its UMA token is insufficient
■ Could have multiple AS relationships
31.
Client
■ Accesses resources on RS
■ Uses OAuth token for access to authorization API
■ Receives UMA token from AS
■ Asks to add authorization to UMA token for access
■ Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering
32.
Resource Owner
■ Provides Resource Owner attributes to AS
■ Can provide Authorization policy to AS
■ Manages access settings of protected resources
33.
Authorization Server
■ Consumes attributes from all parties
■ Evaluates Policy in context of attributes
■ Associates entitlements with UMA token so client can access RS
■ Leaves RS to judge entitlements against access attempt
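An added illustration, not from the deck or from ForgeRock, of how the four roles on slides 30 to 33 interact: the RS registers resources and scopes with the AS, hands the client a permission ticket when its UMA token is insufficient, the client takes the ticket and requesting-party claims to the AS, the AS evaluates the owner's policy and attaches the entitlement to the token, and the RS then judges that entitlement against the access attempt. Everything here is an in-memory model; the class names, claim names, token formats and the return shape of `access` are constructed assumptions, not the UMA wire protocol.

```python
import secrets

class AuthorizationServer:
    def __init__(self):
        self.resources = {}  # resource_id -> {"owner": str, "scopes": set}
        self.policies = {}   # (resource_id, scope) -> claims the requesting party must present
        self.tickets = {}    # permission ticket -> (resource_id, scope) it was issued for
        self.tokens = {}     # UMA token (RPT) -> set of entitled (resource_id, scope)

    def register_resource(self, owner, resource_id, scopes):
        # Protection API: the RS supplies resource and scope attributes to the AS.
        self.resources[resource_id] = {"owner": owner, "scopes": set(scopes)}

    def set_policy(self, owner, resource_id, scope, required_claims):
        # The resource owner provides authorization policy for a registered resource.
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[(resource_id, scope)] = required_claims

    def request_ticket(self, resource_id, scope):
        # Protection API: the RS reports a denied attempt and receives a permission ticket.
        if scope not in self.resources[resource_id]["scopes"]:
            raise ValueError("scope not registered for this resource")
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource_id, scope)
        return ticket

    def authorize(self, ticket, claims, rpt=None):
        # Authorization API: the client presents the ticket plus requesting-party claims;
        # the AS evaluates policy and, if satisfied, adds the entitlement to the UMA token.
        resource_id, scope = self.tickets.pop(ticket)  # a spent ticket cannot be replayed
        required = self.policies.get((resource_id, scope))
        if required is None or any(claims.get(k) != v for k, v in required.items()):
            return None  # policy not satisfied: no entitlement is added
        rpt = rpt or secrets.token_hex(16)
        self.tokens.setdefault(rpt, set()).add((resource_id, scope))
        return rpt

    def introspect(self, rpt):
        return self.tokens.get(rpt, set())

class ResourceServer:
    def __init__(self, authz):
        self.authz = authz
    def access(self, rpt, resource_id, scope):
        # The RS judges the token's entitlements against the concrete attempt; when they are
        # insufficient it hands back a permission ticket for the client to take to the AS.
        if rpt is not None and (resource_id, scope) in self.authz.introspect(rpt):
            return "200 OK", None
        return "401 Unauthorized", self.authz.request_ticket(resource_id, scope)
```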
34.
Summing up
■ OAuth-based framework
■ Facilitates Constrained Delegated Authorization
■ Policy evaluation agnostic
■ Enables humans to control their digital footprint