Network Working Group                                   T. Hardjono, Ed.
Internet-Draft                                                       MIT
Intended status: Informational                                  E. Maler
Expires: July 29, 2016                                         ForgeRock
                                                             M. Machulak
                                                          Cloud Identity
                                                             D. Catalano
                                                                  Oracle
                                                        January 26, 2016


             User-Managed Access (UMA) Profile of OAuth 2.0
                    draft-hardjono-oauth-umacore-14

Abstract

   User-Managed Access (UMA) is a profile of OAuth 2.0.  UMA defines how
   resource owners can control protected-resource access by clients
   operated by arbitrary requesting parties, where the resources reside
   on any number of resource servers, and where a centralized
   authorization server governs access based on resource owner policies.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 29, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Hardjono, et al.          Expires July 29, 2016                 [Page 1]


Internet-Draft                  UMA Core                    January 2016


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     2.2.  Informative References  . . . . . . . . . . . . . . . . .   3
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Introduction

   User-Managed Access (UMA) is a profile of OAuth 2.0 [OAuth2].  UMA
   defines how resource owners can control protected-resource access by
   clients operated by arbitrary requesting parties, where the resources
   reside on any number of resource servers, and where a centralized
   authorization server governs access based on resource owner policies.
   Resource owners configure authorization servers with access policies
   that serve as asynchronous authorization grants.

   UMA serves numerous use cases where a resource owner uses a dedicated
   service to manage authorization for access to their resources,
   potentially even without the run-time presence of the resource owner.
   A typical example is the following: a web user (an end-user resource
   owner) can authorize a web or native app (a client) to gain one-time
   or ongoing access to a protected resource containing his home address
   stored at a "personal data store" service (a resource server), by
   telling the resource server to respect access entitlements issued by
   his chosen cloud-based authorization service (an authorization
   server).  The requesting party operating the client might be the
   resource owner, where the app is run by an e-commerce company that
   needs to know where to ship a purchased item, or the requesting party
   might be resource owner's friend who is using an online address book
   service to collect contact information, or the requesting party might
   be a survey company that uses an autonomous web service to compile
   population demographics.  A variety of use cases can be found in
   [UMA-usecases] and [UMA-casestudies].

   Please see for the full UMA-Core 1.0 Specification for a complete
   description of UMA Core.







Hardjono, et al.          Expires July 29, 2016                 [Page 2]


Internet-Draft                  UMA Core                    January 2016


2.  References

2.1.  Normative References

   [OAuth2]   Hardt, D., "The OAuth 2.0 Authorization Framework",
              October 2012, <http://tools.ietf.org/html/rfc6749>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [UMAcore]  Hardjono, T., Maler, E., Machulak, M., and D. Catalano,
              "User-Managed Access (UMA) Profile of OAuth 2.0 Version
              1.0.1", December 2015,
              <https://docs.kantarainitiative.org/uma/draft-uma-core-
              v1_0_1.html>.

2.2.  Informative References

   [UMA-casestudies]
              Maler, E., "UMA Case Studies", April 2014,
              <http://kantarainitiative.org/confluence/display/uma/
              Case+Studies>.

   [UMA-usecases]
              Maler, E., "UMA Scenarios and Use Cases", October 2010,
              <http://kantarainitiative.org/confluence/display/uma/
              UMA+Scenarios+and+Use+Cases>.

Authors' Addresses

   Thomas Hardjono (editor)
   MIT

   Email: hardjono@mit.edu


   Eve Maler
   ForgeRock

   Email: eve.maler@forgerock.com


   Maciej Machulak
   Cloud Identity

   Email: maciej.machulak@cloudidentity.co.uk



Hardjono, et al.          Expires July 29, 2016                 [Page 3]


Internet-Draft                  UMA Core                    January 2016


   Domenico Catalano
   Oracle

   Email: domenico.catalano@oracle.com















































Hardjono, et al.          Expires July 29, 2016                 [Page 4]