UMA Trust Model
Abstract
This document defines the expectations and responsibilities of various parties interoperating in the User-Managed Access (UMA) context. The overall goal for UMA's trust model is to support legal enforceability of any agreements made between authorizing users and requesting parties in the granting of access authorization. This document's audience includes technologists, legal professionals, and operators of UMA-conforming services.
Status
This document is a product of the User-Managed Access Work Group. It is currently under active development. Its latest version can always be found here. See the Change History at the end of this document for its revision number.
Editors
Intellectual Property Notice
The User-Managed Access Work Group operates under Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) and the publication of this document is governed by the policies outlined in this option.
Table of Contents
Introduction
UMA is a Web protocol. As such, it describes a technical "contract" for web-based interactions – standardized request and response messages using standardized data formats – among software entities. The entities fill various roles in order to achieve "user-managed access" to Web resources. The following diagram illustrates the high-level goal of UMA.
The following diagram illustrates the high-level architecture UMA uses to achieve its goal.
Software entities participating in a protocol are known as endpoints. The UMA endpoints are:
- Authorizing user – the "user" in User-Managed Access
- NOTE: "User" is often used informally in the UMA spec, where what is really meant is the browser (or other client software application) being operated by this person
- Authorization manager (or AM)
- Host (of "protected resources")
- Requester
Software is just a tool; it can’t be held legally responsible for its own actions. Because UMA has a goal of setting legally enforceable conditions for access to resources, we must acknowledge the importance of the natural persons (human beings) and legal persons (such as companies) that run, control, own, contract to use, etc. UMA-conforming software. These are parties (distinguishing them from protocol endpoints). The UMA parties are:
- Authorizing user – the person seeking to protect resources stored at the host (context will tell whether the use of the phrase refers to the party or the entity)
- NOTE: This could mean a legal person, but Version 1 of UMA focuses primarily on natural persons acting on their own behalf on the Web
- Host operator – the natural or legal person responsible for the running host service
- Authorization manager operator (or AM operator) – the natural or legal person responsible for the running AM service
- Requesting party – the natural or legal person seeking access to protected resources
Sharing Constellations
While the essential end-to-end relationship being managed in UMA is the one between the authorizing user and the requesting party, there are subtle variations around the nature of the latter and the nature of the software they might use. Each type of requesting party and interaction style defines a different sharing constellation. Following are examples of each.
Person-to-self sharing
This describes most types of today's OAuth-mediated access, for example, when Alice introduces the Klout service to her Twitter account. She uses both services herself, and wants them to communicate together on her behalf.
Person-to-person sharing
Today, many Web 2.0 sites offer some level of this control, but methods, strengths, and interfaces are inconsistent between sites and we're not able to reuse policies across sites. For example, Alice can share Flickr photos with Bob by adding him to her Flickr "friends" or "family" list or by mailing him a special link to a photo album. Or Alice can add Bob as a "friend" on Facebook.
For example, Alice wants to give her dentist's office, DentalCare, temporary access to her calendar, to make it easier to schedule a series of root canal appointments. Carl, the office assistant, might be the actual person acting on behalf of the dental practice who sees Alice's calendar.
For example, Alice has crafted a "personal request for proposals" (known as a pRFP among the Vendor Relationship Management community) because she's in the market for a new car, and she's willing to let car dealerships in her region of the country see the RFP and make her offers. Different car dealerships might use Web crawler services to go out and collect such RFPs, and these services will have to prove in automated fashion that they legitimately represent the right kind of business.
Each constellation's requirements for successful user-managed access may be distinct. For example, in person-to-self sharing, it's unlikely Alice will want to impose stringent contract terms on herself. In person-to-organization sharing, if the organization is using a web service client, it makes no sense to present a browser-interaction interface to it. And if the organization is acting through a human agent such as a receptionist or administrator, that person may need to prove they are acting on behalf of the organization.
Trust Relationships
NOTE: Parts of this section require the reader to have UMA protocol knowledge; references to specific sections of the UMA core protocol specification are provided throughout to help with this process.
To trust another party means to expect it to live up to agreed-on responsibilities. If something goes wrong, it must be possible to assign responsibility accurately. For example, if Alice sets policies that she thinks will prevent Zeke from seeing her calendar, and Zeke gets access somehow through some requester software, who exactly was at fault? Since UMA imposes a loose coupling between the setting of policy, the application of policy in assigning authorizations, and the providing of resources, a lot could go wrong. The act of authorization has to be made meaningful through making different parties' actions enforceable and auditable.
The parties in the UMA picture can potentially have the following expectations of each other. Note that expectations can flow in both directions (though a pair of such expectations is likely not reciprocal):
The UMA protocol can only define junctures where entities are required to uphold expectations of technical trust by other entities, meaning that the interactions can be entirely programmatic or automatable. For example, when a host sends a request message X to an AM, and the AM replies with response message Y, each of their sets of expectations is defined by the relevant normative instructions in the UMA specification. Technical trust is measured in terms of technical conformance (UMA Core Sec 7).
This Trust Model adds elements of business trust to this picture, defining a behavior standard the parties are required to live up to in order to meet each others' expectations. These elements of business trust build on the exact same interactions defined by the technical spec, so that a technical action by an entity implies that the party operating the entity intends to live up to the matching set of business expectations. These constitute a standard set of "general rules" that apply to all parties that deploy entities claiming to be UMA-conforming. A pair of business trust expectations and responsibilities is referred to in this document as a trust relationship.
NOTE: UMA's trust relationships are not legally enforceable unless parties include them in contracts, or unless laws or regulations mandate them.
Following is a pictorial summary of the TRs defined by this Trust Model.
Trust Relationships by Party
Following is a summary of TRs organized by party, with references to the relevant TR collections.
TRs Where the Authorizing User Is Responsible
TR ID |
Party Expecting the Authorizing User to Be Responsible |
2 |
Requesting party |
4 |
AM operator |
6 |
Host operator |
TRs Where the AM Operator Is Responsible
TR ID |
Party Expecting the AM Operator to Be Responsible |
3 |
Authorizing user |
8 |
Host operator |
9 |
Host operator |
12 |
Requesting party |
TRs Where the Host Operator Is Responsible
TR ID |
Party Expecting the Host Operator to Be Responsible |
5 |
Authorizing user |
7 |
AM operator |
10 |
AM operator |
15 |
Requesting party |
TRs Where the Requesting Party Is Responsible
TR ID |
Party Expecting the Requesting Party to Be Responsible |
1 |
Authorizing user |
11 |
AM operator |
13 |
AM operator |
15 |
Host operator |
Trust Relationships Outside of UMA
Parties are free to define or adhere to additional "special rules" beyond the trust relationships defined in this document. Following are typical pairwise agreements the parties might form between themselves.
Note that UMA neither anticipates nor requires any outside trust relationship between the authorizing user and the requesting party. This is because UMA's central purpose is to enable this trust relationship itself.
Following are some examples of pairwise terms of service that parties might execute:
- The host operator relies on the authorizing user to adhere to the host operator’s terms of service (TOS). This trust relationship typically gets formed when the user initially registers for an account at the service.
- The AM operator relies on the operator of a requester web app, apart from any particular requesting party's usage of that web app, to adhere to the AM operator's TOS for API clients. This TR typically gets formed when the client app developer registers for client credentials, or through "API-wrap" TOS (akin to "browse-wrap" that binds a user who merely visits a website).
- The requesting party relies on its employee to act as its legitimate agent. The authorizing user's policy may require the requesting party to prove that the request is being mediated by a legitimate agent for that party. However, the requesting party itself is the one who may impose constraints on its workforce around keeping information learned in the course of business confidential etc.
- The requesting party relies on the operator of a requester web service to adhere to any contractual agreement governing that service. For example, a car dealership may contract out to use a cloud service that crawls the Web looking for personal RFPs that meet the dealership's criteria.
- The operator of the requester app relies on the host operator to be the correct party for supplying trustworthy information of a certain type. For example, in a scenario where the authorizing user is trying to fill in an online loan application through a financial service (the requester) and the host provides credit risk data about the user, the financial service will want to authenticate the host service in some fashion.
Another way of creating rules that go beyond UMA is for parties to join trust frameworks that impose umbrella agreements on their members. Such agreements might contain more specific versions of UMA's trust relationships, or additional trust relationships among the parties, or might include requirements to use specially profiled technical features of UMA, or impose user experience requirements on parties interacting with human beings – or all of the above. This is where levels of identity or attribute assurance, levels of data protection, and levels of data usage control might come in to the picture.
Trust Relationships at the Heart of UMA
This is the set of trust relationships that describes the overall purpose of UMA. The authorizing user works through the AM as a proxy for authorization management.
TR ID |
Expecting party |
Responsible party |
Contextual parties |
Expected behavior of responsible party |
When TR is formed |
Protocol spec section |
Comments |
1 |
Authorizing user |
Requesting party |
AM operator, host operator |
Adhere to promises made in order to get access authorization granted. |
When the requesting party successfully receives access to a protected resource by wielding a valid requester permission token with a currently valid permission for the type of access sought. |
3.1.3 |
Previously, the requesting party asked for the permission from the AM and may have had to provide claims asserting willingness to adhere to data usage constraints imposed by the user. This is precisely the end-to-end access authorization agreement that UMA exists to forge. Accepting access to the protected resource binds the requesting party to the terms it agreed to. |
2 |
Requesting party |
Authorizing user |
AM operator |
Respect the boundaries of data usage constraints given to the requesting party. |
When the AM grants the requester a permission for the requested scope. |
3.4.4, when the AM returns 201 |
For example, the authorizing user should not subsequently protest or sue the requesting party operator for the resale of the user’s data if this was allowed by the terms of the granted authorization. (The AM operator acts as the user’s proxy to set the boundaries of permissions based on the user's policies.) |
This is the set of trust relationships formed in UMA phase 1, when the user introduces a host and AM to work together in protecting resources. The user will likely introduce many hosts to the same AM. In some cases, particular hosts may make it possible to protect some resources with one AM and other resources with a different AM. Many of these trust relationships depend on the authorizing user's expression of various preferences and instructions through a user interface, and to this extent, they have a subjective component.
TR ID |
Expecting party |
Responsible party |
Contextual parties |
Expected behavior of responsible party |
When TR is formed |
Protocol spec section |
Comments |
3 |
Authorizing user |
AM operator |
Host operator |
Work with this host operator in protecting the user's resources hosted here. |
When the user authorizes the AM to issue a protection API token. |
(2.3 |
Later, the AM will require the host to present the PAT whenever it uses the AM’s protection API on behalf of this user. The user can break this trust relationship by revoking the PAT. |
4 |
AM operator |
Authorizing user |
Host operator |
Introduce the desired host operator to this AM operator in outsourcing protection of this host's resources. |
When the user authorizes the AM to issue a protection API token. |
2.3 |
How the host collected the AM's location is out of band for UMA; it is the user's responsibility to check that the user has been redirected to an acceptable AM before authorizing the connection. The user can break this trust relationship by revoking the PAT. |
5 |
Authorizing user |
Host operator |
AM operator |
Participate in the outsourcing of authorization for protected resources and respect the permissions generated by the AM. |
When the user authorizes the AM to issue a protection API token. |
2.3 |
Once the AM operator becomes the user’s authorization proxy, it begins relying on the host operator in other, more specific ways. The host has the opportunity to inspect permissions in Phase 2, but its responsibility for respecting them begins now. The user can break this trust relationship by revoking the PAT. |
6 |
Host operator |
Authorizing user |
AM operator |
Introduce the host to the desired AM operator. |
When the user authorizes the AM to issue a protection API token. |
2.3 |
Once the AM operator becomes the user’s authorization proxy, the host operator begins relying on it in other, more specific ways. How the user indicated the desired AM to the host is out of band for UMA; it is the user's responsibility to check that the user has been redirected to an acceptable AM before authorizing the connection. The user can break this trust relationship by revoking the PAT. |
7 |
AM operator |
Host operator |
Authorizing user |
a) Register resource sets and applicable actions accurately and timely according to the user’s wishes for protection/selective sharing. |
When the user authorizes the AM to issue a protection API token. |
2.3 |
The host has the opportunity to register resource sets later in Phase 1, but its responsibility for performing this task begins now. The user can break this trust relationship by revoking the PAT. |
Trust Relationships Involving the Protection API Token
This is the set of trust relationships that allow the protection outsourcing to take place. The host operator and AM operator have two contexts for dealing with each other: one is specific to the authorizing user (the same two operators could participate in protection for different users) and the other is specific to the requesting party (the same two operators could be protecting the same resource on behalf of the same user but fielding requests from different requesting parties). Many of these trust relationships depend on the authorizing user's expression of various preferences and instructions through a user interface, and to this extent, they have a subjective component.
TR ID |
Expecting party |
Responsible party |
Contextual parties |
Expected behavior of responsible party |
When TR is formed |
Protocol spec section |
Comments |
8 |
Host operator |
AM operator |
Requesting party |
Provide accurate requester permission token status information, including active permissions. |
When the host checks the RPT status. |
3.3 |
This TR involves only UMA token profiles that are defined as part of the UMA spec. Third-party profiles must be covered in externally defined TRs ("special rules"). |
9 |
Host operator |
AM operator |
Authorizing user |
Represent the user’s authorization policies accurately and timely in issuing a permission. |
When the host successfully registers a permission at the AM. |
3.2 |
Later in Phase 2, when a requester approaches the AM seeking that permission, the AM matches user policies to the requested permission to drive any requests for claims and its ultimate authorization decision, but its responsibility for performing this task begins now. |
10 |
AM operator |
Host operator |
Requesting party |
Respect the status of permissions granted by the AM operator. |
When the host checks the RPT status. |
3.3 |
The host operator, as an autonomous party, carries a great deal of responsibility here not to grant access where the AM has not granted permission and to make every effort to grant access where the AM has granted permission. Its interpretation of scopes and permissions is not directly auditable by the AM. Further, issues can arise from the skew between permission validity periods and actual access. This is a recommended area of exploration for additional UMA token profiles that can effect higher levels of technical trust in order to rely less on business trust. |
Trust Relationships Involving the Authorization API Token
This is the set of trust relationships that govern the authorization process. These trust relationships reflect how the requesting party goes from untrusted to trusted for a particular scope of access, as far as the AM operator (acting as a proxy for the authorizing user) is concerned. Many of these trust relationships depend on the authorizing user's expression of various preferences and instructions through a user interface, or on the requesting party's actions, and to this extent, they have a subjective component.
TR ID |
Expecting party |
Responsible party |
Contextual parties |
Expected behavior of responsible party |
When TR is formed |
Protocol spec section |
Comments |
11 |
AM operator |
Requesting party |
(none) |
Truthfully supply any self-asserted claims required for access authorization at this AM. |
When the AM issues an authorization API token. |
3.4.3 |
Later in Phase 2, the requesting party may be asked to provide claims to support authorization processes at this AM, for accessing all resources protected by this AM, managed by any authorizing users. This is why this TR is formed outside of the context of any specific host operator or authorizing user. The requesting party's responsibility to provide truthful claims in all these cases begins now. The requesting party can revoke this relationship by revoking the AAT. |
12 |
Requesting party |
AM operator |
(none) |
Request only claims that support the purpose of satisfying the user's policy. |
When the the AM issues an authorization API token. |
3.4.3 |
Later in Phase 2, the AM may ask the requesting party to provide claims for specific permission purposes, but its responsibility begins now. The requesting party can revoke this relationship by revoking the AAT. |
13 |
AM operator |
Requesting party |
Host operator |
Truthfully supply any claims required for access authorization for the requested permission. |
When the requesting party provides claims to satisfy the AM's authorization process. |
3.5 |
Where claims are supplied that can be verified by the AM, the risk imposed by this need for business trust can be reduced. UMA defines an "OpenID Connect claim profile" that provides one way to collect trusted claims from third-party claim providers. |
Trust Relationships Involving the Requester Permission Token
This is the set of trust relationships that govern the actual release of access by the host operator to the requesting party.
TR ID |
Expecting party |
Responsible party |
Contextual parties |
Expected behavior of responsible party |
When TR is formed |
Protocol spec section |
Comments |
14 |
Host operator |
Requesting party |
AM operator |
Represent the legitimate bearer of the requester permission token presented to the host. |
When the AM issues (or re-issues) a requester permission token to the requesting party. |
3.4.4 |
In the case where the "bearer" UMA token profile is being used, the token can't be bound in any meaningful way to the party to whom it was originally issued, so the requesting party takes on the duty of protecting and not maliciously sharing the RPT. This is a recommended area of exploration for additional UMA token profiles that can effect higher levels of technical trust in order to rely less on business trust. For example, a new UMA token profile could mitigate this risk by using digital signatures to test the putative requesting party's right to possess the token. |
15 |
Requesting party |
Host operator |
AM operator |
Give accurate access to the protected resource according to whether the requesting party has permission to do so. |
When the host responds to the requesting party's access request. |
3 |
The host operator, as an autonomous party, carries a great deal of responsibility here to make every effort to grant access where the AM has granted permission. Its interpretation of scopes and permissions is not directly auditable by the requester or AM. Further, issues can arise from the skew between permission validity periods and actual access. This is a recommended area of exploration for additional UMA token profiles that can effect higher levels of technical trust in order to rely less on business trust. |
Change History
| Version |
Date |
Comment |
|
Current Version
(v. 10)
|
May 06, 2012 00:14
|
|
v. 17
|
Aug 26, 2012 19:42
|
|
v. 16
|
May 15, 2012 13:35
|
|
v. 15
|
May 15, 2012 13:35
|
|
v. 14
|
May 11, 2012 12:16
|
|
v. 13
|
May 11, 2012 11:49
|
|
v. 12
|
May 06, 2012 00:18
|
|
v. 11
|
May 06, 2012 00:15
|
|
v. 10
|
May 06, 2012 00:14
|
|
v. 9
|
Apr 20, 2012 16:23
|
|
v. 8
|
Apr 15, 2012 15:10
|
|
v. 7
|
Apr 15, 2012 15:09
|
|
v. 6
|
Apr 15, 2012 15:07
|
|
v. 5
|
Sep 25, 2011 22:00
|
|
v. 4
|
Sep 25, 2011 17:38
|
|
v. 3
|
Sep 25, 2011 16:39
|
|
v. 2
|
Feb 24, 2011 22:49
|
|
v. 1
|
Feb 23, 2011 19:03
|
E-mail
You are viewing an old version of this page. View the current version.
Compare with Current ·
View Page History