This page collects our specifications and relevant auxiliary material.
We use https://github.com/xmlgrrl/UMA-Specifications for active spec development, with snapshots provided on the docs.kantarainitiative.org site. The UMA wiki page for the core spec summarizes breaking and notable changes to both the core spec and other normative specs.
The UMA technical specifications have reached Version 1.0 finalization. The normative specs include the final UMA Core V1.0 specification (Kantara Recommendation, IETF I-D rev 13) and the OAuth Resource Set Registration V1.0 specification (Kantara Recommendation, IETF I-D rev 06), dated 4 April 2015. The latter specification was originally derived from UMA design work, but is suitable for use by OAuth and OpenID Connect as well. UMA Core also refers to a Binding Obligations spec that is "contractual" in nature, rather than technical.
The following auxiliary documents are currently non-normative:
- Binding Obligations on User-Managed Access (UMA) Participants (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
- UMA Requirements
- UMA Scenarios and Use Cases
- UMA Case Studies
- Privacy by Design Implications of UMA
- UMA Implementer's Guide
The following documents still available on this wiki are considered obsolete:
- User-Managed Access (UMA) Claim Profiles Framework (latest version, pretty-printed) (most recent IETF I-D, possibly somewhat out of date wrt the KI version)
- Claims 2.0 and Simple Access Authorization Claims (obsoleted by Claim Profiles, itself obsolete)
- Legal Considerations (obsoleted by Binding Obligations)
- Lexicon (obsoleted by the spec itself and Binding Obligations)
- UMA Trust Model (obsoleted by Binding Obligations)
- UMA User Stories (obsoleted by Case Studies)
- OAuth Dynamic Client Registration Protocol (obsoleted by the OAuth WG's own standards-track specification, to which UMA core now refers)
- UMA Resource Registration (obsoleted by the now spun-off OAuth Resource Set Registration spec)