Child pages
  • Simple Access Authorization Claims

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Abstract

This document uses the Claims 2.0

...

specification

...

to

...

define

...

a

...

small

...

set

...

of

...

basic

...

claims

...

to

...

be

...

used

...

in

...

the

...

process

...

of

...

User-Managed

...

Access

...

(UMA)

...

access

...

authorization.

...

...

Status

...

This document is a product of the User-Managed

...

Access

...

Work

...

Group

...

.

...

It

...

is

...

currently

...

under

...

active

...

development.

...

Its

...

latest

...

version

...

can

...

always

...

be

...

found

...

here

...

.

...

See

...

the

...

Change

...

History

...

at

...

the

...

end

...

of

...

this

...

document

...

for

...

its

...

revision

...

number.

...

This

...

document

...

is

...

intended

...

to

...

be

...

experimental,

...

and

...

it

...

may

...

be

...

superseded

...

at

...

any

...

time

...

by

...

a

...

more

...

formal

...

or

...

more

...

comprehensive

...

set.

...

...

Editors

...

  • Eve Maler
  • Paul C. Bryan

...

Intellectual Property Notice

...

The User-Managed Access Work Group operates under Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) and the publication of this document is governed by the policies outlined in this option.

...

Table of Contents

Table of Contents
minLevel1
maxLevel3
outlinetrue
indent20px

...

Introduction

Wiki Markup
This document uses the Claims 2.0 (\[[Claims20|#Claims20]]) specification to define a small set of basic claims to be used in the process of User-Managed Access (UMA) access authorization.  UMA uses claims in its process of negotiation for access authorization, in which an authorization manager can require a requester to convey claims on behalf of a requesting party in order to satisfy the polices of an authorizing user.

...

Terminology

scope:

...

The

...

particular

...

protected

...

resource(s)

...

and

...

method(s)

...

of

...

access

...

being

...

sought

...

by

...

the

...

requester

...

in

...

approaching

...

the

...

authorization

...

manager

...

for

...

an

...

access

...

token.

...

...

Claim Format:

...

Requesting

...

Party

...

Policy

...

URL:

...

http://c2.io/req-party-policy

...

Image Added

This

...

claim

...

conveys

...

a

...

URL

...

whose

...

resource

...

representation

...

is

...

a

...

persistent

...

record

...

of

...

the

...

set

...

of

...

policies

...

the

...

requesting

...

party

...

promises

...

to

...

adhere

...

to

...

for

...

the

...

current

...

scope

...

of

...

access.

...

The

...

policy

...

may

...

include

...

privacy,

...

data

...

protection,

...

purpose,

...

data

...

portability,

...

copyright

...

licensing

...

of

...

posted

...

data,

...

or

...

any

...

other

...

relevant

...

policy,

...

and

...

may

...

be

...

in

...

a

...

natural

...

language

...

or

...

may

...

be

...

machine-readable.

...

Claims-Requested

...

Form

...

The

...

claims-requested

...

form

...

MAY

...

contain

...

a

...

template

...

requiring

...

one

...

or

...

more

...

issuer

...

attributes.

...

The

...

value

...

attribute

...

for

...

the

...

claims-requested

...

object

...

contains

...

an

...

object

...

as

...

follows:

...

{

Name

Value

Description

"policy"

URL (MAY use wildcard and option conventions)

A template for a URL representing the policies to which the requesting party is promising to adhere. If a literal string is provided, requires the requesting party to promise to adhere to a specific set of policies.

}

The following example causes the authorization manager to request a claim from the requester that allows the requesting party to select whatever policy it wants, as long as a persistent URL can be provided for it:

Code Block
 
{ 
  "http://c2.io/claims-requested": [ 
    { 
      "type": "http://c2.io/req-party-policy", 
        "value": { 
          "policy": "*"
        } 
    } 
  ] 
} 
{code}

The

...

following

...

example

...

causes

...

the

...

authorization

...

manager

...

to

...

request

...

a

...

claim

...

from

...

the

...

requester

...

that

...

requires

...

the

...

requesting

...

party

...

to

...

agree

...

to

...

the

...

authorizing

...

user's

...

chosen

...

policy,

...

by

...

virtue

...

of

...

dictating

...

the

...

policy

...

URL

...

string:

...

}
Code Block
 
{ 
  "http://c2.io/claims-requested": [ 
    { 
      "type": "http://c2.io/req-party-policy", 
      "value": { 
        "policy": "http://creativecommons.org/licenses/by/2.0/deed.en"
      } 
    } 
  ] 
} 
{code} 

h2. Claims Form

The claims form MAY contain an issuer attribute (and may be required to contain one if the claims-requested form requires it).  The value attribute for the claims object contains an object as follows:

{ 
|| Name || Value || Description || 
| {{"policy"}} | _URL_ | A URL representing the policies to which the requesting party is promising to adhere. | 
} 

The following example represents a claim conveyed by the requester that indicates the requesting party promises to adhere to the policy persistently found at the supplied policy URL:

{code}

Claims Form

The claims form MAY contain an issuer attribute (and may be required to contain one if the claims-requested form requires it). The value attribute for the claims object contains an object as follows:

{

Name

Value

Description

"policy"

URL

A URL representing the policies to which the requesting party is promising to adhere.

}

The following example represents a claim conveyed by the requester that indicates the requesting party promises to adhere to the policy persistently found at the supplied policy URL:

Code Block
 
{ 
  "http://c2.io/claims": [ 
    { 
      "type": "http://c2.io/req-party-policy", 
        "value": { 
          "policy": "http://creativecommons.org/licenses/by/2.0/deed.en"
        } 
    } 
  ] 
} 
{code}

---- 
h1. Claim 

...

Claim Format:

...

Self-Asserted

...

Requesting

...

Party

...

Identifier

...

URL:

...

http://c2.io/self-id

...

Image Added

This

...

claim

...

conveys

...

a

...

string

...

that

...

the

...

requesting

...

party

...

wishes

...

to

...

use

...

to

...

identify

...

itself/himself/herself

...

to

...

the

...

authorization

...

manager

...

and

...

authorizing

...

user

...

for

...

the

...

current

...

scope

...

of

...

access.

...

The

...

string

...

is

...

self-asserted.

...

Note:

...

Such

...

a

...

label

...

may

...

be

...

useful

...

in

...

audit

...

logs

...

and

...

in

...

notifying

...

authorizing

...

users

...

about,

...

and

...

requesting

...

consent

...

to,

...

certain

...

kinds

...

of

...

access

...

requests

...

in

...

real

...

time.

...

Typically

...

a

...

self-asserted

...

identifier

...

is

...

inappropriate

...

for

...

high-sensitivity

...

access.

...

Claims-Requested

...

Form

...

The

...

claims-requested

...

form

...

MUST

...

NOT

...

contain

...

a

...

template

...

requiring

...

one

...

or

...

more

...

issuer

...

attributes.

...

The

...

value

...

attribute

...

for

...

the

...

claims-requested

...

object

...

contains

...

an

...

object

...

as

...

follows:

...

{

Name

Value

Description

"self-id"

...

string (MAY

...

use

...

wildcard

...

and

...

option

...

conventions)

...

A

...

template

...

for

...

a

...

string

...

representing

...

an

...

identifier

...

the

...

requesting

...

party

...

has

...

chosen

...

to

...

use.

...

}

The following example causes the authorization manager to request a claim from the requester that requires the requesting party to provide a self-asserted identifier of its choice:

Code Block
{ 
  "http://c2.io/claims-requested": [ 
    { 
      "type": "http://c2.io/self-id", 
        "value": { 
          "self-id": "*"
        } 
    } 
  ] 
} 
{code}

h2. Claims Form

The claims form MUST NOT contain an issuer attribute.  The value attribute for the claims object contains an object as follows:

{ 
|| Name || Value || Description || 
| {{"self-id"}} | _string_ | A string representing an identifier the requesting party has chosen to use. | 
} 

The following example represents a claim conveyed by the requester that indicates the requesting party promises to adhere to the policy persistently found at the supplied policy URL:

code}

Claims Form

The claims form MUST NOT contain an issuer attribute. The value attribute for the claims object contains an object as follows:

{

Name

Value

Description

"self-id"

string

A string representing an identifier the requesting party has chosen to use.

}

The following example represents a claim conveyed by the requester that provides the self-asserted identifier the requesting party has chosen to use:

Code Block
{ 
  "http://c2.io/claims": [ 
    { 
      "type": "http://c2.io/self-id", 
        "value": { 
          "self-id": "BelleCare Dental of Bellevue, WA, USA"
        } 
    } 
  ] 
} 

{code}

---- 
h1. References 

{anchor:Claims20}

...

References

Wiki Markup
<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="0b78c718-a222-4303-8f23-f1d0ce33b040"><ac:parameter ac:name="">Claims20</ac:parameter></ac:structured-macro>*\[Claims20]* \\ 
http://kantarainitiative.org/confluence/display/uma/Claims+2.0

...

...

Anchor
change-history
change-history

...

Change

...

History

...

Change History

...