authorizing user: An UMA-defined variant of an [OAuth20] resource owner; a web user who configures an authorization manager with policies that control how it makes access decisions when a requester attempts to access a protected resource at a host.
authorization manager (AM): An UMA-defined variant of an [OAuth20] authorization server that carries out an authorizing user's policies governing access to a protected resource.
protected resource: An access-restricted resource at a host.
host: An UMA-defined variant of an [OAuth20] resource server that enforces access to the protected resources it hosts, as decided by an authorization manager.
token validation URL: The URL at an authorization manager that a host can use to validate an access token.
claim: A statement (in the sense of [IDCclaim]). Claims are conveyed by a requester on behalf of a requesting party to an authorization manager in an attempt to satisfy an authorizing user's policy.
requester: An UMA-defined variant of [OAuth20] client that seeks access to a protected resource.
requesting party: A web user, or a corporation (or other legal person), that uses a requester to seek access to a protected resource.
Requirements for the resource owner
- The resource owner MUST be able to choose a different AM for each Host
- (The resource owner MUST be able to choose a different AM for each protected resource)
Requirements for the protected resource
The protocol is divided into three parts:
- The introduction of the Host and Authorization Manager
- The retrieval of an Access Token for a Host by a Requester
- The access to the Protected Resource on the Host by the Requester
The first step is only needed once per Host and Authorization Manager. In this step the resource owner decides which AM is handling access to the protected resource on that Host. The resource owner can either choose
A resource owner who has a protected resource on a host decides that access to this resource is managed by the AM of their choice.
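The three parts listed above, simulated end to end as an added example (not code from the UMA specification or any implementation): the host is introduced to the AM once, the requester obtains a token by presenting claims against the authorizing user's policy, and the host validates the token with the AM before releasing the resource. All names, the policy format, and the in-memory "token validation URL" call are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class AuthorizationManager:
    """Carries out the authorizing user's policies; issues and validates access tokens."""
    hosts: set = field(default_factory=set)          # hosts introduced to this AM (part 1)
    policies: dict = field(default_factory=dict)     # (host, resource) -> claims required
    tokens: dict = field(default_factory=dict)       # token -> (host, resource) it is bound to

    def introduce_host(self, host_id):
        """Part 1: done once per host/AM pair, at the resource owner's request."""
        self.hosts.add(host_id)

    def set_policy(self, host_id, resource, required_claims):
        """Authorizing user configures the policy that gates one protected resource."""
        self.policies[(host_id, resource)] = required_claims

    def issue_token(self, host_id, resource, claims):
        """Part 2: requester conveys claims on behalf of a requesting party."""
        required = self.policies.get((host_id, resource))
        if host_id not in self.hosts or required is None:
            return None                              # unknown host or unmanaged resource
        if any(claims.get(k) != v for k, v in required.items()):
            return None                              # policy not satisfied
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (host_id, resource)     # token is bound to host and resource
        return token

    def validate_token(self, token, host_id, resource):
        """Stands in for the token validation URL the host calls."""
        return self.tokens.get(token) == (host_id, resource)

class Host:
    """Enforces access to its resources as decided by the AM the owner chose."""
    def __init__(self, host_id, am):
        self.host_id, self.am, self.resources = host_id, am, {}
        am.introduce_host(host_id)

    def access(self, resource, token):
        """Part 3: release the resource only after the AM confirms the token."""
        if resource not in self.resources or not self.am.validate_token(token, self.host_id, resource):
            return None
        return self.resources[resource]

def demo():
    am = AuthorizationManager()                      # constructed sample, hypothetical names
    host = Host("photos.example", am)
    host.resources["/album/42"] = "album contents"
    am.set_policy("photos.example", "/album/42", {"email": "bob@example.com"})
    good = am.issue_token("photos.example", "/album/42", {"email": "bob@example.com"})
    denied = am.issue_token("photos.example", "/album/42", {"email": "eve@example.com"})
    return host.access("/album/42", good), denied, host.access("/album/42", "forged-token")
```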