UMA Implementer's Guide

Abstract

This document is a non-normative set of auxiliary material produced by the User-Managed Access Work Group. It records advice to and discussions relevant to developers of UMA-conforming software systems, services, and applications.

Status

This document is currently under active development.

Editors
Intellectual Property Notice

The User-Managed Access Work Group operates under Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND) (HTML version) and the publication of this document is governed by the policies outlined in this option.




Introduction



Organizations as Resource Owners and Requesting Parties

TBS - when two-legged pattern for PAT/AAT (client credentials) is appropriate; autonomous web service clients


Managing Resource Registration Revisions

Regarding the resource set registration API, when using NoSQL databases it is common practice to replicate the entity tag (ETag HTTP header) revision information in the body of the response message as well, in a _rev property. The API does not mandate this property, however.


Handling Ignored Parameters

TBS - reporting which params ignored for auditing purposes


Giving Non-RPT-Bearing Clients Success Responses

TBS - what to do when responding with other than a 403


Redirects

If the client is concerned that the ticket value could be substituted (HTTP parameter substitution) after an end-user requesting party is redirected back from claims gathering, it can verify that the ticket it originally sent to the authorization server is the same value the authorization server subsequently returns. To perform this check in a stateless fashion, the client can carry the ticket value in the state parameter, ideally in encrypted form, and compare the two values on receiving the authorization server's response.
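The check described above, as an added example in Go that is not code from the UMA specifications or from any UMA implementation: the client seals the ticket into the state value with AES-GCM under a client-held key before redirecting, and on the redirect back opens the state and compares the sealed ticket with the ticket the authorization server returned. The key and the ticket value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"io"
)
// Client-held secret that seals the ticket into the state value (constructed
// for this example; a real client loads it from configuration).
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// makeState seals the ticket into an opaque state value (AES-GCM both hides
// and integrity-protects it) that the client sends with its redirect to the AS.
func makeState(key, ticket []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", err }
	sealed := gcm.Seal(nonce, nonce, ticket, nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// verifyTicket opens the state echoed back by the AS and reports whether the
// ticket it carried equals the returned ticket; a tampered state yields an error.
func verifyTicket(key []byte, state string, returnedTicket []byte) (bool, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil { return false, err }
	gcm, err := newGCM(key)
	if err != nil { return false, err }
	if len(sealed) < gcm.NonceSize() { return false, io.ErrUnexpectedEOF }
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	original, err := gcm.Open(nil, nonce, ct, nil) // fails on any modification
	if err != nil { return false, err }
	return subtle.ConstantTimeCompare(original, returnedTicket) == 1, nil
}

func main() {
	state, _ := makeState(key, []byte("ticket-abc123")) // constructed sample ticket
	fmt.Println(verifyTicket(key, state, []byte("ticket-abc123"))) // true <nil>
}
```

A substituted ticket is reported as a mismatch (false) and a modified state value fails GCM authentication and is rejected with an error rather than compared.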


Change History