[WG-UMA] New web sequence diagrams for rev 05a

Eve Maler eve at xmlgrrl.com
Thu Jun 14 13:35:39 EDT 2012


I had occasion to throw these together, and thought they might be helpful. If anyone has suggestions for improvements, give a yell (or, better yet, send out revised versions)... I'll once again start putting links to these on the wiki.

	Eve

===================

Phase 1: http://is.gd/3QXmlP

Source:

title UMA Phase 1 (rev 05a)

participant "Alice" as A
participant "CopMonkey" as AM
participant "MyCalendar" as H

note over A, AM, H
Endpoints:
* Alice = Authorizing user
* CopMonkey = Authorization manager (AM)
* MyCalendar = Host of protected resources
Terminology:
* PAT = OAuth protection API token [Alice, MyCalendar, CopMonkey]
* AAT = OAuth authorization API token [Roger, TripFollwr, CopMonkey]
* RPT = UMA requester permission token [Roger, TripFollwr, MyCalendar, CopMonkey]
end note

A-->H: Please use this AM
H->A: Look up AM config data (2.1)
A->H: AM config data
opt: Host has no client credentials yet (2.2)
H-->A: Get OAuth client credentials
A-->H: OAuth client credentials
end opt
opt: Authorization code flow (could use others)
H->A: Redirect to AM...
A->AM: ...to log in and consent\n(standard OAuth; details elided)
AM->H: Issue PAT (2.3)
end opt

loop: Register resource sets as necessary, in order to protect them
H->AM: Register resource sets and scopes (2.4)
AM->H: Confirm registration etc.
end loop

===================

Phases 2 and 3: http://is.gd/gX35bu

Source:

title UMA Phases 2 and 3 (rev 05a)

participant "Roger" as RU
participant "TripFollwr" as R
participant "CopMonkey" as AM
participant "MyCalendar" as H

note over RU, R, AM, H
Endpoints:
* Roger = Requesting party
* TripFollwr = Requester
* CopMonkey = Authorization manager (AM)
* MyCalendar = Host of protected resources
Terminology:
* PAT = OAuth protection API token [Alice, MyCalendar, CopMonkey]
* AAT = OAuth authorization API token [Roger, TripFollwr, CopMonkey]
* RPT = UMA requester permission token [Roger, TripFollwr, MyCalendar, CopMonkey]
Assumptions:
* This exercises the entire phase 2/3 set of flows, except for an invalid RPT
end note

R->H: Attempt access with no RPT (3.1.1)
H->R: 401 with CopMonkey location (3.1.1)

R->AM: Look up AM config data (3.4.1)
AM->R: AM config data (3.4.1)

R-->AM: Get OAuth client credentials (3.4.2)
AM-->R: OAuth client credentials

R->RU: Redirect to AM... (3.4.3)
RU->AM: ...to log in and consent to use\nthis AM for authorization purposes\n(standard OAuth; details elided) (3.4.3)
AM->R: Issue AAT (3.4.3)

R->AM: Request RPT (3.4.4)
AM->R: RPT (3.4.4)

R->H: Attempt access with RPT (3.1.2)
H->AM: Check token status (3.3.1;\nassumes UMA bearer token)
AM->H: Token status: valid, with current permissions (3.3.1)
H->H: Assess access attempt against\nreturned permissions: insufficient (3.3)
H->AM: Register permission request on TripFollwr's behalf (3.2)
H->R: 403 with CopMonkey location and permission ticket (3.1.2)

R->AM: Request authorization to add permission (3.4.5)
AM->R: Claims-gathering flow (3.5)
R->RU: Redirect to AM... (3.5.1)
RU->AM: ...to provide claims as required by Alice's policy
AM->R: Permission added (3.2)

R->H: Attempt access with RPT (3.1.2)
H->AM: Check token status (3.3.1)
AM->H: Token status: valid, with current permissions (3.3.1)
H->H: Assess access attempt against\nreturned permissions: sufficient (3.3)
H->R: 200: Give access to resource (3.1.3)

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
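The three diagrams above describe one protocol exchange, and it is easier to see why the host consults the AM twice (token status, then permission registration) when all three parties are running side by side. The following Python model walks the phase 1 to 3 sequence exactly as labelled in the diagrams (2.3 issue PAT, 2.4 register resource sets, 3.4.3/3.4.4 issue AAT and RPT, 3.1.1 401, 3.3.1 token status, 3.2 permission registration, 3.1.2 403 with ticket, 3.4.5/3.5 claims gathering, 3.1.3 200). It is an added example, not code from the UMA working group or any UMA implementation: the token values, the dict shapes standing in for JSON, the "as_uri" field name, the single-use ticket, and the claims-matching policy are all assumptions made for illustration. The OAuth front-channel steps are elided, as in the diagrams. Beyond the diagram it also handles the two failure modes the note says are not exercised: an RPT the AM does not recognise (host answers 401) and a requesting party whose claims do not satisfy Alice's policy (permission is not added, so the requester never gets to the 200).

```python
"""Toy model of the UMA rev 05a phase 1-3 exchange (added example, not UMA WG code).
Step numbers in comments are the labels used in the sequence diagrams.
Endpoint names, token formats and policy representation are assumptions."""
import secrets


def new_token():
    return secrets.token_urlsafe(16)


def _check(table, token, kind):
    """Reject a token the AM never issued (stand-in for OAuth bearer checks)."""
    if token not in table:
        raise PermissionError(f"unknown {kind}")


class AuthorizationManager:
    """CopMonkey: issues PAT/AAT/RPT and holds resource sets, permissions, policy."""

    def __init__(self):
        self.pats, self.aats, self.rpts = {}, {}, {}
        self.resource_sets = {}   # rsid -> {"host": name, "scopes": set()}
        self.policy = {}          # rsid -> claims Alice requires (assumed format)
        self.tickets = {}         # permission ticket -> (rpt, rsid, scopes)

    def issue_pat(self, host):                       # 2.3 (OAuth consent elided)
        pat = new_token(); self.pats[pat] = host; return pat

    def register_resource_set(self, pat, scopes, required_claims):   # 2.4
        _check(self.pats, pat, "PAT")
        rsid = new_token()
        self.resource_sets[rsid] = {"host": self.pats[pat], "scopes": set(scopes)}
        self.policy[rsid] = required_claims
        return rsid

    def issue_aat(self, requester):                  # 3.4.3 (OAuth consent elided)
        aat = new_token(); self.aats[aat] = requester; return aat

    def issue_rpt(self, aat):                        # 3.4.4: RPT starts with no permissions
        _check(self.aats, aat, "AAT")
        rpt = new_token(); self.rpts[rpt] = {}; return rpt

    def token_status(self, pat, rpt):                # 3.3.1: host asks about an RPT
        _check(self.pats, pat, "PAT")
        if rpt not in self.rpts:
            return {"valid": False}
        return {"valid": True, "permissions": {k: set(v) for k, v in self.rpts[rpt].items()}}

    def register_permission(self, pat, rpt, rsid, scopes):   # 3.2: host acts for requester
        _check(self.pats, pat, "PAT")
        rs = self.resource_sets[rsid]
        if rs["host"] != self.pats[pat] or not set(scopes) <= rs["scopes"]:
            raise PermissionError("host may only request its own registered scopes")
        ticket = new_token()
        self.tickets[ticket] = (rpt, rsid, set(scopes))
        return ticket

    def request_permission(self, aat, ticket, claims):       # 3.4.5 / 3.5 claims gathering
        _check(self.aats, aat, "AAT")
        rpt, rsid, scopes = self.tickets.pop(ticket)         # ticket is single-use (assumption)
        if any(claims.get(k) != v for k, v in self.policy[rsid].items()):
            return False                                     # Alice's policy not satisfied
        self.rpts[rpt].setdefault(rsid, set()).update(scopes)
        return True


class Host:
    """MyCalendar: protects resources and outsources authorization decisions to the AM."""

    def __init__(self, am, name="MyCalendar"):
        self.am, self.pat, self.resources = am, am.issue_pat(name), {}

    def protect(self, path, data, scopes, required_claims):
        self.resources[path] = (self.am.register_resource_set(self.pat, scopes, required_claims), data)

    def access(self, path, scope, rpt=None):
        """One access attempt; returns (HTTP status, body) per 3.1.x / 3.3."""
        rsid, data = self.resources[path]
        if rpt is None:
            return 401, {"as_uri": "CopMonkey"}                       # 3.1.1
        status = self.am.token_status(self.pat, rpt)                  # 3.3.1
        if not status["valid"]:
            return 401, {"as_uri": "CopMonkey"}                       # invalid RPT (not in diagram)
        if scope in status["permissions"].get(rsid, set()):           # 3.3: sufficient
            return 200, data                                          # 3.1.3
        ticket = self.am.register_permission(self.pat, rpt, rsid, {scope})   # 3.2
        return 403, {"as_uri": "CopMonkey", "ticket": ticket}         # 3.1.2


class Requester:
    """TripFollwr acting for Roger; `claims` is what Roger can assert to the AM."""

    def __init__(self, am, claims):
        self.am, self.claims = am, claims
        self.aat = am.issue_aat("TripFollwr")
        self.rpt = am.issue_rpt(self.aat)

    def fetch(self, host, path, scope):
        """Walk the diagram and return the HTTP statuses seen, in order."""
        seen = [host.access(path, scope)[0]]                          # no RPT yet
        code, body = host.access(path, scope, self.rpt)               # RPT, no permission
        seen.append(code)
        if code == 403 and self.am.request_permission(self.aat, body["ticket"], self.claims):
            seen.append(host.access(path, scope, self.rpt)[0])        # retry with permission
        return seen


if __name__ == "__main__":
    am = AuthorizationManager(); cal = Host(am)
    cal.protect("/alice/cal", "BEGIN:VCALENDAR (constructed)", {"read", "write"},
                {"email": "roger@example.com"})
    print(Requester(am, {"email": "roger@example.com"}).fetch(cal, "/alice/cal", "read"))
    print(Requester(am, {"email": "mallory@example.com"}).fetch(cal, "/alice/cal", "read"))
```

Two points worth noticing in the run: the host never sees Alice's policy or Roger's claims, it only sees the permission set the AM reports for the RPT, which is the separation the diagrams are drawing; and a permission granted for "read" does not satisfy a later "write" attempt, so the 3.2/3.1.2 registration-and-ticket loop runs again per scope.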