Comments on: Where web and enterprise meet on user-managed access http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/ Tangled musings on identity, privacy, trust, and suchlike Sat, 08 Oct 2011 19:31:02 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: links for 2010-08-01 • Bare Identity http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/comment-page-1/#comment-286539 links for 2010-08-01 • Bare Identity Mon, 02 Aug 2010 00:03:37 +0000 http://www.xmlgrrl.com/blog/?p=2559#comment-286539 [...] Where web and enterprise meet on user-managed access | Pushing String (tags: uma identity authorization evemaler) [...] [...] Where web and enterprise meet on user-managed access | Pushing String (tags: uma identity authorization evemaler) [...]

]]> By: Eve M. http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/comment-page-1/#comment-285778 Eve M. Tue, 20 Jul 2010 03:32:59 +0000 http://www.xmlgrrl.com/blog/?p=2559#comment-285778 At the UMA table we're trying to address at least some of this, e.g., with the notion of a "resource registration API" and with user-dictated policy that in many cases can be enforced without the user being around, but indeed it's tricky... At the UMA table we’re trying to address at least some of this, e.g., with the notion of a “resource registration API” and with user-dictated policy that in many cases can be enforced without the user being around, but indeed it’s tricky…

]]> By: Saqib Ali http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/comment-page-1/#comment-285773 Saqib Ali Tue, 20 Jul 2010 00:32:50 +0000 http://www.xmlgrrl.com/blog/?p=2559#comment-285773 Eve, I like how you make the distinction between business-level problem vs. technical problem. Like you said, relying parties (3rd party app vendors) would like as much access as possible. But I also think that the technological solutions (for e.g. OAuth) should default to user's predefined settings regardless of how the service provider sets up the Authorization. Unless I am missing something, I am not seeing this being addressed anywhere. Saqib Eve,

I like how you make the distinction between business-level problem vs. technical problem. Like you said, relying parties (3rd party app vendors) would like as much access as possible. But I also think that the technological solutions (for e.g. OAuth) should default to user’s predefined settings regardless of how the service provider sets up the Authorization. Unless I am missing something, I am not seeing this being addressed anywhere.

Saqib

]]> By: Eve http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/comment-page-1/#comment-285752 Eve Mon, 19 Jul 2010 17:00:58 +0000 http://www.xmlgrrl.com/blog/?p=2559#comment-285752 Hi Saqib-- Thanks for your thoughtful comment. There is a business-level problem here (relying parties would prefer getting as much access as possible), and also a technical problem (defining "scope" of access in an interoperable way is hard, as evidenced by the OAuth group's decision to punt on semantics for this field). I think UMA should ideally be able to pick up whatever technical solution wins the day, but we did propose a solution to the wider community that relies on "extreme RESTfulness" of the API being accessed to achieve interop. If an API can be described meaningfully as a set of triples of resource URL/HTTP method/semantic, then the first two parts could be encoded (we proposed a JSON format) as a way to ask for and grant that kind of access in an OAuth or UMA ecosystem. It's more wordy than 100% of the OAuth deployments on the planet, but it can at least be consistently applied. So that's the technical problem. My hope is that the business-level problem can be tackled piecemeal at the UMA level by giving users better tools to offer valuable data on their own terms. Changing them from passive to active participants (through the assistance of an AM) should change the incentives a bit. Further thoughts welcome... Hi Saqib– Thanks for your thoughtful comment.

There is a business-level problem here (relying parties would prefer getting as much access as possible), and also a technical problem (defining “scope” of access in an interoperable way is hard, as evidenced by the OAuth group’s decision to punt on semantics for this field).

I think UMA should ideally be able to pick up whatever technical solution wins the day, but we did propose a solution to the wider community that relies on “extreme RESTfulness” of the API being accessed to achieve interop. If an API can be described meaningfully as a set of triples of resource URL/HTTP method/semantic, then the first two parts could be encoded (we proposed a JSON format) as a way to ask for and grant that kind of access in an OAuth or UMA ecosystem. It’s more wordy than 100% of the OAuth deployments on the planet, but it can at least be consistently applied.

So that’s the technical problem. My hope is that the business-level problem can be tackled piecemeal at the UMA level by giving users better tools to offer valuable data on their own terms. Changing them from passive to active participants (through the assistance of an AM) should change the incentives a bit.

Further thoughts welcome…

]]> By: Saqib Ali http://www.xmlgrrl.com/blog/2010/07/18/where-web-and-enterprise-meet-on-user-managed-access/comment-page-1/#comment-285750 Saqib Ali Mon, 19 Jul 2010 16:40:53 +0000 http://www.xmlgrrl.com/blog/?p=2559#comment-285750 Sort of off-topic comment. May be more related to your tweet, "I want to allow most #OAuth connections as read-only; too many want read/write for no good reason. Services, please make this an option!" Recently I have been looking at how Google Apps Marketplace apps utilize OAuth to access user's Google Apps data. It is all or nothing access. Once Google Apps domain administrator adds a Marketplace Apps to the domain, the app gets full access all the data in the <i>entire</i> domain. This kinda worries the Data Custodians, and rightfully so. Here are somethings, if implemented, may calm the fears of the data custodians: 1) Controls to prevent mis-use of this over-reaching authorizations; 2) Granular policy controls, i.e. ability to give read-only access to pre-defined data for users who will be using the apps; 3) A view into detailed logs of access and audit logs; 4) Anomaly detection system. I am not sure how UMA can help in this area, but would like to hear your thoughts. Saqib Sort of off-topic comment. May be more related to your tweet, “I want to allow most #OAuth connections as read-only; too many want read/write for no good reason. Services, please make this an option!”

Recently I have been looking at how Google Apps Marketplace apps utilize OAuth to access user’s Google Apps data. It is all or nothing access. Once Google Apps domain administrator adds a Marketplace Apps to the domain, the app gets full access all the data in the entire domain. This kinda worries the Data Custodians, and rightfully so.

Here are somethings, if implemented, may calm the fears of the data custodians:

1) Controls to prevent mis-use of this over-reaching authorizations;
2) Granular policy controls, i.e. ability to give read-only access to pre-defined data for users who will be using the apps;
3) A view into detailed logs of access and audit logs;
4) Anomaly detection system.

I am not sure how UMA can help in this area, but would like to hear your thoughts.

Saqib

]]>