How UMA deals with scopes and authorization

The UMA group has been quite busy of late. Like several other efforts (don’t miss John Bradley’s OpenID ABC post or anything Mike Jones has been blogging in the last few months), we’ve been gearing up for IIW 12 as a great place to try out our newest work, figure out the combinatorial possibilities with all the other new stuff going on, and get feedback.

Newcastle University’s SMART project team will be in Mountain View again, discussing their UMA implementation and UX work. And vice-chair Maciej Machulak and I plan to convene a session to share our draft solution for loosely coupling an OAuth authorization server and resource server to solve for externalized authorization and interoperable scoped access in the UMA context.

Back in February, a bunch of us tried discussing this very subject in Twitter and got pretty far, but it took Paul Madsen to put the whole story together in his blog post Way more than 140. And loving it. Check it out.

Essentially, UMA is choosing to give the host (resource server) more autonomy than it would typically have in a tightly coupled environment, so that it’s not entirely accurate to say it’s a mere policy enforcement point (PEP) and the authorization manager (authz server) is a full policy decision point (PDP). This seems to make good sense in a totally open-Web environment. However, “the full PDP” is an optional feature we could probably add if there’s interest.

The really interesting thing is that, to make externalized authorization work, we’ve had to go “radically claims-based”. The model seems very powerful and generative — it gives the power to upgrade and downgrade granted scopes at will! But it does take a step or two back from pure OAuth 2.0 as a result. This is something I’m keen to discuss with folks in and around IIW; we’ll be presenting these slides to that end.