Tag Archives: Kantara

Wishing you a happy, healthy, user-managed new year

UMA Christmas tree 2010

Thanks to Domenico Catalano (@DomCat) for putting together this lovely and geeky holiday message! And thanks to all the UMAnitarians for their contributions of passion, business problem-solving, and technical know-how to the User-Managed Access work.

The end of 2010 has brought new progress on several fronts. The UMA-friendly Java-based OAuth leeloo implementation was released as open source; we’ve begun solving some hard problems in defining interoperable interfaces between OAuth authorization servers and resource servers; we’ve been teasing out the implications of trusted claims as the basis for user-centric access control; and we saw two significant submissions in response to the UMA validation bounty program. We’re grateful to submitters Cordny Nederkoorn, whose interest in UMA grew as a result of his explorations into cloud identity, and Project hData, a unique and important effort that seeks to make electronic health data amenable to RESTful web app treatment.

We’ve got lots more developments in store for the coming months, and we welcome your involvement. From our Kantara home page you can join the group (no membership fees!), subscribe to our mailing list, and check out the latest news, and don’t forget to follow us on Twitter.

Happy holidays!

UMA validator bounty program announced

Are you a software developer or tester? You might be interested in the new $4000 bounty program just announced by the Kantara Initiative for:

Develop[ing] material that assists in validating the compliance of implemented authorization manager, host, requester, and authorizing user/user agent endpoints to the UMA draft specifications (and their referenced external specifications).

The first deadline, to express submission interest, is November 1 — which happens to be the day we’re hosting a F2F meeting just ahead of IIW.

You can keep an eye on the status of the program at its dedicated UMA wiki page.

UMA meeting co-located with IIW and other news

Thanks to Phil and Kaliya and the gang, I’m happy to say we’re holding an UMA face-to-face meeting at the Computer History Museum on the Monday just prior to IIW XI (pronounced “yewksie”?).

This follows close on the heels of a face-to-face in Paris at the Kantara conference, so I hope we’ll be able to crank through a lot of work in the next few weeks. What work, you ask? We’re shooting for draft completion of some key items in the upper box shown here (click to get to a full-size site-mapped version on our Working Drafts page):

I’ve already gotten several requests for more info about the IIW meeting. These will be working meetings, not public transfer-of-information workshops, and we always welcome new participation. You can become a participant (voting/frequently attending or non-voting/attend at will, totally up to you) by filling out this form. I’ve put up some very preliminary agendas (Paris, Mtn View); they tend to be responsive to work done in weeks prior, so check back.

(UPDATE: There’s no formal registration process for the IIW meeting as long as you’re already signed up as an UMA participant; just send me an RSVP. Contact info is under my Welcome section in the right sidebar.)


Did you know our Newcastle University UMAnitarians have begun open-sourcing their Java implementation? The first big piece from the SMART Project covers UMA-friendly OAuth 2.0 and has the lovely name leeloo. They promise more to come soon, and I bet we’ll see some swank demos at IIW. Check it out!

Personal RFP Model and Information Sharing Report

The Kantara Information Sharing group, led by the intrepid Joe Andrieu and Iain Henderson, has been doing a ton of work to make the business justifications for Vendor Relationship Management scenarios concrete and and the use cases actionable.

The group has two documents out for review, and seeks your input. (I’m really tardy blogging this; comments are due tomorrow, but I’m sure they’d be welcome even coming in a little late…) See Joe’s writeup for document links and descriptions.

Here’s a taste of the pRFP document:

Sally uses a Personal Request for Proposal (pRFP) to solicit offers for, negotiate, and purchase a new car through the MyPal pRFP Broker. She has previously researched her options and made up her mind about the kind of car she wants to buy. She has also secured financing and credentials asserting that fact. Sally’s information is maintained in a personal data store which provides it on demand for use by service providers and vendors. On the Vendor side, Frank at Chryota of London responds to Sally’s Personal RFP (pRFP), using a hands‐on approach that integrates CoL’s CRM system, MyPal, and Chryota Manufacturing’s CRM program HEARING AID, which is managed by Jimmy.

The Info Sharing Report is interesting too, but in a totally different way; it’s chock full of interesting statistics and trends around the cost of acquiring customers and the privacy pitfalls of the current ecosystem.

Check ‘em out, and send in your thoughts.

UMA learns how to simplify, simplify

It seems like a good time to review where we’ve been and where we’re going in the process of building User-Managed Access (UMA).

The introduction to our draft protocol spec reads:

The User-Managed Access (UMA) 1.0 core protocol provides a method for users to control access to their protected resources, residing on any number of host sites, through an authorization manager that makes access decisions based on user policy.

For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a “personal data store” service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager). The requesting party might be an e-commerce company whose site is acting on behalf of the user himself to assist him in arranging for shipping a purchased item, or it might be his friend who is using an online address book service to collect addresses, or it might be a survey company that uses an online service to compile population demographics.

While this introduction hasn’t changed much over time, the UMA protocol itself has undergone a number of changes, some of them dramatic. The changes came from switching “substrates”, partly in response to the recent volatility that has entered the OAuth world with the introduction of WRAP and partly in an ongoing effort to make everything simpler.

Here’s an attempt to convey the once and future UMA-substrate picture:

uma-history

Back in the days of ProtectServe, we did try to use “real OAuth” to associate various UMA entities, but in one area we “cheated” (that is, used something OAuth-ish but not conforming) to get protocol efficiencies and to ensure the privacy of the authorizing user. Hence the wavy line.

Once the UMA effort started in earnest at Kantara, we discovered a way to use three instances of “real OAuth” instead, and decided to (as we thought of it) “get out of the authentication business” entirely — thus theoretically allowing people to build UMA implementations on top of OAuth as a fairly thin shim. However, the trick we had discovered to accomplish this, along with (it must be admitted) an over-enthusiasm for website metadata discovery loops, made the spec pretty dense and hard to understand and we weren’t satisfied with that either.

As of last week, we have moved to a WRAP substrate on an interim basis, and that approach is what’s in our spec now. Although WRAP’s entities sound an awful lot like UMA’s entities (authorization manager/authorization server, host/protected resource, requester/client, authorizing user/resource owner), it took us a while to disentangle the different use cases and motivations that drove the development of each set, and in retrospect I’m glad we don’t have the same exact language. It allows us to have a meaningful conversation about the ways in which WRAP can gracefully assume a “plumbing” role for UMA (and other) use cases, and the ways in which we need to extend and profile it.

Here’s a diagram that summarizes the current state of the UMA protocol and the role(s) WRAP plays in it (click to enlarge):

UMA protocol summary

Given our use cases, it pretty much flows naturally, and it solves the problems we were previously tying ourselves in knots over. (Do check out the details if you have that sort of inquiring mind. Though reading our spec now benefits from an existing understanding of the WRAP paradigm — we plan to add more detail to make it stand better on its own — it’s now a lot more to-the-point.)

So all in all, I’m very pleased about our direction, and about the increasing interest we’re seeing from all over the place. But we’re not there yet, and it’s partly because over at the IETF they’re still working on OAuth Version 2.0, and that’s what we’re really after. We have been active in contributing use cases and feedback to the OAuth WG, and I think next week’s meeting at IETF 77 will be productive for all.


Come to the Kantara UMA workshop at the beginning of the European Identity Conference on May 4! (fixed; used to say May 3)


Though UMA isn’t fully incubated yet, it also seems like a good time to give a shout-out to all the UMAnitarians (join us… don’t be afraid…) who are helping with the process, with special thanks to our leadership team: Paul Bryan, Domenico Catalano, Maciej Machulak, Hasan ibne Akram, and Tom Holodnik.

Discovery and OAuth and UMA – oh my

If you saw the ProtectServe status update from the Internet Identity Workshop in May, but haven’t taken a look since then, you’ll want to check out our progress on what has become User-Managed Access (“UMA”, pronounced like the actress…).

The proposition still centers on helping individuals gain better control of their data-sharing online, along with making it easier for identity-related data to live where it properly should — rather than being copied all over the place so that all the accuracy and freshness leaks out.

On our wiki you’ll now find a fledgling spec that profiles OAuth and its emerging discovery mechanisms XRD and LRDD. We’re also starting to collect a nice little bunch of diagrams and such, to help people understand what we’re up to. Click on the authorization flowchart to get to our “UMA Explained” area:

Access flowchart

Thanks to the Kantara Initiative participation rules, it’s easy and free to join the UMA group. If you’re interested to contribute use cases or thoughts on design or implementation talents, consider coming on board.

ProtectServe news: User-Managed Access group

After a few weeks’ worth of charter wrangling, I’m delighted to announce the launch of a new Kantara Initiative work group called User-Managed Access (UMA). Quoting some text from the charter that may sound familiar if you’ve been following the ProtectServe story:

The purpose of this Work Group is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.

Quite a few folks have expressed strong interest in using this work to solve their use cases and in implementing the protocol (speaking of which, sincere thanks to the dozen-plus people who joined with me in proposing the group). With a basic design pattern that is as generative as ProtectServe seems to be, and with the variety of communities we’ll need to engage, it could be tricky to stay focused on a core set of scenarios and solutions, but I intend to work hard to do just that. Better to boil a small pond than…well, you know. Stay tuned for more thoughts on how I think we can accomplish this.

If you’d like to contribute to the continuing adventures of ProtectServe, please check out the User-Managed Access WG charter and join up! Here’s where to go to subscribe to the wg-uma list, which is read-only by default, and to become an official participant in the group, which gains you list posting privileges. (In case you’re wondering, there is no fee whatsoever for Kantara group participation.)

By the end of this week we’ll start using the list to figure out a first-telecon time slot, and I’ll provide updates on various group milestones here. If you’ve got any questions at all, feel free to drop me a line.