Thursday, July 8, 2010

UMA and OAuth 2 - First Impressions

I recently attended a briefing by Eve Maler, chair of the UMA Workgroup. As usual, Eve had lots of info to share, and I'd like to pass it on.

First, for those of you who don't know, OAuth 2.0 is a protocol designed to allow people to authorize one web service to access the resources of another web service. For example, allowing a photo printing service to access photos on Flickr.

UMA takes the concept of OAuth a step further and places the authorization server with a third party that works on behalf of an individual. By doing this, UMA takes authorization from a resource perspective and turns it into a consent server for users. That's pretty cool. So far, we've not had a good inter-site model for handling consent.

Where in the typical OAuth 2 deployment, user authorization and resource owner authorization are combined, UMA instead separates the processing of a user's consent from authorizing access by the resource owner (e.g. Flickr).

Aside from the benefits Eve describes, here are a couple more things I like about the UMA proposal.
  1. UMA recognizes that user information exists in many places on the Internet, and not just at a single IdP/OP, etc.
  2. It supports a federated (multi-domain) model for user authorization not possible with current enterprise policy systems.
  3. It's a great way to separate the issue of user consent away from the resource owner's access control policy.
  4. It becomes possible to handle consent when individuals are offline.
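To make the separation in points 3 and 4 concrete, here is a small added example (not code from the post, and not the actual UMA or OAuth 2 message formats) that models the three parties: an authorization server that stores the user's consent policy and answers token requests while the user is offline, and a resource server that keeps its own action-to-scope rules and only asks the authorization server whether a presented token is live and what it covers. All names (alice, printshop, adnetwork, album-42, the `photos:*` scope strings, and the class and method names) are constructed for the illustration.

```python
# Added example: a toy model of the UMA-style split between a user's consent
# server and a resource server. Not the real protocol; constructed for illustration.
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    value: str
    owner: str
    resource_id: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Consent server acting for the user. The owner records a policy once; the
    server evaluates it later, so the owner need not be online for each request."""

    def __init__(self, lifetime_seconds=300):
        self.lifetime = lifetime_seconds
        self._policies = {}   # (owner, resource_id) -> {requesting_party: frozenset(scopes)}
        self._tokens = {}     # token value -> AccessToken

    def set_policy(self, owner, resource_id, requesting_party, scopes):
        key = (owner, resource_id)
        self._policies.setdefault(key, {})[requesting_party] = frozenset(scopes)

    def request_token(self, owner, resource_id, requesting_party, scopes):
        """Issue a token only if the owner's stored policy covers every requested scope."""
        wanted = frozenset(scopes)
        granted = self._policies.get((owner, resource_id), {}).get(requesting_party, frozenset())
        if not wanted or not wanted <= granted:
            return None  # no consent on record, or asking for more than was granted
        token = AccessToken(secrets.token_urlsafe(24), owner, resource_id,
                            wanted, time.time() + self.lifetime)
        self._tokens[token.value] = token
        return token

    def introspect(self, token_value):
        """The resource server's question: is this token live, and what does it cover?"""
        token = self._tokens.get(token_value)
        if token is None or token.expires_at <= time.time():
            return None
        return token


class ResourceServer:
    """Holds the data (think photo host) and its own action-to-scope rules.
    It never sees or stores the user's consent decisions."""

    ACTION_SCOPE = {"view": "photos:read", "delete": "photos:write"}

    def __init__(self, auth_server):
        self._as = auth_server
        self._resources = {}  # resource_id -> (owner, payload)

    def register(self, resource_id, owner, payload):
        self._resources[resource_id] = (owner, payload)

    def handle(self, resource_id, action, token_value):
        """Return (status, payload_or_None) for a request carrying a token."""
        if resource_id not in self._resources:
            return ("not_found", None)
        needed = self.ACTION_SCOPE.get(action)
        if needed is None:
            return ("bad_action", None)
        token = self._as.introspect(token_value)
        if token is None:
            return ("invalid_token", None)
        owner, payload = self._resources[resource_id]
        # A valid token is not enough: it must be bound to this owner's resource.
        if token.owner != owner or token.resource_id != resource_id:
            return ("wrong_resource", None)
        if needed not in token.scopes:
            return ("insufficient_scope", None)
        return ("ok", payload if action == "view" else None)


def run_scenario():
    """Constructed walk-through: alice hosts photos; a print shop wants read access."""
    consent = AuthorizationServer()
    photos = ResourceServer(consent)
    photos.register("album-42", "alice", ["beach.jpg", "hike.jpg"])
    photos.register("album-43", "alice", ["private.jpg"])

    # alice records her consent once, then goes offline.
    consent.set_policy("alice", "album-42", "printshop", {"photos:read"})

    read_tok = consent.request_token("alice", "album-42", "printshop", {"photos:read"})
    write_tok = consent.request_token("alice", "album-42", "printshop", {"photos:write"})
    other_tok = consent.request_token("alice", "album-42", "adnetwork", {"photos:read"})

    return {
        "printshop_view": photos.handle("album-42", "view", read_tok.value),
        "printshop_delete": photos.handle("album-42", "delete", read_tok.value),
        "printshop_other_album": photos.handle("album-43", "view", read_tok.value),
        "write_token_issued": write_tok is not None,
        "adnetwork_token_issued": other_tok is not None,
        "garbage_token": photos.handle("album-42", "view", "not-a-real-token"),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point of the model is where each decision lives: whether the print shop may read the album at all is answered only by the consent server, from a policy alice set while she was online; the photo host still enforces its own rule about which scope each action needs and rejects a token issued for a different album, so the two authorities stay independent.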
The only downside I can see at the moment is that the UMA Authorization server would get to know a lot about its users. What type of organizations would/could successfully offer UMA consent services? Any organization attempting this would have to have a strong privacy brand indeed. Monetizing private information would be a tough sell. Yet would users pay for the service? Anyway, not to worry, I'm sure someone will figure this out soon, if not already.

Will this be useful to the enterprise community? As with OAuth, I think so. This is an evolving space to watch.

1 comment:

Eve M. said...

Phil, thanks as always for your thoughtful comments. I'll share some back just as soon as I'm able. In the meantime, curious folks may want to check out previous writings here.
