First, for those of you who don't know, OAuth 2.0 is a protocol that lets a user authorize one web service to access that user's resources at another web service. For example, it lets a photo printing service fetch photos from Flickr on the user's behalf.
UMA takes the OAuth concept a step further by moving the authorization server to a third party that acts on behalf of the individual. In doing so, UMA takes authorization, which OAuth treats from the resource's perspective, and turns the authorization server into a consent server for users. That's pretty cool. So far we've not had a good inter-site model for handling consent.
Where a typical OAuth 2 deployment combines the user's consent with the resource site's own authorization (the authorization server usually belongs to the site holding the resources), UMA separates the processing of the user's consent from the access decision enforced by the resource server (Flickr, in the example above).
Aside from the benefits Eve describes, here are a couple more things I like about the UMA proposal.
- UMA recognizes that a user's information lives in many places on the Internet, not just at a single identity provider (IdP) or OpenID Provider (OP).
- It supports a federated (multi-domain) model for user authorization that current enterprise policy systems cannot provide.
- It cleanly separates the question of user consent from the resource server's access control policy.
- It becomes possible to handle consent while the individual is offline, because the authorization server evaluates the policy the user set up in advance.
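As an added illustration (not code from this post, nor from the UMA specification), here is a small Python model of the separation described above and of the offline-consent point in the list: the authorization server holds the policy Alice wrote once and decides on her behalf while she is offline, and the resource server only enforces tokens and never sees her policy. The party names, scopes and message names (register, ticket, token, introspect) are constructed for this example and only loosely follow the shape of an UMA exchange; they are not the spec's real endpoints or formats.

```python
"""Toy model of the split UMA makes between a user's consent (decided at a
third-party authorization server) and the resource site's own enforcement.
Constructed illustration only, not an implementation of the UMA spec."""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """The 'consent server'. Holds the policy the resource owner (Alice) set
    once; afterwards it answers requesters on her behalf while she is offline."""
    resources: dict = field(default_factory=dict)  # resource_id -> (rs_name, scopes)
    policies: dict = field(default_factory=dict)   # resource_id -> {requester: scopes}
    tickets: dict = field(default_factory=dict)    # ticket -> (resource_id, scopes asked)
    tokens: dict = field(default_factory=dict)     # token -> (resource_id, scopes granted)

    def register_resource(self, rs_name, resource_id, scopes):
        # The resource server only says what exists and which scopes it supports.
        self.resources[resource_id] = (rs_name, set(scopes))

    def set_policy(self, resource_id, requester, scopes):
        # Alice's consent, recorded as policy for later evaluation without her.
        self.policies.setdefault(resource_id, {})[requester] = set(scopes)

    def issue_ticket(self, resource_id, scopes):
        # Called by the resource server after an unauthorized request. The ticket
        # records what was attempted; it says nothing about whether it is allowed.
        ticket = secrets.token_urlsafe(8)
        self.tickets[ticket] = (resource_id, set(scopes))
        return ticket

    def request_token(self, ticket, requester):
        """Policy evaluation: a token covering only the scopes Alice's policy
        allows this requester, or None if that set is empty."""
        entry = self.tickets.pop(ticket, None)  # tickets are single use
        if entry is None:
            return None
        resource_id, wanted = entry
        allowed = self.policies.get(resource_id, {}).get(requester, set())
        granted = wanted & allowed
        if not granted:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (resource_id, granted)
        return token

    def introspect(self, token):
        return self.tokens.get(token)


@dataclass
class ResourceServer:
    """The site holding the data (Flickr in the post's example). It enforces
    access but never reads Alice's policy; it only asks the AS about tokens."""
    name: str
    auth_server: AuthorizationServer
    photos: dict = field(default_factory=dict)

    def add_photo(self, resource_id, data):
        self.photos[resource_id] = data
        self.auth_server.register_resource(self.name, resource_id, ["view", "download"])

    def get(self, resource_id, scope, token=None):
        """Return ("ok", data) or ("unauthorized", ticket)."""
        if token is not None:
            info = self.auth_server.introspect(token)
            if info is not None and info[0] == resource_id and scope in info[1]:
                return ("ok", self.photos[resource_id])
        return ("unauthorized", self.auth_server.issue_ticket(resource_id, [scope]))


def run_scenario():
    """A print-shop client asks Flickr for Alice's photo; consent is decided at
    the AS from policy Alice set earlier. Returns the outcomes for inspection."""
    alice_as = AuthorizationServer()
    flickr = ResourceServer("flickr", alice_as)
    flickr.add_photo("photo-1", b"constructed-png-bytes")  # constructed sample data
    # Alice consents once, then is offline for everything below.
    alice_as.set_policy("photo-1", "print-shop", ["view"])

    # 1. Client tries with no token: Flickr refuses and hands back a ticket.
    status, ticket = flickr.get("photo-1", "view")
    # 2. Client takes the ticket to Alice's AS, which applies her policy.
    token = alice_as.request_token(ticket, "print-shop")
    # 3. Client retries at Flickr with the token; Flickr checks it with the AS.
    view_status, data = flickr.get("photo-1", "view", token)
    # 4. The same token does not cover "download": new ticket, then denial.
    _, dl_ticket = flickr.get("photo-1", "download", token)
    download_token = alice_as.request_token(dl_ticket, "print-shop")
    # 5. A requester Alice never consented to gets nothing, even for "view".
    _, other_ticket = flickr.get("photo-1", "view")
    stranger_token = alice_as.request_token(other_ticket, "stranger")
    return {
        "first_status": status,
        "view_status": view_status,
        "data": data,
        "download_token": download_token,
        "stranger_token": stranger_token,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is that `ResourceServer` contains no policy at all: swapping Alice's authorization server for a different one changes who decides consent without touching Flickr's enforcement code, which is the separation the post is describing.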
Will this be useful to the enterprise community? As with OAuth, I think so. This is an evolving space to watch.
1 comment:
Phil, thanks as always for your thoughtful comments. I'll share some back just as soon as I'm able. In the meantime, curious folks may want to check out previous writings here.