Users in control of their data UMA

From IIW

Session Topic: User-Managed Access (UMA) (T2I)

Convener: Eve, Maciek, Lukas


Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Introduction: reasons for user centric privacy management

Current situation: why UMA gives a better solution.

Digital identity management

Online social networking

Vendor relationship management

How to control your data

What is UMA

A web protocol

UMA group

Introducing a new standardised solution

OAuth themes

Password anti-pattern

Access tokens

User managed access

Architecture and protocol

UMA players explanation: user, host, AM, requester

UMA protocol steps

Trusting a token - OAuth workflow, host acting as a client

End point


Q: Who's reliable for the trust relationship?

A: You have to believe that the host will use your AM

Two parties, host and AM, establish a relationship.


  • Alice to Alice sharing
  • Alice to Bob sharing
  • Alice to a company sharing

Mapping transactions and transparency of the protocol

Why is avoidance of encryption a design principle?

Trusting a token - establishing a trust relationship.

Requester application getting a token.

Accessing requested resource - token validation.

Smart AM - static layout

Defining available permissions by host.

Accessing a resource through requester

Issue of displaying permissions. Circles of trust, e.g. in small
business companies. Vertical data. Low assurance for web.

RESTful policy making


n the open web. Making sure to get users simply and quickly.

Different market shares for different AMs

Architectural challenge:
separating hosting the data from authorising the data.

Good feature: the workflow can be triggered by users themselves. If a
user has access to e.g. a particular folder, he or she may also be
interested in accessing other resources and in asking the owner of
the data to grant that access.

OAuth Leeloo and UMAj framework