idnits 2.17.1 draft-hardjono-oauth-umacore-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 26, 2016) is 3013 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'RFC2119' is defined on line 101, but no explicit reference was found in the text == Unused Reference: 'UMAcore' is defined on line 106, but no explicit reference was found in the text Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Hardjono, Ed. 3 Internet-Draft MIT 4 Intended status: Informational E. Maler 5 Expires: July 29, 2016 ForgeRock 6 M. Machulak 7 Cloud Identity 8 D. Catalano 9 Oracle 10 January 26, 2016 12 User-Managed Access (UMA) Profile of OAuth 2.0 13 draft-hardjono-oauth-umacore-14 15 Abstract 17 User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how 18 resource owners can control protected-resource access by clients 19 operated by arbitrary requesting parties, where the resources reside 20 on any number of resource servers, and where a centralized 21 authorization server governs access based on resource owner policies. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on July 29, 2016. 40 Copyright Notice 42 Copyright (c) 2016 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2.1. Normative References . . . . . . . . . . . . . . . . . . 3 60 2.2. Informative References . . . . . . . . . . . . . . . . . 3 61 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 3 63 1. Introduction 65 User-Managed Access (UMA) is a profile of OAuth 2.0 [OAuth2]. UMA 66 defines how resource owners can control protected-resource access by 67 clients operated by arbitrary requesting parties, where the resources 68 reside on any number of resource servers, and where a centralized 69 authorization server governs access based on resource owner policies. 70 Resource owners configure authorization servers with access policies 71 that serve as asynchronous authorization grants. 73 UMA serves numerous use cases where a resource owner uses a dedicated 74 service to manage authorization for access to their resources, 75 potentially even without the run-time presence of the resource owner. 76 A typical example is the following: a web user (an end-user resource 77 owner) can authorize a web or native app (a client) to gain one-time 78 or ongoing access to a protected resource containing his home address 79 stored at a "personal data store" service (a resource server), by 80 telling the resource server to respect access entitlements issued by 81 his chosen cloud-based authorization service (an authorization 82 server). The requesting party operating the client might be the 83 resource owner, where the app is run by an e-commerce company that 84 needs to know where to ship a purchased item, or the requesting party 85 might be resource owner's friend who is using an online address book 86 service to collect contact information, or the requesting party might 87 be a survey company that uses an autonomous web service to compile 88 population demographics. A variety of use cases can be found in 89 [UMA-usecases] and [UMA-casestudies]. 91 Please see for the full UMA-Core 1.0 Specification for a complete 92 description of UMA Core. 94 2. References 96 2.1. Normative References 98 [OAuth2] Hardt, D., "The OAuth 2.0 Authorization Framework", 99 October 2012, . 101 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 102 Requirement Levels", BCP 14, RFC 2119, 103 DOI 10.17487/RFC2119, March 1997, 104 . 106 [UMAcore] Hardjono, T., Maler, E., Machulak, M., and D. Catalano, 107 "User-Managed Access (UMA) Profile of OAuth 2.0 Version 108 1.0.1", December 2015, 109 . 112 2.2. Informative References 114 [UMA-casestudies] 115 Maler, E., "UMA Case Studies", April 2014, 116 . 119 [UMA-usecases] 120 Maler, E., "UMA Scenarios and Use Cases", October 2010, 121 . 124 Authors' Addresses 126 Thomas Hardjono (editor) 127 MIT 129 Email: hardjono@mit.edu 131 Eve Maler 132 ForgeRock 134 Email: eve.maler@forgerock.com 136 Maciej Machulak 137 Cloud Identity 139 Email: maciej.machulak@cloudidentity.co.uk 140 Domenico Catalano 141 Oracle 143 Email: domenico.catalano@oracle.com