[OAUTH-WG] Seeking feedback on UMA's use of OAuth and discovery mechanisms

Eve Maler <eve@xmlgrrl.com> Tue, 24 November 2009 02:05 UTC

From: Eve Maler <eve@xmlgrrl.com>
Date: Mon, 23 Nov 2009 18:04:43 -0800
To: oauth@ietf.org, oauth@googlegroups.com
Message-Id: <BA53F346-D288-473F-9B71-BC645DEF00D6@xmlgrrl.com>

The User-Managed Access effort[1], previously mentioned on this list as "ProtectServe", intends to solve user-driven permissioning (authorization) problems at Internet scale. It is designed to be modular, and to reuse and profile existing technology as much as possible. Therefore, we have attempted to "stay out of the business of authentication", profiling OAuth lightly in order to do so.

The UMA group would be grateful for your feedback on our intended usage of OAuth and its emerging discovery methods. Details can be found in the worked example in our spec[2]; various explanatory materials about UMA in general are available as well.[3]

Briefly, the UMA protocol has four distinct parties vs. OAuth's three: there's an authorizing user, a consumer/client (which we call a "requester"), an SP/server (which we call a "host"), and an authorization manager. We compose three instances of OAuth to introduce all these parties appropriately to each other: there's user/host/AM (three-legged), requester/host (two-legged), and requester/AM (another two-legged). Because of our goals to allow most of these parties to meet fairly dynamically, we are leaning quite heavily on XRD and LRDD for discovery; various simplifying assumptions could probably be made to simplify this picture, however.

(If you find UMA's use cases and design center interesting, you'd be very welcome at the table.[4])

Thanks,

        Eve
        UMA group chair

[1] http://kantarainitiative.org/confluence/display/uma/Home
[2] http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol
[3] http://kantarainitiative.org/confluence/display/uma/UMA+Explained
[4] http://signup.kantarainitiative.org/?selectedGroup=11


Eve Maler
eve@xmlgrrl.com
http://www.xmlgrrl.com/blog