
UMA Introduction

This session ended up being an introduction to the UMA 2 spec for a small group of people that hadn't heard of it, or hadn't dived very deep into it before.

We started off with the UMA flow, which was eventually drawn out as:

  1. The RO (Alice) starts using the RS with the AS for controlling access to resources, so that RS acquires a PAT (protection API access token) at the AS for the RO.
  2. The RO creates a resource at the RS.
  3. The RS registers that resource at the AS.
  4. The AS returns an ID for the resource and (optionally, and in the case of AM) a URI at which the RO can set policy.

Some time later...

  1. The RqP (Bob) uses the Client to attempt to access the resource at the RS
  2. The RS finds the request to be insufficient to give access, so it requests a ticket from the AS for the resource ID + some scope
  3. The AS returns the ticket
  4. The RS returns the ticket, along with details of where the AS can be found, to the Client
  5. The Client approaches the AS with the ticket using the UMA OAuth 2 grant type
  6. The AS evaluates policy on the resource
  7. The AS finds the request to be insufficient to grant a token, so the AS, Client and (optionally) the RqP interact with one another in order to agree sufficient claims for the RqP's identity
  8. The AS re-evaluates policy
  9. The AS grants a token
  10. The Client presents the token with the original request to the RS
  11. The RS passes the token to the AS to introspect the scope that has been granted for the resource
  12. The RS returns the resource to the client.
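
The flow above, as an added example that is not part of the session notes or any ForgeRock/Kantara code: a small in-memory authorization server that walks through resource registration, the permission ticket, the need_info round trip, token issuance and introspection. Assumed simplifications: the PAT is a fixed string the RS presents directly, policy is a dict of requesting party to scopes, and the RqP's claims are pushed as a plain dict.

```python
import secrets

# Constructed model of the UMA 2 flow drawn out above (not ForgeRock or Kantara
# code). Assumptions: PATs are fixed strings, policy is requesting party -> scopes.
class AuthorizationServer:
    def __init__(self):
        self.resources, self.tickets, self.tokens = {}, {}, {}
    def register(self, pat, scopes):          # steps 3-4: RS registers a resource
        rid = secrets.token_hex(4)
        self.resources[rid] = {"pat": pat, "scopes": set(scopes), "policy": {}}
        return rid
    def set_policy(self, rid, party, scopes): # RO sets policy at the AS
        self.resources[rid]["policy"][party] = set(scopes)
    def ticket(self, pat, rid, scopes):       # later steps 2-3: permission ticket
        if self.resources[rid]["pat"] != pat:
            raise PermissionError("PAT does not protect this resource")
        t = secrets.token_hex(8)
        self.tickets[t] = (rid, set(scopes) & self.resources[rid]["scopes"])
        return t
    def grant(self, ticket, claims=None):     # steps 5-9: UMA grant at the AS
        rid, wanted = self.tickets.pop(ticket)  # a ticket is single use
        if claims is None:                      # step 7: ask for claims, fresh ticket
            t = secrets.token_hex(8)
            self.tickets[t] = (rid, wanted)
            return {"error": "need_info", "ticket": t}
        granted = wanted & self.resources[rid]["policy"].get(claims["sub"], set())
        if not granted:                         # policy gives this RqP nothing
            return {"error": "request_denied"}
        tok = secrets.token_hex(8)
        self.tokens[tok] = (rid, granted)
        return {"access_token": tok}
    def introspect(self, pat, token):         # step 11: RS checks the RPT
        rid, granted = self.tokens.get(token, (None, set()))
        if rid is None or self.resources[rid]["pat"] != pat:
            return {"active": False}
        return {"active": True, "resource_id": rid, "scopes": sorted(granted)}

def run_flow():
    """Alice shares a resource read-only with Bob; Bob's client asks for more."""
    srv, pat = AuthorizationServer(), "pat-for-alice"     # step 1 (PAT assumed)
    rid = srv.register(pat, ["read", "write"])             # steps 2-4
    srv.set_policy(rid, "bob", ["read"])
    tkt = srv.ticket(pat, rid, ["read", "write"])          # RS denies, gets ticket
    first = srv.grant(tkt)                                 # no claims yet: need_info
    second = srv.grant(first["ticket"], {"sub": "bob"})    # claims pushed, RPT issued
    return srv.introspect(pat, second["access_token"])     # only "read" was granted
```

Note that the client asked for read and write but introspection shows only read: the RS must act on the scopes the AS actually granted, not on what the client requested.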

Use Cases

The session then turned into a discussion of various use cases that UMA might be useful for. These use cases were generally similar to the ForgeRock demos, which can be found at the following links:
