UMA 2.0 Grant for OAuth 2.0 Authorization


UMA 2.0 Grant for OAuth 2.0 Authorization (UMAGrant) defines an extension to the OAuth 2.0 Grant Types and provides a means for an OAuth Client, acting on behalf of a Requesting Party, to use a Permission Ticket to request an OAuth 2.0 Access Token for a Protected Resource, asynchronously from the time the Resource Owner authorizes that access.

UMA 2.0 Grant for OAuth 2.0 Authorization defines an extension grant for OAuth 2.0 (RFC 6749). The grant enhances OAuth capabilities in the following ways:

  • The resource owner authorizes protected resource access to clients used by entities that are in a requesting party role. This enables party-to-party authorization, rather than authorization of application access alone.
  • The authorization server and resource server interact with the client and requesting party in a way that is asynchronous with respect to resource owner interactions. This lets a resource owner configure an authorization server with authorization grant rules (policy conditions) at will, rather than authorizing access token issuance synchronously just after authenticating.

For example, bank customer Alice (Resource Owner), whose accounts are held at a bank account service (Resource Server), can use a sharing management service (Authorization Server) hosted by the bank to manage access to her various Protected Resources by her spouse Bob, accounting professional Charline, and bank account aggregation company DecideAccount, each using a different client application, to view account data and to use payment or withdrawal functions.

An OPTIONAL second specification, UMAFedAuthz, defines a means for a UMA-enabled Authorization Server and Resource Server to be loosely coupled, or federated, in a Resource Owner context. The UMA 2.0 Grant for OAuth 2.0 Authorization specification, together with UMAFedAuthz, constitutes UMA 2.0.
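The flow described above, modelled end to end in Python as an added example (not code from the UMA specifications or from any product): the Resource Server challenges Bob's client with a Permission Ticket, the client redeems it at the token endpoint with the uma-ticket grant type, and the Authorization Server evaluates Alice's policy, which she can set or change at any time independently of the request. The grant type URN, the ticket, claim_token and claim_token_format parameters, and the need_info, request_denied and invalid_grant error codes are from the UMA 2.0 Grant specification; the resource id acct-123, the as_uri, the claim_token_format value and the in-memory ticket and policy stores are constructed placeholders.

```python
import re, secrets
from urllib.parse import parse_qs, urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
tickets = {}    # constructed AS state: permission ticket -> (resource id, requested scopes)
policies = {}   # constructed AS state: (resource id, requesting party) -> scopes Alice granted

def grant_access(resource_id, requesting_party, scopes):   # Alice sets policy at will
    policies[(resource_id, requesting_party)] = frozenset(scopes)

def resource_server_challenge(resource_id, scopes):
    """RS: register the attempt at the AS, get a permission ticket, return the 401 challenge."""
    ticket = secrets.token_urlsafe(16)
    tickets[ticket] = (resource_id, frozenset(scopes))
    return f'UMA realm="bank", as_uri="https://as.bank.example", ticket="{ticket}"'

def parse_uma_challenge(www_authenticate):
    """Client: pull realm, as_uri and ticket out of the WWW-Authenticate value."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def build_token_request(ticket, claim_token=None):
    """Client: form body POSTed to the AS token endpoint (a username stands in for a claim token)."""
    form = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
    if claim_token is not None:
        form["claim_token"] = claim_token
        form["claim_token_format"] = "urn:example:username"   # constructed format identifier
    return urlencode(form)

def token_endpoint(body):
    """AS: redeem the ticket against Alice's policy and issue an RPT or a UMA error code."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    entry = tickets.pop(form.get("ticket", ""), None)   # tickets are single use
    if form.get("grant_type") != UMA_TICKET_GRANT or entry is None:
        return {"error": "invalid_grant"}
    if "claim_token" not in form:
        return {"error": "need_info"}   # AS cannot yet tell who the requesting party is
    resource_id, wanted = entry
    granted = policies.get((resource_id, form["claim_token"]), frozenset())
    if not wanted <= granted:
        return {"error": "request_denied"}
    rpt = secrets.token_urlsafe(24)
    return {"access_token": rpt, "token_type": "Bearer", "scope": " ".join(sorted(wanted))}

def requesting_party_flow(requesting_party, resource_id, scopes):
    """Bob's client end to end: get challenged by the RS, then redeem the ticket at the AS."""
    challenge = parse_uma_challenge(resource_server_challenge(resource_id, scopes))
    return token_endpoint(build_token_request(challenge["ticket"], requesting_party))
```

Run requesting_party_flow("bob", "acct-123", ["view"]) before and after grant_access("acct-123", "bob", ["view"]) to see the same request go from request_denied to a Bearer RPT without the client changing anything.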
