User-Managed Access (UMA) Update€¦ · 29/01/2010 · potential user experience... 23 UnSeen...

http://tinyurl.com/uma-wgU AM

User-Managed Access(UMA) Update

29 January 2010Eve Maler, UMA WG Chair

Paul Bryan, UMA WG Vice-Chair and Spec Editor

The UMA WG site will have links to these slides and the webinar recording

1

http://tinyurl.com/uma-wg


http://kantarainitiative.org/


http://kantarainitiative.org/confluence/display/uma/Home
















Topics we’ll cover today

• The problem space

• Introducing UMA

• Next steps

• Technical deep-dive

2



















The “data price” for online service is too high

• Why must we laboriously type the same data over and over?

• Why must we manuallyupdate it in a hundred placeswhen something changes?

• Why must we surrender all thedata requested, under termsfavorable only to the recipient?

• Can we get a global viewof our sharing preferences,patterns, and recipients?

• Can websites give us better service if we trust them enough to give each one more data, selectively?

3



















The classic web-form model

4

site that

consumes data

disclose



















Apps think they “own” something special...but do they?

5




















• We lie (and resent being asked)

Mickey Mouse1060 West Addison StChicago, IL

5




















• We lie (and resent being asked)

Mickey Mouse1060 West Addison StChicago, IL

My Realname123 Realad Dr.#456Chicago, IL

MOVED

5

• The data goes stale



















There’s proofa better way is possible

6




















• Calendar and photo sharing

• With “friends and family” or with specific email addresses

http://www.flickr.com/photos/k6mmc/ | CC BY 2.0

6


















http://www.flickr.com/photos/k6mmc/




• Calendar and photo sharing

• With “friends and family” or with specific email addresses

http://www.flickr.com/photos/k6mmc/ | CC BY 2.0

6

• OAuth-style connections

• To share tweets, geolocations, social graphs, professional associations, health data





















The OAuth model

7

consumerservice

provider

disclose store

authorize



















Forging and managingOAuth connections

8

Fire Eagle executes my sharing policy

Dopplr talks directly to Fire Eagle to get

this



















Privacy is not about secrecy

9

– Ann Cavoukian, Information and Privacy Commissioner of Ontario,Privacy in the Clouds paper

It’s about context, control, choice, and respect

“The goal of a flexible, user-centric identity management infrastructure must be to allow the user to quickly determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be”



















What if...

• You can give prospective employers a set of links to your CV and transcripts, so they see your accomplishments – and you can revoke their access when you land a job?

• You have a “protected inbox” that rejects too-frequent marketing communications from retailers?

• You can offer custom “feeds” of personal data to get personalized user experiences – only to sites that have privacy policies you like?

10



















How can users manage and control lots of connections like these?User-managed access

Dedicated interface and service for:

• Authorizing data sharing and service access

• Imposing sharing terms on any app wanting access

• Monitoring, changing, and stopping access relationships

• Letting services make requests of all of your authoritative sources directly

11

http://www.flickr.com/photos/paraflyer/2749336420/





















The UMA model for relationship management

12



















UMA is...

• A web protocol that lets you control authorization of data sharing and service access made between online services on your behalf

• A Work Group of the Kantara Initiative that is free for anyone to join and contribute to

• A set of draft specifications that is free for anyone to implement

• Heading towards multiple implementation efforts

• Going to be contributed to the IETF

• Striving to be simple, OAuth-based, identifier-agnostic, RESTful, modular, generative, and developed rapidly

13






















http://signup.kantarainitiative.org/?selectedGroup=11


http://kantarainitiative.org/confluence/display/uma/Working+Drafts

http://kantarainitiative.org/confluence/display/uma/Working+Drafts

http://kantarainitiative.org/confluence/display/uma/Implementations

http://kantarainitiative.org/confluence/display/uma/Implementations

http://kantarainitiative.org/confluence/display/uma/UMA+Requirements

http://kantarainitiative.org/confluence/display/uma/UMA+Requirements

http://www.ietf.org/dyn/wg/charter/oauth-charter.html

http://www.ietf.org/dyn/wg/charter/oauth-charter.html


Working through one scenario**See the UMA Scenario document for many more

Selectively share an ever-changing CV with prospective employers

14

UnseenUniversity

BigCo.com CopMonkey

Enforce

Store

AuthorizeGrant Access

ProtectAccess

Authorizing User

Host

Requester AuthorizationManager


















http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases

http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases


UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


Alice Adams chooses to store and maintain her CV at her university

15

The simple CV scenario




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


She introduces the university to her chosen AM for CV protection

(just once)

16



















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


She sets up policies and terms for that CV

at the AM

17




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


She tells a prospective employer where to find

her CV

(just once)

18




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


The prospective employer tries to

retrieve the CV and gets introduced to the AM as

a result

(a one-time event)referral

19




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


referral

20

The prospective employer and the AM negotiate terms for

access

(which can be cached if nothing else changes)




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


21

The prospective employer retrieves the CV, once the AM tells the university it’s okay

to release it

(as often as Alice’s policy allows; the policy can be cached by the

university as long as the AM allows)




















UnseenUniversity

BigCo.Com CopMonkeyRevoke

Authorizing User

Host


✘

22

One day, Alice revokes access, blocking that

employer’s CV access going forward

...sorry, Charlie




















Let’s look at apotential user experience...

23

UnSeen University provides the best studies for the best students

Search

Contact | Jobs | Site Map

Hello AliceChange passwordSettings

© copyright 2004 UnSeen University. All rights reserved.

LEARN MORE >

UnSeen

PostgraduateUndergraduate Manage CV Research

Edit CV Share your CV resources

Privacy Trust Model

Select an Authorization manager to share and protect your online information.

U AM CopMonkey UMA SiteSample AM

Share4Sharedata control

AuthorizeMeShare your Data

University

Update CV Add a new item

CV_Professional_Job BrowseCV name

CV to apply for jobDescription

Ask for Faculty references

Edit CV or CancelUpdate

10.0CopMonkey protects your data

© copyright 2009 CMInc. All rights reserved.

LEARN MORE >

UMA lets an individual control the authorization of data sharing and service access made between online services on the individual's behalf.


User Login

User Name

Password Login

Forgot passwordOpenID Login or IdP

alicea

********

User Profile HostsHome Policy Grant Access

an UMA sample AM

SignUp Protect Resources Grant Access

10.0

© copyright 2009 BigCo.Com. All rights reserved.

LEARN MORE >

1

Service ClientsHome Careers

Search


Applicant Login

User Name

Password Login

Forgot passwordOpenID Login

BigCo.Comthe information and consulting company

Your Business needs more

Our Services

Service #A

Service #B

Service #C

Service #D

SEE OUR SOLUTION >>

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Duis quis pede. Sed mauris. Duis tempor. Curabitur in nibh. Morbi pede.




News02.02.2005

12.27.2004

11.02.2004

10.27.2004

09.15.2004

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Duis quis pede. Sed mauris.Duis tempor. Curabitur in nibh.





MORE NEWS >

From Our Blog

MORE SERVICES >

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Duis quis pede. Sed mauris.Duis tempor. Curabitur in nibh. mm.dd.yyyy





MORE BLOG POSTS >

6.0

BigCo.Com



















Next steps for the UMA work

• Rapidly incubate the specs (with your help)

• And facilitate their testing with multiple independent implementations

• Continue to seek out (your) contributed scenarios and use cases

• And facilitate prototype deployments

• Join us!

24





















Questions beforethe deep-dive?...

25

[email protected] / [email protected]@pbryan.net

Thanks to the Kantara staff and the UMA WG participants, especiallythe rest of our WG leadership team: Hasan Akram, Use Cases Editor; Domenico Catalano, Graphics/UX Editor; and Maciej Machulak,Implementation Coordinator

The UMA site will have links to these slides and the webinar recording


















mailto:[email protected]






http://kantarainitiative.org/confluence/display/uma/Participant+Roster


http://kantarainitiative.org/confluence/display/uma/UMA+Explained



Thanks!

26

[email protected] / [email protected]@pbryan.net

Thanks to the Kantara staff and the UMA WG participants, especiallythe rest of our WG leadership team: Hasan Akram, Use Cases Editor; Domenico Catalano, Graphics/UX Editor; and Maciej Machulak,Implementation Coordinator

The UMA site will have links to these slides and the webinar recording

http://www.flickr.com/photos/greeblie/2426454804 | BY 2.o




























http://www.flickr.com/photos/greeblie/2426454804

http://www.flickr.com/photos/greeblie/2426454804

http://tinyurl.com/uma-wgU AM27

The CV scenarioin more detail

http://www.flickr.com/photos/27620885@N02/2655221272/ | CC-BY-2.0


















http://www.flickr.com/photos/27620885@N02/2655221272/

http://www.flickr.com/photos/27620885@N02/2655221272/



UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


User Stores CV

28




















UnseenUniversity

BigCo.Com CopMonkey

Store CV

Authorizing User

Host


User Stores CV

User manages CV on Host site

28



















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


User Registers Host at AM

29




















UnseenUniversity

BigCo.Com CopMonkey

AMLocation

Authorizing User

Host



a. User introduces Host to AM

29




















UnseenUniversity

BigCo.Com CopMonkey

AMLocation

New HostResource

Authorizing User

Host



a. User introduces Host to AMb. Host requests creation of a new host resource on AM

29




















UnseenUniversity

BigCo.Com CopMonkeyAuthorize

New HostResource

Authorizing User

Host



a. User introduces Host to AMb. Host requests creation of a new host resource on AMc. User authorizes the connection

29




















UnseenUniversity

BigCo.Com CopMonkeyAuthorize

Authorizing User

Host



a. User introduces Host to AMb. Host requests creation of a new host resource on AMc. User authorizes the connectiond. Host requests and gets an H➮A access token

H➮AAccess Token

29




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


User Sets Up CV Protection

30




















UnseenUniversity

BigCo.Com CopMonkeyPolicies

Authorizing User

Host


User Sets Up CV Protection

User manages policies and termsat AM

30




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


User Tells Requester About CV

31




















UnseenUniversity

BigCo.Com CopMonkeyResource URL

Authorizing User

Host


User Tells Requester About CV

User provides protected resourceURL to requester

31




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


Requester Attempts CV Access

32




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester attempts to access the resourceAttempt

Access

32




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester attempts to access the resourceb. Requester requests and gets an R➮H access tokenRequest R➮H

Access Token

32




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester attempts to access the resourceb. Requester requests and gets an R➮H access token

32

R➮HAccess Token




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester attempts to access the resource

c. Host requests a “referral resource” from AM to return to Requester

Request ReferralResource

referral

b. Requester requests and gets an R➮H access token

32

R➮HAccess Token




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host





d. Requester requests and gets an R➮A access token


Request R➮AAccess Token

referral


32

R➮HAccess Token




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host





d. Requester requests and gets an R➮A access token


referral


32

R➮AAccess Token

R➮HAccess Token




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


Negiotiate Terms of CV Access

referral

33




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester asks AM for the authorization state

referral

Authorization State?

33




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host




b. AM responds with “claims- required” authorization state

referral

“claims-required”

33




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host




b. AM responds with “claims- required” authorization state

c. Requester sends required claims

referral

Claims

33




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


Requester Successfully Accesses CV

34




















UnseenUniversity

BigCo.Com CopMonkey

Access CV

Authorizing User

Host



a. Requester attempts access to protected resource on Host

34




















UnseenUniversity

BigCo.Com CopMonkey

Access CV

Authorizing User

Host



a. Requester attempts access to protected resource on Hostb. Host requests a policy decision from AMPolicy Decision?

34




















UnseenUniversity

BigCo.Com CopMonkey

Access CV

Authorizing User

Host



a. Requester attempts access to protected resource on Hostb. Host requests a policy decision from AM

c. AM provides “Allow” response

“allow”

34




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host



a. Requester attempts access to protected resource on Hostb. Host requests a policy decision from AM

c. AM provides “Allow” response

“allow”

CV

d. Host returns the CV resource

34




















UnseenUniversity

BigCo.Com CopMonkey

Authorizing User

Host


User Revokes Access

35




















UnseenUniversity


Authorizing User

Host


User Revokes Access

a. User changes policy to revoke this Requester’s access to this resource

35




















UnseenUniversity


Authorizing User

Host


User Revokes Access

a. User changes policy to revoke this Requester’s access to this resourceAttempt

Access

b. Requester attempts access as usual

35




















UnseenUniversity


Authorizing User

Host


User Revokes Access


Access

Policy Decision?


c. Host requests a policy decision from AM

35




















UnseenUniversity


Authorizing User

Host


User Revokes Access


Access “deny”



d. AM denies the request

35




















UnseenUniversity


Authorizing User

Host


User Revokes Access


Access

BlockAccess

“deny”

✘



d. AM denies the request

e. Host blocks Requester access

35



















User-Managed Access (UMA) Update€¦ · 29/01/2010 · potential user experience... 23 UnSeen...

Documents

Transcript of User-Managed Access (UMA) Update€¦ · 29/01/2010 · potential user experience... 23 UnSeen...