Digital Identity, Trust and Privacy on the open Internet

Archive for the ‘UMA’ Category

Open Algorithms (OPAL): Key Concepts


The following are the key concepts and principles underlying the open algorithms paradigm:

  • Moving the algorithm to the data: Instead of pulling raw data into a centralized location for processing, it is the algorithms that should be sent to the data repositories and be processed there.
  • Raw data must never leave its repository: Raw data must never be exported from its repository, and must always be under the control of its owner or the owner of the data repository.
  • Vetted algorithms: Algorithms must be vetted to be “safe” from bias, discrimination, privacy violations and other unintended consequences. The data owner (data provider) must ensure that the algorithms it authors/publishes have been thoroughly analyzed for safety and privacy preservation (i.e. fairness, accountability and transparency in Machine Learning).
  • Provide only safe answers: When executing an algorithm on a data set, the data repository must always provide responses that are deemed “safe” from a privacy perspective. Responses must not release or leak personally identifying information (PII) without the consent of the user (subject). This may imply that a data repository returns only aggregate answers.
  • Trust Networks (Data Federation): In a group-based information sharing configuration – referred to as Data Sharing Federation – algorithms must be vetted collectively by the trust network members. The operational aspects of the federation should be governed by a legal trust framework for data federation.
  • Consent for algorithm execution: Data repositories that hold subject data should obtain consent from the subject when the subject’s data is to be included in a given algorithm execution.
  • Decentralized Data: By leaving raw data in its repository, the OPAL paradigm points towards a decentralized architecture for data stores.
  • Personal Data Stores: Decentralized data architectures should also incorporate the notion of personal data stores (PDS) as a legitimate data repository end-point.
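The following toy repository is an added example, not code from this post or from the OPAL project, showing how the first six principles above fit together in one data-repository end-point: callers name a vetted algorithm rather than shipping code, the raw records never leave the object, only the records of subjects who consented to that algorithm are included, and the answer is an aggregate that suppresses any group smaller than a threshold. The record fields, the consent table, the algorithm registry and the threshold of 3 are all assumptions made for illustration.

```python
"""Toy OPAL-style data repository (added example, not OPAL project code).
The algorithm is sent to the data, raw records never leave the repository,
only vetted algorithms run, only consenting subjects are included, and only
aggregates over a minimum group size are released.  All names and values
below are assumed for illustration."""
from collections import Counter

# Constructed sample data held by a hypothetical repository.
RAW_RECORDS = [
    {"subject": "alice", "city": "Boston", "income": 82000},
    {"subject": "bob",   "city": "Boston", "income": 61000},
    {"subject": "carol", "city": "Boston", "income": 73000},
    {"subject": "dave",  "city": "Boston", "income": 99000},
    {"subject": "erin",  "city": "Austin", "income": 70000},
    {"subject": "frank", "city": "Austin", "income": 88000},
]

# Constructed consent records: subject -> algorithms the subject agreed to.
CONSENTS = {
    "alice": {"mean_income_by_city"},
    "bob":   {"mean_income_by_city"},
    "carol": {"mean_income_by_city"},
    "dave":  {"mean_income_by_city"},
    "erin":  {"mean_income_by_city"},
    "frank": set(),  # frank has not consented to any algorithm
}

MIN_GROUP_SIZE = 3  # assumed safety threshold for released aggregates


def mean_income_by_city(records):
    """A vetted algorithm: returns {city: (mean income, number of subjects)}.
    The count travels with the value so the release check can use it."""
    totals, counts = Counter(), Counter()
    for r in records:
        totals[r["city"]] += r["income"]
        counts[r["city"]] += 1
    return {c: (totals[c] / counts[c], counts[c]) for c in counts}


# Only algorithms in this registry may run; callers name them, not ship code.
VETTED_ALGORITHMS = {"mean_income_by_city": mean_income_by_city}


class Repository:
    """Holds raw data; exposes execute() and nothing that returns records."""

    def __init__(self, records, consents, vetted, min_group=MIN_GROUP_SIZE):
        self._records = records
        self._consents = consents
        self._vetted = vetted
        self._min_group = min_group

    def execute(self, algorithm_name):
        func = self._vetted.get(algorithm_name)
        if func is None:
            raise PermissionError(f"algorithm {algorithm_name!r} is not vetted")
        # Consent for algorithm execution: include only consenting subjects.
        included = [r for r in self._records
                    if algorithm_name in self._consents.get(r["subject"], set())]
        return self._release(func(included))

    def _release(self, result):
        """Provide only safe answers: drop groups smaller than the threshold."""
        safe = {}
        for group, (value, n) in result.items():
            if n >= self._min_group:
                safe[group] = round(value, 2)
            # Small groups are suppressed entirely, not reported with a count.
        return safe


def build_repository():
    return Repository(RAW_RECORDS, CONSENTS, VETTED_ALGORITHMS)


def run_demo():
    return build_repository().execute("mean_income_by_city")


if __name__ == "__main__":
    print(run_demo())  # Boston (4 consenting subjects) only; Austin suppressed
```

Austin disappears from the answer because only one of its two subjects consented, and a single-subject "aggregate" would be that person's income; the repository suppresses the group rather than reporting it with a small count, which would itself leak that the threshold was not met.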

Written by thomas

October 12th, 2017 at 9:23 pm

UMA Presentation from IIW#16


Eve Maler kindly prepared an excellent set of slides for me to present at IIW#16 in Mountain View, CA late April: UMA_for_IIW16_2013-05

After discussions during the presentation, I believe one of the technical issues that still causes confusion is the fact that UMA uses three (3) distinct OAuth2.0 Tokens:

  • AAT (Authorization API Token): this OAuth2.0 token is used by the Client to prove (to the Authorization Server) that it has authorization to access the APIs at the Authorization Server.
  • PAT (Protection API Token): this OAuth2.0 token is used by the Resource Server to prove (to the Authorization Server) that the Resource Owner (e.g. Alice) has provided it (the Resource Server) with authorization to register Alice’s resource at the Authorization Server.
  • RPT (Requesting Party Token): this OAuth2.0 token provides authorization for the Requesting Party to access resources at the Resource Server.

Here are the key take-aways:

  1. All three tokens are OAuth2.0 tokens.
  2. All three tokens are issued by the Authorization Server (or what used to be called the Authorization Manager in UMA).
  3. All three tokens should ideally be used in conjunction with the relevant parts of the UMA Binding Obligations (BO) spec. The BO spec tells the parties involved what their legal obligations will be.



Written by admin

May 22nd, 2013 at 5:59 pm

Towards a Trustworthy Digital Infrastructure for Core Identities and Personal Data Stores


So that was the title of my paper at the ID360 conference at UTexas in April. A copy of the PDF paper is here: hardjono-greenwood-coreid04C-ID360



Written by admin

May 22nd, 2013 at 5:42 pm

Limitations of the OAuth 2.0 definition of “Client”


I believe the OAuth 2.0 definition of the “client” is too restrictive, and by doing so it has effectively closed off any possibility of OAuth 2.0 entertaining true third-party access on the Internet. Although OAuth speaks in terms of Alice-to-Bob sharing of resources, in reality it caters only as far as Alice-to-client sharing (where the “client” is a piece of application software possibly operated by a third party). This point jumps out clearly when we compare the OAuth view of Alice-to-Bob sharing against the UMA view.

The definition of “client” in OAuth 2.0 (RFC6749) is as follows:

 An application making protected resource requests on behalf of the resource owner and with its authorization.

The UMA (draft-06) definition of the “client” is as follows:

 An application making protected resource requests with the resource owner’s authorization and on the requesting party’s behalf.

UMA makes the clear distinction between the “Requesting Party” and the Client (or the “Requester”). The Requesting Party is considered to be the human being (or organization, or a human legally representing an organization), while the Client in UMA is the “proxy” entity through which the Requesting Party accesses the resources hosted at the Resource Server. In the UMA view, Bob is the human person who is using the client but may not be in full control of all aspects of the client’s operation.

Nat Sakimura (from the OpenID Foundation), in his recent blog, corrects a common misconception: “many people seem to think of this client as ‘Alice’ the resource owner.” I absolutely agree with this view. However, in order to truly support a realistic Alice-to-Bob sharing, OAuth 2.0 needs to expand its definition and understanding of the client.

The following diagram illustrates further. In this diagram, Alice wants to let Bob access her calendar so that Bob can adjust his travel itinerary to match Alice’s itinerary. Alice is the owner of her resource (her calendar file), which resides at the Resource Server (operated by MyCalendarz.com). Bob is using the client (the application operated by Tripitz.com) to access Alice’s calendar file at MyCalendarz.com. The client is therefore acting on behalf of Bob.



The OAuth 2.0 definition of “client” fails to recognize that a (legal) relationship may exist between the human person (Bob, who is driving the “client” application at Tripitz.com) and the company called Tripitz.com. Thus, in the Alice-to-Bob sharing, OAuth assumes that Bob is directly accessing the resources, whereas in reality Bob is more likely to be using his browser to “remotely manipulate” the client application (operated by a third party, Tripitz.com) to access Alice’s resources at the Resource Server (MyCalendarz.com). The UMA architecture recognizes the reality that Bob will likely need to have an account at Tripitz.com, for which Bob will be required to accept the Terms of Service (TOS) of Tripitz.com.

UMA recognizes (i) the Bob-to-Tripitz relationship and (ii) the Tripitz-to-CopMonkey relationship (CopMonkey.com being the Authorization Server in this example) by requiring two (2) types of OAuth tokens to be presented/wielded by the client:

  • The Authorization API Token (AAT): this is the OAuth token that belongs to the client (Tripitz.com) and which authorizes the client to use the Authorization Server’s authorization API on Bob’s behalf.
  • The Requesting Party Token (RPT): this is the OAuth token that belongs to the Requesting Party (Bob) and which carries Bob’s authorization to access Alice’s resource; the client presents it to the Resource Server, which checks it with the Authorization Server before releasing the resource.

This distinction between the Requester and the Requesting Party in UMA allows legal agreements (e.g. a trust framework) to recognize Bob as distinct from Tripitz.com, and to accord different legal obligations to these two entities. And from a risk management perspective, it allows finer-grained analysis and risk assignment to these entities.

In summary, in order to address the true Alice-to-Bob sharing of resources, OAuth 2.0 needs to:

  • expand its understanding of “client” to mean an application being owned and operated by a third party (not Bob).
  • add another player to the ecosystem, namely Bob the Requesting Party.
  • define that the client is acting on behalf of Bob.
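The simulation below is an added example, not code from this post, from the IIW#16 post above, or from the UMA specification. It walks the three tokens described in both posts through one Alice-to-Bob sharing: MyCalendarz (the Resource Server) obtains a PAT with Alice's authorization and registers her calendar at CopMonkey (the Authorization Server); Tripitz (the client) obtains an AAT with Bob's authorization; a first access attempt yields a permission ticket, the client trades AAT plus ticket for an RPT, and the Resource Server introspects that RPT (using its PAT) before releasing the calendar. Separating the AAT (client plus Bob) from the RPT (Bob's authorization for one resource) is what lets the policy treat Bob and a second Tripitz user, Mallory, differently even though both drive the same client. Token formats, method names, Alice's policy and the participants' identifiers are assumptions for illustration.

```python
"""Simulation of the UMA 1.0 three-token flow: PAT, AAT and RPT.  Added
example, not code from the original posts or the UMA specification.
CopMonkey plays the Authorization Server, MyCalendarz the Resource Server
and Tripitz the client acting for Bob, the Requesting Party.  Token formats,
method names and Alice's policy are assumed for illustration."""
import secrets


class AuthorizationServer:           # CopMonkey
    def __init__(self):
        self.pats = {}       # PAT -> (resource server, resource owner)
        self.aats = {}       # AAT -> (client, requesting party)
        self.resources = {}  # resource id -> (owner, registered scopes)
        self.tickets = {}    # permission ticket -> (resource id, scopes)
        self.rpts = {}       # RPT -> authorization data
        self.policies = {}   # (owner, resource id) -> {party: allowed scopes}

    # Both tokens below are ordinary OAuth 2.0 access tokens.
    def issue_pat(self, rs_id, owner):          # Alice authorises the RS
        tok = secrets.token_urlsafe(16)
        self.pats[tok] = (rs_id, owner)
        return tok

    def issue_aat(self, client_id, party):      # Bob authorises the client
        tok = secrets.token_urlsafe(16)
        self.aats[tok] = (client_id, party)
        return tok

    # Protection API: every call must carry a valid PAT.
    def register_resource(self, pat, resource_id, scopes):
        _, owner = self._require(self.pats, pat, "PAT")
        self.resources[resource_id] = (owner, set(scopes))

    def register_permission(self, pat, resource_id, scopes):
        self._require(self.pats, pat, "PAT")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, set(scopes))
        return ticket

    def introspect(self, pat, rpt):
        self._require(self.pats, pat, "PAT")
        return self.rpts.get(rpt)   # None for an unknown or revoked RPT

    # Authorization API: every call must carry a valid AAT.
    def request_rpt(self, aat, ticket):
        _, party = self._require(self.aats, aat, "AAT")
        resource_id, wanted = self.tickets.pop(ticket)
        owner, _ = self.resources[resource_id]
        allowed = self.policies.get((owner, resource_id), {}).get(party, set())
        granted = wanted & allowed
        if not granted:
            raise PermissionError(f"{owner}'s policy denies {party} {sorted(wanted)}")
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"resource": resource_id, "scopes": granted, "party": party}
        return rpt

    @staticmethod
    def _require(table, token, kind):
        if token not in table:
            raise PermissionError(f"invalid {kind}")
        return table[token]


class ResourceServer:                # MyCalendarz
    def __init__(self, rs_id, as_):
        self.rs_id, self.as_, self.pat, self.data = rs_id, as_, None, {}

    def protect(self, owner, resource_id, content, scopes):
        self.pat = self.pat or self.as_.issue_pat(self.rs_id, owner)
        self.data[resource_id] = content
        self.as_.register_resource(self.pat, resource_id, scopes)

    def access(self, resource_id, scope, rpt=None):
        """Return ("ok", content) or ("ticket", permission ticket)."""
        if rpt is not None:
            info = self.as_.introspect(self.pat, rpt)
            if info and info["resource"] == resource_id and scope in info["scopes"]:
                return "ok", self.data[resource_id]
        # No or insufficient RPT: register a permission and hand back a ticket.
        return "ticket", self.as_.register_permission(self.pat, resource_id, [scope])


class Client:                        # Tripitz, driven by the requesting party
    def __init__(self, client_id, as_, party):
        self.as_ = as_
        self.aat = as_.issue_aat(client_id, party)

    def fetch(self, rs, resource_id, scope):
        status, payload = rs.access(resource_id, scope)
        if status == "ticket":
            rpt = self.as_.request_rpt(self.aat, payload)  # AAT + ticket -> RPT
            status, payload = rs.access(resource_id, scope, rpt=rpt)
        return payload


def run_demo():
    as_ = AuthorizationServer()
    rs = ResourceServer("mycalendarz.com", as_)
    rs.protect("alice", "alice-calendar", "Mon: Boston, Tue: Austin", ["read", "write"])
    as_.policies[("alice", "alice-calendar")] = {"bob": {"read"}}  # Alice's policy
    bob = Client("tripitz.com", as_, "bob")
    out = {"bob_read": bob.fetch(rs, "alice-calendar", "read")}
    mallory = Client("tripitz.com", as_, "mallory")
    for label, client, scope in [("bob_write", bob, "write"), ("mallory_read", mallory, "read")]:
        try:
            client.fetch(rs, "alice-calendar", scope)
            out[label] = "granted"
        except PermissionError:
            out[label] = "denied"
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that the Resource Server never trusts the RPT on its face: it introspects it at the Authorization Server with its own PAT, so a token Tripitz obtained for Mallory, or for a different resource or scope, is rejected even though it came from the same client software.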




Written by thomas

December 29th, 2012 at 1:16 am

Posted in OAUTH2.0, UMA

UMA, OpenID-Connect & OAuth2.0


Eve Maler has devised a very useful diagram (for our Google TechTalk presentation) comparing the features and intended purposes of OAuth2.0, OpenID Connect and UMA. Interestingly, the diagram also shows what can be achieved using the Venn combinations of two out of the three technologies.


Written by thomas

March 10th, 2012 at 9:08 pm

Posted in OAUTH2.0, UMA