SlideShare une entreprise Scribd logo

UMA for ACE

Hannes Tschofenig
Hannes Tschofenig

UMA is a profile and application of OAuth that defines how resource owners can control resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy. Recent investigations have shown promise for applying UMA to Internet of Things authorization use cases. This is a presentation by Eve Maler for the IETF ACE working group.

Technologie
1  sur  28
Télécharger pour lire hors ligne
User-Managed Access (UMA) in the ACE Context Eve Maler, chair @UMAWG | @xmlgrrl 13 January 2015 tinyurl.com/umawg 1
Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 2
OpenID Connect UMA OAuth 2.0 The “new Venn” of web access control and consent
The marvelous spiral of controlled personal data/access sharing 4
Interoperable, RESTful authorization-as-a-service 5 Has standardized APIs for privacy and “selective sharing” Outsources protection to a centralizable authorization server “authz   provider”   (AzP)   “authz   relying   party”   (AzRP)   iden9ty   provider   (IdP)   SSO  relying   party   (RP)  
Use-case domains Health Financial Education Personal Government Media Behavioral Enterprise Web Mobile API IoT
Web/API identity and security specification progress in context 7 Protect   Serve   UMA  Core,  Resource  Set  Registra9on   OAuth  1.0,  1.0a   WRAP   OpenID  AB/Connect   Open   ID   OpenID  Connect   OAuth  2.0   ‘08 ‘09 ‘10 ‘11 ‘13 ‘12 ‘14 ‘15 Dynamic  Client  Reg,  Token   Introspec9on…   Binding   Obs…   5  Jan  ‘15:  45-­‐day  public   review  of  “V1.0   candidate”  specs  begun:   9nyurl.com/umacore  &   oauthrsr   Interop  test  suite   development   under  way  
Other major news items •  EIC award in Munich •  HEART WG at OpenID Foundation •  New open-source community: OpenUMA at ForgeRock.org 8
Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 9
OAuth architecture 10
OAuth experience 11
Under the hood, UMA is “OAuth++” Loosely coupled to enable an AS to onboard multiple RS’s, residing in any security domains This concept is new, to enable asynchronous party-to-party sharing driven by RO policy vs. run-time consent
The RS exposes whatever value-add API it wants, protected by an AS The RPT is the main “access token” and (by default – it’s profilable) is associated with time-limited, scoped permissions App-specific API UMA-enabled client RPT requesting party token
The AS exposes an UMA- standardized protection API to the RS The PAT protects the API and binds the RO, RS, and AS ProtectionAPI Protectionclient PAT protection API token •  Resource registration endpoint •  Permission registration endpoint •  Token introspection endpoint
The AS exposes an UMA- standardized authorization API to the client The AAT protects the API and binds the RqP, client, and AS The client may be told: “need_info” Authorization API Authorization client AAT authorization API token •  RPT endpoint
The AS can collect requesting party claims or otherwise elevate trust to assess policy A “claims-aware” client can proactively push an OpenID Connect ID token, a SAML assertion, a SCIM record, or other available user data to the AS per the access federation’s trust framework A “claims-unaware” client can, at minimum, redirect the requesting party to the AS to log in, press an “I Agree” button, fill in a form, follow a NASCAR for federated login, etc.
The RO and RqP have opposite consent/ privacy relationships with the AS 17
How an individual user might experience setting sharing preferences 18 demo!
Default burdens on apps Resource server •  Gets client creds from AS •  Gets RO-specific access token (PAT) from AS •  Registers protected resources at AS as required (PUT) •  Registers permissions at AS for unauthorized client access attempts (POST) •  Introspects clients’ RPTs at AS (GET) Client •  Learns AS location and endpoints •  Gets client creds from AS •  Gets RqP-specific access token (AAT) from AS •  Requests authz data from AS (POST) •  Pushes user claims (optional) or redirects user to AS 19 •  All REST •  All JSON on both request and response sides •  Endpoints all TLS- and OAuth-protected
Profiling and extensibility enable efficiencies and non-HTTP bindings •  “Protection API extensibility profile” for AS-RS interactions •  “Authorization API extensibility profile” for AS-client interactions •  “Resource interface extensibility profile” for resource server- client interactions –  E.g., to replace HTTP/TLS with CoAP/DTLS or co-locate entities •  RPT profiling –  E.g., to enable disconnected token introspection or AS “hunt list” •  JSON extensibility all over the place –  E.g., to enable general experimentation and escape hatches •  Claim token format profiling –  E.g., to enable a variety of deployment-specific trust frameworks 20
Subject or UMA Binding Obligations •  Distributed authorization across domains? Scary! •  This “legal” spec enables parties operating and using software entities (and devices) to distribute rights and obligations fairly in access federation trust frameworks 21 Individual! Non- person entity Authorizing Party Requesting Party Resource Server Operator Client Operator Requesting Party Agent Authorization Server Operator Important  state   changes  when  new   pairwise  obliga9ons   tend  to  appear:   •  Token  issuance   •  Token  status  checks   •  Permission   registra9on   •  Claims  gathering   •  Access  requests   •  Successful  access  
Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 22
Strong architectural matches þ  Owner grants different resource access rights to different parties •  U1.1, U2.3, U.3.2, (U3.3) þ  Owner grants different access rights for different resources on a device (including read, write, admin) •  U1.3, U4.4, U5.2 þ  Owner not always present at time of access •  U1.6, U5.5 þ  Owner grants temporary access permissions to a party •  U1.7 þ  Owner applies verifiable context-based conditions to authorizations •  U2.4, U4.5, U6.3 þ  Owner grants temporary access permissions to a party •  U1.7 þ  Owner preconfigures access rights to specific data •  U3.1, U6.3 þ  Owner adds a new device under protection •  U4.1 þ  Owner puts a previously owned device under protection •  U4.2 þ  Owner removes a device from protection •  U4.3 þ  Owner preconfigures access rights to specific data •  U3.1 þ  Owner revokes permissions •  U4.6 þ  Owner grants access only to authentic, authorized clients •  U7.1, U7.2 23
Potential profiling/extension opportunities q Constrained device might not always be able to reach the Internet •  U1.9, U5.4, U6.5, U7.3 •  Or proxy/gateway approach q Impossible or inefficient to contact all affected devices directly when policies are updated •  U5.6 24
Potential user experience and system configuration opportunities q Spontaneous device provisioning •  U2.1 q Spontaneous/dynamic policy changes •  U2.2, U6.1 q Secure-by-default policies •  U2.6, U3.6 q Easy-to-edit policies •  U2.7, U2.9, U2.10, U3.6, U6.2 25
Apparent OOS challenges q  Sensor data integrity •  U1.2 q  Sensor data confidentiality •  U1.2 q  Client-RS messages forwarded over multiple hops? •  U1.8, U5.7 q  Smart home devices communicate with different control devices •  U2.5 q  Owner prevents eavesdroppers on home network •  U2.8 q  Prevent (all) DoS •  U3.7 q  High security to prevent owner fatalities •  U3.8 q  Multicast protocol? •  U4.8 q  Physical device security •  U5.1 q  Wired and wireless •  U7.4 q  Mitigate risk of financial damage •  U7.5 •  UMA Binding Obligations spec helps do this 26
Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 27
Questions? Thank you! Eve Maler, chair @UMAWG | @xmlgrrl 13 January 2015 tinyurl.com/umawg 28

Recommandé

Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
WSO2
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO2
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE
 

Recommandé

Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
WSO2
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO2
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
cdanger
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
Marcin Wolnik
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
Ericsson Labs
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2
Michae Blakeney
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
MifrazMurthaja
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
ForgeRock
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler
 

Contenu connexe

Tendances

Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 

Tendances (20)

FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 

Similaire à UMA for ACE

Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
ForgeRock
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
AaronLieberman5
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Extending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMAExtending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMA
kantarainitiative
 

Similaire à UMA for ACE (20)

Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
2018 Oct IIW User Managed Access (UMA)
2018 Oct IIW User Managed Access (UMA)2018 Oct IIW User Managed Access (UMA)
2018 Oct IIW User Managed Access (UMA)
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 
API Gateway - OFM Canberra October 2014
API Gateway - OFM Canberra October 2014API Gateway - OFM Canberra October 2014
API Gateway - OFM Canberra October 2014
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Extending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMAExtending the Power of Consent with User-Managed Access & OpenUMA
Extending the Power of Consent with User-Managed Access & OpenUMA
 
The state of uma 2014 11-03
The state of uma 2014 11-03The state of uma 2014 11-03
The state of uma 2014 11-03
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
 
Presentation
PresentationPresentation
Presentation
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
OAuth2
OAuth2OAuth2
OAuth2
 

Plus de Hannes Tschofenig

A guide to make your research less successful
A guide to make your research less successfulA guide to make your research less successful
A guide to make your research less successful
Hannes Tschofenig
 

Plus de Hannes Tschofenig (10)

Measuring the Performance and Energy Cost of Cryptography in IoT Devices
Measuring the Performance and Energy Cost of Cryptography in IoT DevicesMeasuring the Performance and Energy Cost of Cryptography in IoT Devices
Measuring the Performance and Energy Cost of Cryptography in IoT Devices
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3
 
The Role of Standards in IoT Security
The Role of Standards in IoT SecurityThe Role of Standards in IoT Security
The Role of Standards in IoT Security
 
Device Management with OMA Lightweight M2M
Device Management with OMA Lightweight M2MDevice Management with OMA Lightweight M2M
Device Management with OMA Lightweight M2M
 
Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0
 
Performance of State-of-the-Art Cryptography on ARM-based Microprocessors
Performance of State-of-the-Art Cryptography on ARM-based MicroprocessorsPerformance of State-of-the-Art Cryptography on ARM-based Microprocessors
Performance of State-of-the-Art Cryptography on ARM-based Microprocessors
 
Smart Object Architecture
Smart Object ArchitectureSmart Object Architecture
Smart Object Architecture
 
Crypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M ProcessorsCrypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M Processors
 
How to Select Hardware for Internet of Things Systems?
How to Select Hardware for Internet of Things Systems?How to Select Hardware for Internet of Things Systems?
How to Select Hardware for Internet of Things Systems?
 
A guide to make your research less successful
A guide to make your research less successfulA guide to make your research less successful
A guide to make your research less successful
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Dernier (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

UMA for ACE

  • 1. User-Managed Access (UMA) in the ACE Context Eve Maler, chair @UMAWG | @xmlgrrl 13 January 2015 tinyurl.com/umawg 1
  • 2. Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 2
  • 3. OpenID Connect UMA OAuth 2.0 The “new Venn” of web access control and consent
  • 4. The marvelous spiral of controlled personal data/access sharing 4
  • 5. Interoperable, RESTful authorization-as-a-service 5 Has standardized APIs for privacy and “selective sharing” Outsources protection to a centralizable authorization server “authz   provider”   (AzP)   “authz   relying   party”   (AzRP)   iden9ty   provider   (IdP)   SSO  relying   party   (RP)  
  • 7. Web/API identity and security specification progress in context 7 Protect   Serve   UMA  Core,  Resource  Set  Registra9on   OAuth  1.0,  1.0a   WRAP   OpenID  AB/Connect   Open   ID   OpenID  Connect   OAuth  2.0   ‘08 ‘09 ‘10 ‘11 ‘13 ‘12 ‘14 ‘15 Dynamic  Client  Reg,  Token   Introspec9on…   Binding   Obs…   5  Jan  ‘15:  45-­‐day  public   review  of  “V1.0   candidate”  specs  begun:   9nyurl.com/umacore  &   oauthrsr   Interop  test  suite   development   under  way  
  • 8. Other major news items •  EIC award in Munich •  HEART WG at OpenID Foundation •  New open-source community: OpenUMA at ForgeRock.org 8
  • 9. Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 9
  • 12. Under the hood, UMA is “OAuth++” Loosely coupled to enable an AS to onboard multiple RS’s, residing in any security domains This concept is new, to enable asynchronous party-to-party sharing driven by RO policy vs. run-time consent
  • 13. The RS exposes whatever value-add API it wants, protected by an AS The RPT is the main “access token” and (by default – it’s profilable) is associated with time-limited, scoped permissions App-specific API UMA-enabled client RPT requesting party token
  • 14. The AS exposes an UMA- standardized protection API to the RS The PAT protects the API and binds the RO, RS, and AS ProtectionAPI Protectionclient PAT protection API token •  Resource registration endpoint •  Permission registration endpoint •  Token introspection endpoint
  • 15. The AS exposes an UMA- standardized authorization API to the client The AAT protects the API and binds the RqP, client, and AS The client may be told: “need_info” Authorization API Authorization client AAT authorization API token •  RPT endpoint
  • 16. The AS can collect requesting party claims or otherwise elevate trust to assess policy A “claims-aware” client can proactively push an OpenID Connect ID token, a SAML assertion, a SCIM record, or other available user data to the AS per the access federation’s trust framework A “claims-unaware” client can, at minimum, redirect the requesting party to the AS to log in, press an “I Agree” button, fill in a form, follow a NASCAR for federated login, etc.
  • 17. The RO and RqP have opposite consent/ privacy relationships with the AS 17
  • 18. How an individual user might experience setting sharing preferences 18 demo!
  • 19. Default burdens on apps Resource server •  Gets client creds from AS •  Gets RO-specific access token (PAT) from AS •  Registers protected resources at AS as required (PUT) •  Registers permissions at AS for unauthorized client access attempts (POST) •  Introspects clients’ RPTs at AS (GET) Client •  Learns AS location and endpoints •  Gets client creds from AS •  Gets RqP-specific access token (AAT) from AS •  Requests authz data from AS (POST) •  Pushes user claims (optional) or redirects user to AS 19 •  All REST •  All JSON on both request and response sides •  Endpoints all TLS- and OAuth-protected
  • 20. Profiling and extensibility enable efficiencies and non-HTTP bindings •  “Protection API extensibility profile” for AS-RS interactions •  “Authorization API extensibility profile” for AS-client interactions •  “Resource interface extensibility profile” for resource server- client interactions –  E.g., to replace HTTP/TLS with CoAP/DTLS or co-locate entities •  RPT profiling –  E.g., to enable disconnected token introspection or AS “hunt list” •  JSON extensibility all over the place –  E.g., to enable general experimentation and escape hatches •  Claim token format profiling –  E.g., to enable a variety of deployment-specific trust frameworks 20
  • 21. Subject or UMA Binding Obligations •  Distributed authorization across domains? Scary! •  This “legal” spec enables parties operating and using software entities (and devices) to distribute rights and obligations fairly in access federation trust frameworks 21 Individual! Non- person entity Authorizing Party Requesting Party Resource Server Operator Client Operator Requesting Party Agent Authorization Server Operator Important  state   changes  when  new   pairwise  obliga9ons   tend  to  appear:   •  Token  issuance   •  Token  status  checks   •  Permission   registra9on   •  Claims  gathering   •  Access  requests   •  Successful  access  
  • 22. Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 22
  • 23. Strong architectural matches þ  Owner grants different resource access rights to different parties •  U1.1, U2.3, U.3.2, (U3.3) þ  Owner grants different access rights for different resources on a device (including read, write, admin) •  U1.3, U4.4, U5.2 þ  Owner not always present at time of access •  U1.6, U5.5 þ  Owner grants temporary access permissions to a party •  U1.7 þ  Owner applies verifiable context-based conditions to authorizations •  U2.4, U4.5, U6.3 þ  Owner grants temporary access permissions to a party •  U1.7 þ  Owner preconfigures access rights to specific data •  U3.1, U6.3 þ  Owner adds a new device under protection •  U4.1 þ  Owner puts a previously owned device under protection •  U4.2 þ  Owner removes a device from protection •  U4.3 þ  Owner preconfigures access rights to specific data •  U3.1 þ  Owner revokes permissions •  U4.6 þ  Owner grants access only to authentic, authorized clients •  U7.1, U7.2 23
  • 24. Potential profiling/extension opportunities q Constrained device might not always be able to reach the Internet •  U1.9, U5.4, U6.5, U7.3 •  Or proxy/gateway approach q Impossible or inefficient to contact all affected devices directly when policies are updated •  U5.6 24
  • 25. Potential user experience and system configuration opportunities q Spontaneous device provisioning •  U2.1 q Spontaneous/dynamic policy changes •  U2.2, U6.1 q Secure-by-default policies •  U2.6, U3.6 q Easy-to-edit policies •  U2.7, U2.9, U2.10, U3.6, U6.2 25
  • 26. Apparent OOS challenges q  Sensor data integrity •  U1.2 q  Sensor data confidentiality •  U1.2 q  Client-RS messages forwarded over multiple hops? •  U1.8, U5.7 q  Smart home devices communicate with different control devices •  U2.5 q  Owner prevents eavesdroppers on home network •  U2.8 q  Prevent (all) DoS •  U3.7 q  High security to prevent owner fatalities •  U3.8 q  Multicast protocol? •  U4.8 q  Physical device security •  U5.1 q  Wired and wireless •  U7.4 q  Mitigate risk of financial damage •  U7.5 •  UMA Binding Obligations spec helps do this 26
  • 27. Agenda •  UMA’s design center, progress, and status •  A quick “UMA 101” primer •  Measuring UMA against ACE use cases •  Discussion and next steps 27
  • 28. Questions? Thank you! Eve Maler, chair @UMAWG | @xmlgrrl 13 January 2015 tinyurl.com/umawg 28