I'm trying to understand the essence of an UMA Legal framework by picking a very simple but real-life use case and premise.

Premise: The resource server operator (RSO) installs UMA because it limits their liability due to clients interactions. In other words, they are transferring some risk to an authorization server operator (ASO), otherwise they would just implement OAuth.

For simplicity, presume:

a single resource: https://uma.rso.com/adrian/weight/readonly
terms of use: the data is only to be accessed by anyone, including rso, via the resource above
clients will present a valid SSL certificate and a token verifiable at the authorization server
this contract between RS and RO expires after one year or upon notice by either party

Under these circumstances, the RSO has transferred most of the liability for interacting with a particular client to the ASO. This, I believe is the UMA Legal MVP.

In a real-world use-case, the RSO may not be allowed to duck this much liability. For example, the RSO might be required by law to notify the RO that a particular Client / RqP is on an industry watchlist.

In this case, the Client / RqP is providing attributes to both the AS and the RS. The RSO bears somewhat greater liability unless it can warn the RO via UMA the same way it might warn the RO via OAuth.

Can the ASO bear the responsibility of warning the RO or must the RS warn the RO directly?

As far as I can tell, this is the essence of UMA legal. Everything else is just an elaboration on one of the four bullet points above. This, incidentally, is the use-case I'm discussing with the US Office for Civil Rights.

Adrian

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/