Re: [WG-UMA] UMA is ready

(Weird, I didn’t seem to get a direct copy of this email — thanks to Mike for forwarding it to me. Is Pedro perhaps just subscribed to the list and not a WG participant?)

> On 6 Oct 2015, at 10:41 PM, Mike Schwartz  wrote:
> 
> 
> 
> -------- Original Message --------
> Subject: Re: [WG-UMA] UMA is ready
> Date: 2015-10-06 09:47
> From: Pedro Igor Silva 
> To: "Salvatore D'Agostino" 
> Cc: Justin Richer , Michael Schwartz , wg-uma@kantarainitiative.org
> 
> Hi,
> 
>    We've being working on an authorization solution for one of our community projects. Initially, we've chosen UMA because its seems to address some of our requirements. For instance:
> 
>        - Use standards and avoid, when possible, proprietary solutions
>        - Be able to support different types of resources
>        - Leverage existing oAuth2 and OIDC implementation in order to plug additional authorization capabilities for resource servers
>        - Leverage existing oAuth2 implementation with a more fine-grained policy and permissioning model
>        - Support different ways to define authorization policies (XACML, etc)
>        - Support a distributed and centralized PAP and PDP.
> 
>    From what I read so far, we are mainly considering the so called NPE use cases, where the resource server is actually protecting its own resources.
> 
>    So far, UMA fits nicely to what we are planning. However, there are some things that I would like to share based on what is being discussed on this thread.
> 
>    First of all, most examples, docs and even the specs, seem to cover only use cases where the user is in control of his resources and probably using different AS. I understand that this is the main use case that UMA tries to solve, but shouldn't have also more references about NPE use cases ? Specially from a spec perspective ?

This is a good point. We have done some editing to take away some overt assumptions, but perhaps we could do more. I just did a search for “resource owner” in Core, and Sec 2 jumps out as one place, and also the heavy “web app” assumptions in a few places.

But, reading through with this specifically in mind, I wonder if this is more in the eye of the beholder at this point. This is why we wanted to have a section in the UIG to discuss the implications of a non-human RO — and we were finding that there isn’t a heck of a lot more to say. Do you have suggestions for improvements? It would be great to catalogue these for future discussion.

Actually, the design patterns that the NZ folks have been working on are where I suspect the real meat is, and these (I’ve been finding) are not so much a spec thing as a deployment-choice thing, perhaps more in the realm of “deployment profiles”. E.g., in an environment where an individual RO wants to share a resource with an employee of an organization, does the RO share with an individual RqP agent, an RqP-as-RqP, a non-unique set of “RqP agents by role claim”, or what? NZ chose one path that I think is potentially elegant, but it wasn’t a complete solution.

> 
>    From a NPE perspective, do we really need all those steps in order to obtain a RPT and finally access a resource ? In other words, does all the steps involved in a non NPE use case apply to NPE ? Specially if you consider that a RS relies on a single AS.

If the AS issued the claims/ID token/whatever in the first place, and if you push claims in the initial RPT endpoint request, it could be fairly straightforward. Is that what you’re thinking of, or some further optimization?

> 
>    For last, we also have some requirements regarding entitlements. In some situations, we must be able to return all the entitlements for a given identity (and not only act as a PDP). Given that UMA does not provide something around that, we are designing a proprietary solution. What do you think about that and are there any plans to standardize how you obtain the entitlements/permissions in UMA ?

This is where I’ve been thinking for a long time that it would be very valuable to experiment with new token profiles. In some conversations with one SaaS company, I heard (e.g.) that they likely wouldn’t be satisfied with just resource set/scope permissions, because they have so many custom fine-grained semantics, and would want to get ID tokens and claims about the RqP in addition (a very SSO-like pattern). Your case sounds almost like the opposite end of the spectrum (if I’m understanding correctly).

We knew that our default MTI token profile in V1.0 might not be the be-all end-all — it’s just there for interop out of the box — so experimentation here would be great…

	Eve

> 
> Regards.
> Pedro Igor
> 
> ----- Original Message -----
> From: "Salvatore D'Agostino" 
> To: "Justin Richer" , "Michael Schwartz" 
> Cc: wg-uma@kantarainitiative.org
> Sent: Tuesday, October 6, 2015 9:50:30 AM
> Subject: Re: [WG-UMA] UMA is ready
> 
> Thanks for this Justin I agree that this is a good way to look at things.
> 
> As an example there are a number of things that measures something's maturity, these include:
> 
> 1. Extent of deployments
> 2. Extent of conformance and interop
> 3. Availability of open source for all the endpoints (in multiple dev environments/language).
> 
> On these measures UMA is still moving out the maturity model.  Not recognizing this would be silly as would be treating the immature comments as damning.
> 
> Justin nailed it, look at 1.01 if it fits use it and join us in making access control meet the privacy, scale and "userability" that is so needed on line today.
> 
> b/r Sal
> 
> -----Original Message-----
> From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
> Sent: Tuesday, October 06, 2015 8:10 AM
> To: Michael Schwartz
> Cc: wg-uma@kantarainitiative.org UMA
> Subject: Re: [WG-UMA] UMA is ready
> 
> Or maybe, if we remove the tinfoil-lined hat, UMA really *is* half-baked in a lot of ways. I know it’s difficult to see that when you’ve invested a lot of time and effort into a project, but when criticisms come in it’s often best to start with “they may have a point” before jumping to the defense of decisions you’ve made. It’s implementable within certain circumstances, but that doesn’t make it a good fit for everywhere. It’s likely that most deployments of Gluu (and others like the demos I’ve seen from ForgeRock) are working within specific environments that fit very nicely with the assumptions that the UMA standard has made so far.
> 
> I ran face-first into a lot of these assumptions while implementing UMA in our own project. It fit in some ways, and really really didn’t in others. We had to hack in a few pieces to make our demo work (like the cross-domain AAT, which is why I want it gone in the next revision). It’s possible you won’t know if it’s a good fit until you try to build it, so grab a couple engineers and go to town for a few weeks. If it works, great, you’ve got the start to a really good solution. If it doesn’t work, come tell the working group how and we’ll try to fix that. You’ve only invested a very small amount of time/money/effort and probably learned a lot about your problem in the process, so this is hardly a wasted investment.
> 
> What I’d tell people looking at UMA today is to look at their problem set and use case. Does UMA 1.0.1 fit that use case? Awesome, use it! There are a handful of implementations that work just fine in their own use cases and may or may not be interoperable, we don’t actually know, but the ecosystem is just getting started so come join us. And I think that the software-engineering approach to spec management that this group is adopting is a very good (and hopefully repeatable) model for managing expectations and efforts of people using the spec. Problem is, most consumers of specs don’t quite get that yet, but I think they will. This community needs to do an even better job of managing expectations than we’re already doing.
> 
> Is UMA ready? Sure, for some things. Is it perfect? Not at all. Is it universally applicable? Not a chance. Is it done? Hardly. And that’s OK, as long as we all work to manage expectations. For example, don’t tell people that UMA is the answer before you know their question. ;)
> 
> — Justin
> 
>> On Oct 6, 2015, at 12:49 AM, Mike Schwartz  wrote:
>>>> I have heard and seen pushback that UMA  is too immature to
>>>> implement yet and that worries me.
>> Of course its hard to respond to hearsay, but maybe the ones saying UMA is immature have an interest in non-interoperability of API security. Maybe it's not in the interest of vendors who haven't implemented, or don't understand UMA, to say it's immature. Or maybe the ones saying its not mature would rather not see a standard evolving at an organization they can't control. Who knows...
>> Gluu had no trouble implementing UMA. And the changes from 1.0 to 1.0.1 are no worse than the changes we've seen in OpenID Connect (i.e. look at the new front channel and back channel logout proposed specs).
>> Ultimately, Gluu's customers are deriving a competitive business advantage by using UMA, and that's all that really matters to us.
>> What I'd like to see is more sample code and more libraries. I think that would help--i.e. implementation is exactly what is needed, not what should be delayed.
>> - Mike
>> -------------------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> _______________________________________________
>> WG-UMA mailing list
>> WG-UMA@kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-uma
> 
> _______________________________________________
> WG-UMA mailing list
> WG-UMA@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
> 
> _______________________________________________
> WG-UMA mailing list
> WG-UMA@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
> 
> -- 
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike@gluu.org


Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com