Experiments in User Managed Access - achal-shah/uma-is4 GitHub Wiki

I find the general problem of how one safely shares content (or a resource) with others an interesting one. Solutions already exist; on OneDrive, for example, one can share files with others. Typically, though, the granularity of who has access is broad: for example, anyone with the URI can access the file. How can one share content, in a generic way, with the absolute assurance that only the intended recipient is able to consume it, and under the appropriate access policies? Resources can be files (documents, photos, videos), APIs, services - pretty much anything that can be accessed using a URI.

  • The resource can be housed or hosted on any secure server or service.
  • The resource owner can designate who has access to the resource and how.
  • The recipient can be validated without necessarily being known to the resource server a priori.

I envisioned that such a system could be implemented directly on a resource server, working with appropriate identity providers. Then I came across UMA. The framework essentially outsources access management to a separate UMA authorization server. The resource server has to be able to talk to the authorization server, but the heavy lifting is done by the authorization server.

There is an analogy here to how plain OAuth works, where the authorization server is used by a resource owner to delegate access to resources on a resource server to another service which also knows the user.

With this project, I hope to learn UMA by implementing it. At this point, the goal is not a production system, but something more basic with which I can learn and experiment.