User-Managed Access

This purpose has privacy and consent implications for web applications and the Internet of Things (IoT), as explored by the collection of case studies contributed by participants in the standards group.

In a typical OAuth flow, a resource owner (RO), a human who uses a client application, is redirected to an authorization server (AS) to log in and consent to the issuance of an access token.

User-Managed Access adds three main concepts and corresponding structures and flows.

The Kantara Initiative's UMA Work Group[3] held its first meeting[6] on August 6, 2009.

However, it optionally uses the OAuth-based OpenID Connect protocol as a means of collecting identity claims from a requesting party in order to attempt to satisfy the authorizing user's access policy.

Sources of active and available open-source implementations include ForgeRock,[12] Gluu,[13] IDENTOS Inc.,[14] MITREid Connect,[15] Atricore, Node-UMA,[16] Roland Hedberg,[17] Keycloak,[18] and WSO2 Identity Server.

Cloud Identity Limited has a full UMA implementation for securing and managing access to personal information and web APIs.

Another example set of use cases, which originally influenced UMA's development, is in the area of "personal data stores" in the fashion of vendor relationship management.

This diagram provides a high level overview of the entities and relationships involved in the UMA specification.