-
-
Notifications
You must be signed in to change notification settings - Fork 764
User-Managed Access (UMA) standard #2632
Comments
I never looked into the UMA spec - but in your words - what would it add to identityserver? |
I understood from UMA specs, that it can integrate perfectly with OAuth2, in similar sense OIDC extended OAuth2 with user identity by introducing userinfo endpoint, UMA extends OAuth2 with user-access permissions/management by introducing 2 endpoints that consume access-token in Bearer format: first endpoint to register user permission and second endpoint retrieve user permission. so if that's included in IdentityServer3, the pipeline flow can be illustrated like this: OIDC -> OAuth2 -> UMA in other words, as OIDC came on top of OIDC, UMA goes under/below OAuth2 :) if you want quick look about the 2 endpoints without spending a lot of time reading the specs then please check below section of the specs: https://docs.kantarainitiative.org/uma/rec-uma-core.html#rfc.section.3.2.1 |
..and what's the benefit? |
I agree that IdentityServer3 built as OIDC and OAuth2 provider. but I don't understand why it would be bad idea to enrich it with user-managed access. UMA resolve big issue and misconception in OIDC & OAuth2 uses. a lot of people inject fine grained permissions in hacky way in access-token or identity token claims, and you fully aware that OAuth2 scopes only designed for coarse-grained permissions. so by embedding UMA in idsrv3, the community wouldn't be lost anymore on how to manage user permissions in fine-grain style. even this point might not help convincing you, a couple of OIDC providers already embedded UMA. but since I love idsrv3 and see it as the best provider I think embedding UMA will make it even greater. I am aware how busy you are in delivering idsrv4, and I wish I had time to contribute myself since I followed the project about year ago, but currently my schedule is fully allocated till June. thanks for taking the time to read my words. |
No thats fine - as I said I never spent time with UMA. It sounds interesting - but yeah - right now I have no spare time for that. Also - I had a brief look at it - and it looks like this would be a separate service anyways - so nothing necessarily "inside" identityserver - right? |
I can't confirm now if its feasible to make it as separate service (I need dig deeper), but from structure point of view wouldn't be great to have all endpoints acting as STS exist in single service? also that might save some roundtrips. In all cases, I won't take more of your time, the message is delivered. and thanks again for all what you did in IT security domain. |
Since you are asking for that feature, what would be your use case? |
I came across UMA, while I was trying to find secure and standard way to embed/integrate users permissions for enterprise SPA. As we know, OIDC & OAuth2 methodology of securing APIs using roles scope, resource scopes and defining few access claims for user, is primitive and limited, in which it only define one/single level of access control, in addition to the fact that OIDC & OAuth2 ignored common and critical essence of user experience where user permissions can be used to hide all UI sections that the user can't interact with. Because of that limitation, most people be forced to use what's being provided by OIDC and OAuth2 even it hurt user experience by:
Also security experts defended OIDC & OAuth2 by saying that user access is implementation details that can't be standardized as it depend on company vision and project requirements. (I agree but that's not solution, as UMA introduced 2 endpoints to manage user permissions without limitation or drawbacks, every OIDC & OAuth2 provider should implement it as resolution for above limitations). Until UMA get embedded or integrated with idsrv3, I have 2 options:
ex: in lookup table: 03 could mean export reports.etc.,
I hope the use case interest you. |
a) I still don't get why UMA must be part of identityserver? it seems to me like a standalone "permission service" where the endpoints are secured by an access token from an authorization server. b) my understanding was that UMA - UM being User-Managed - is more for consumer / self-service style applications - but you want to target an "enterprise SPA". So my question still stands - an UMA server sounds to me like something separate to the authorization server - deliberately. Why do you think it must be embedded. Or IOW - if you would write a UMA server - what would we need to change to be able to integrate with yo (or rather vice versa)? |
and btw - I am not trying to criticize you - I am just trying to understand more about UMA and its use cases. |
I am trying to understand what is UMA and found this online https://docs.kantarainitiative.org/uma/rec-uma-core.html User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control ...... |
I didn't feel being criticized, but part of me regret the fact of highlighting UMA because I was not planing to invest time digging into details (even it sound selfish). Nonetheless I can't ignore or run away from something I started. OK, I did my homework (took 4 hours including this post drafting):
|
Cool - thanks for the write-up. We are actively thinking about ways to improve the fine grained authorization story - but never came across something compelling. Nor did we have the time. I will leave this open. |
I don't think it's good idea to support UMA on identity server.
|
I personally do not believe that Identity Server should be doing Registration. That should be up to separate projects / clients; to go back to your decoupled architecture comment. |
The registration endpoint is coming from the OpenId's RFC : http://openid.net/specs/openid-connect-registration-1_0.html. It needs to be implemented by the Authorization Server to pass the latest OpenId certification "OP dynamic" : http://openid.net/certification/ |
|
|
I take back what I said about the Registration endpoint. I've just glanced over that spec for registration. What if you have a Client "Admin" area where you create Registration accounts and it's not "Allow Anonymous"; how will that work? I am assuming there will be no issues? |
if i've correctly understood your question, you've a client (a website) that wants to restrict the access to the "admin" page based on the resource owner's roles, is-it correct ? |
Yeah, so it's controlled primarily through Client configurations via Scopes + Roles. I figured that. The page acts like the login page. |
The UMA specification has been implemented on my personnal project (ASP.NET CORE). The source code can be found here : "https://github.com/thabart/SimpleIdentityServer/tree/master/SimpleIdentityServer/src/SimpleIdServer.Uma.*". Unfortunately there's no documentation, but it can easily be linked to IdentityServer or mine by updating the AppSettings.json file. There's also a UI to help developers to protect their resources : http://g.recordit.co/Gsqqu6uq58.gif |
We can probably close this one here, since IS3 is not longer in active development. // @leastprivilege |
Any plans for supporting User-Managed Access (UMA) standard?
ref:
https://docs.kantarainitiative.org/uma/rec-uma-core.html
The text was updated successfully, but these errors were encountered: