
User-Managed Access

Category: Cyber Security Standards

User-Managed Access (UMA) 2.0 is a family of standards that defines how a client application, acting on behalf of a requesting party, obtains a permission ticket from a Resource Server and exchanges it at an Authorization Server for an OAuth 2.0 token in order to access protected web resources.

Specifications

Permission Management

Permission Scoping for Third-party Access

The UMA 2.0 specifications define an OAuth 2.0 extension grant that enables party-to-party authorization, rather than authorizing the client application alone. They also let a resource owner configure an Authorization Server with authorization grant rules (policy conditions) at will, rather than authorizing access token issuance synchronously just after the client application has authenticated.

In response to the client application's tokenless resource request, the Resource Server obtains a permission ticket from the Authorization Server; the client application then presents that ticket to the Authorization Server when requesting an access token. The Authorization Server may redirect the requesting party to its claims interaction endpoint for claims gathering.

UMA 2.0 also defines a means for an Authorization Server and Resource Servers to be loosely coupled. The Authorization Server exposes a Protection API that multiple Resource Servers use to place web resources under protection and maintain them on behalf of the resource owner, and to request access permissions on behalf of the client application.
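The exchange described above, as an added example that is not part of the original page: an in-memory model of the three parties, in which the Resource Server registers a resource through the Protection API, answers a tokenless request with a permission ticket, the client exchanges the ticket at the token endpoint (the UMA grant type `urn:ietf:params:oauth:grant-type:uma-ticket`) and is either sent to claims gathering (`need_info`) or granted a token that the Resource Server introspects before serving. The issuer URL, realm, paths, scope names and the owner's policy are constructed sample values, and the policy language (required claim values per scope) is an assumption for illustration; real deployments authenticate the Resource Server with a protection API token, which is omitted here.

```python
import secrets
import time

# Constructed model of a UMA 2.0 exchange (example code, not from any implementation).
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TICKET_TTL = 60  # seconds; permission tickets are short-lived and single-use


class AuthorizationServer:
    def __init__(self, issuer):
        self.issuer = issuer
        self.resources = {}  # resource_id -> {"owner", "name", "scopes"}
        self.policies = {}   # resource_id -> {scope: {claim: required value}}
        self.tickets = {}    # permission ticket -> {"rid", "scopes", "exp"}
        self.rpts = {}       # requesting party token -> {"rid", "scopes"}

    # Protection API, resource registration (called by the Resource Server).
    def register_resource(self, owner, name, scopes):
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes)}
        return rid

    # The resource owner sets policy at will, independent of any pending request.
    def set_policy(self, owner, rid, scope, required_claims):
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies.setdefault(rid, {})[scope] = dict(required_claims)

    # Protection API, permission endpoint: the RS asks for a ticket on the client's behalf.
    def permission_endpoint(self, rid, scopes):
        if not set(scopes) <= self.resources[rid]["scopes"]:
            raise ValueError("requested scope not registered for this resource")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"rid": rid, "scopes": set(scopes), "exp": time.time() + TICKET_TTL}
        return ticket

    # Token endpoint, UMA grant: the client trades the ticket (plus claims) for an RPT.
    def token_endpoint(self, grant_type, ticket, claims=None):
        if grant_type != UMA_GRANT:
            return {"error": "unsupported_grant_type"}
        perm = self.tickets.pop(ticket, None)  # a ticket is consumed on first use
        if perm is None or perm["exp"] < time.time():
            return {"error": "invalid_grant"}
        claims = claims or {}
        missing = set()
        for scope in perm["scopes"]:
            for claim, wanted in self.policies.get(perm["rid"], {}).get(scope, {}).items():
                if claims.get(claim) != wanted:
                    missing.add(claim)
        if missing:
            # Policy not yet satisfied: issue a fresh ticket and direct the client to
            # send the requesting party to the claims interaction endpoint.
            fresh = self.permission_endpoint(perm["rid"], perm["scopes"])
            return {"error": "need_info", "ticket": fresh, "redirect_user": True,
                    "claims_interaction_endpoint": self.issuer + "/rqp_claims",
                    "required_claims": sorted(missing)}
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"rid": perm["rid"], "scopes": perm["scopes"]}
        return {"access_token": rpt, "token_type": "Bearer"}

    # Protection API, token introspection: the RS validates an RPT before serving.
    def introspect(self, rpt):
        grant = self.rpts.get(rpt)
        return {"active": False} if grant is None else {"active": True, **grant}


class ResourceServer:
    def __init__(self, as_server, realm):
        self.as_server, self.realm, self.paths = as_server, realm, {}  # path -> resource_id

    def protect(self, owner, path, scopes):
        self.paths[path] = self.as_server.register_resource(owner, path, scopes)
        return self.paths[path]

    def handle_get(self, path, rpt=None):
        rid = self.paths[path]
        if rpt is not None:
            info = self.as_server.introspect(rpt)
            if info["active"] and info["rid"] == rid and "view" in info["scopes"]:
                return 200, {}, f"contents of {path}"
        # Tokenless (or insufficient) request: fetch a ticket and challenge the client.
        ticket = self.as_server.permission_endpoint(rid, ["view"])
        challenge = f'UMA realm="{self.realm}", as_uri="{self.as_server.issuer}", ticket="{ticket}"'
        return 401, {"WWW-Authenticate": challenge}, ""


def parse_uma_challenge(header):
    """Extract as_uri and ticket from a 'WWW-Authenticate: UMA ...' header value."""
    scheme, _, params = header.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    kv = dict(p.strip().split("=", 1) for p in params.split(","))
    return kv["as_uri"].strip('"'), kv["ticket"].strip('"')


def client_fetch(rs, as_registry, path, claims=None):
    """Requesting-party client: tokenless GET, then ticket -> RPT -> retry with the RPT."""
    status, headers, body = rs.handle_get(path)
    if status != 401:
        return status, body
    as_uri, ticket = parse_uma_challenge(headers["WWW-Authenticate"])
    token_resp = as_registry[as_uri].token_endpoint(UMA_GRANT, ticket, claims)
    if "error" in token_resp:
        return 403, token_resp  # e.g. need_info: requesting party must supply claims
    status, _, body = rs.handle_get(path, rpt=token_resp["access_token"])
    return status, body


def demo():
    as_server = AuthorizationServer("https://as.example.test")
    rs = ResourceServer(as_server, "photos")
    rid = rs.protect("alice", "/photos/holiday", ["view", "edit"])
    as_server.set_policy("alice", rid, "view", {"email_verified": True, "group": "family"})
    registry = {as_server.issuer: as_server}
    anonymous = client_fetch(rs, registry, "/photos/holiday")
    bob = client_fetch(rs, registry, "/photos/holiday",
                       claims={"email_verified": True, "group": "family"})
    return anonymous, bob
```

Running `demo()` shows both outcomes: the first client, carrying no claims, is stopped at the token endpoint with `need_info` and a fresh ticket, while the second, whose claims satisfy the owner's policy, receives an RPT and the resource. The single-use, short-lived ticket and the introspection step before serving are the two checks a Resource Server must not skip.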
