Enable users to grant access to their UMA Resources per access attempt

By: Andreea Corici user 14 Sep 2022 at 8:10 a.m. CDT

3 Responses
Andreea Corici gravatar
My project mGov4EU (https://www.mgov4.eu/) includes in the architecture the 3 parties: user-accessed RP App, the data provider and the Authorization Server(Gluu). The user is the data owner to which the UMA resource relates. Up until now provisioning of UMA resources, retrieving UMA ticket and UMA RPT token were successful. Currently one of the RPT policies returns true all the time. The plan is to empower users to grant access to their UMA Resources per access attempt in case of a third party access. In the simple version, the user can be asked if he wants to retrieve the consent token as data owner. Here one could add claims like name and family name in the request to retrieve the RPT and also define a RPT policy script to check that the UMA resource is associated with the respective user claims. Here there is a missing link between the UMA resource and the user information. I was thinking of using SCIM to add a custom attribute for each UMA resource. What do you think about it. Are activities in the gluu community enabling similar usecases (either the general one with 3rdparty access and offline data owner agreement or the simple one with data owner accessing its own data). Also important is to enable the data owner user to track the access attempts or even accept and reject per attempt. This is why we are looking into the consent management plugin from CASA. Can you please tell me how to trigger the consent management plugin to ask the user about the access attempt. Until now I only got the log output that there are no authorization sessions to be listed.
Gluu 4.4 Ubuntu 20.04
closed

Answers

By Davin Cooke staff 14 Sep 2022 at 8:37 a.m. CDT

Copy
Davin Cooke gravatar
Hi Andreea - this is looks like an interesting project we'd like to learn more about. I'll send an email to setup a call but we can certainly answer these questions in this ticket too. I'll have our team respond.

By Michael Schwartz Account Admin 04 Nov 2022 at 9:32 a.m. CDT

Copy
Michael Schwartz gravatar
I wonder if you're trying to do too much with the RPT token. Remember, RPT is backchannel (i.e. the UMA token endpoint). You would have more flexibility interacting with the end user if you used the claims gathering flow, which has it's own script. You don't need SCIM, because in oxAuth you can connect to the underlying database. You only need a SCIM extension for UMA resources if you have a third party application that needs to manage UMA resources for the person. If you want to schedule a call to whiteboard, we can try to help you think this through. I would also suggest that you create a sequence diagram using https://sequencediagram.org and post the source here. Without a sequence diagram, it's really impossible to know that you have consensus on a solution. BTW, UMA has tepid adoption, so the support team is not well versed in configuration and customization of these flows. I'll take over this issue for now. But so you are fore warned, it's a little outside the scope of community support.

By Michael Schwartz Account Admin 12 Nov 2022 at 4:17 p.m. CST

Copy
Michael Schwartz gravatar
Closing for inactivity.

Post an answer