First, for those of you who don't know, OAuth 2.0 is an authorization framework that lets a person authorize one web service to access their resources held at another web service. For example, a user can allow a photo printing service to access their photos on Flickr without handing over their Flickr password.
UMA (User-Managed Access) takes the OAuth concept a step further and moves the authorization server to a third party that acts on behalf of the individual. By doing this, UMA takes authorization, which OAuth frames from the resource's perspective, and turns the authorization server into a consent server for users. That's pretty cool. So far, we've not had a good inter-site model for handling consent.
In a typical OAuth 2 deployment the authorization server and the resource server are run by the same party: the user consents at Flickr, and Flickr both records that consent and enforces access. UMA separates the two. The user's consent and policy live at an authorization server the user chooses, and the resource server (e.g. Flickr) only enforces the access decisions that server hands back.
Aside from the benefits Eve describes, here are a couple more things I like about the UMA proposal.
- UMA recognizes that a user's information lives in many places on the Internet, not just at a single identity provider (IdP) or OpenID Provider (OP).
- It supports a federated (multi-domain) model for user authorization that current enterprise policy systems, built for a single administrative domain, don't offer.
- It cleanly separates the question of user consent from the resource server's own access control policy.
- It becomes possible to handle consent when the individual is offline: the user sets policy at the authorization server ahead of time, and the server evaluates it whenever a request arrives.
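To make the separation concrete, here is an added example (not code from the original post, and not any UMA implementation) that simulates the model in a few dozen lines of Python. It goes a little beyond the post by following the shape of the UMA grant flow: the resource server answers a token-less request with a permission ticket, the requesting party redeems the ticket at the third-party authorization server for a requesting party token (RPT), and the resource server introspects that token before serving the resource. The names (Alice, "printshop", "mallory", "album-1"), the in-memory stores, the 60-second ticket lifetime and the lack of any network or signatures are all assumptions made for the illustration.

```python
import secrets
import time


class AuthorizationServer:
    """Third-party UMA-style authorization server chosen by the resource owner.

    Holds the owner's consent as policy and evaluates it on demand, so the owner
    need not be online when a requesting party shows up. The resource server never
    sees the policy, only token decisions.
    """

    TICKET_TTL = 60  # assumed lifetime of a permission ticket, in seconds

    def __init__(self):
        self.policies = {}  # resource_id -> {requesting_party: set(scopes)}
        self.tickets = {}   # ticket -> (resource_id, frozenset(scopes), expires_at)
        self.rpts = {}      # rpt -> (resource_id, frozenset(scopes), requesting_party)

    def set_policy(self, resource_id, requesting_party, scopes):
        """Resource owner records consent up front and can then go offline."""
        self.policies.setdefault(resource_id, {})[requesting_party] = set(scopes)

    def issue_permission_ticket(self, resource_id, scopes):
        """Called by the resource server when a request arrives without a token."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, frozenset(scopes), time.time() + self.TICKET_TTL)
        return ticket

    def token(self, ticket, requesting_party):
        """Requesting party redeems a ticket. Returns an RPT, or None if policy denies.

        Tickets are single use and bound to the resource and scopes the RS asked about,
        so a ticket obtained for one request cannot be redeemed for a broader one.
        """
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        resource_id, scopes, expires_at = entry
        if time.time() > expires_at:
            return None
        allowed = self.policies.get(resource_id, {}).get(requesting_party, set())
        if not scopes <= allowed:
            return None
        rpt = secrets.token_urlsafe(32)
        self.rpts[rpt] = (resource_id, scopes, requesting_party)
        return rpt

    def introspect(self, rpt):
        """Resource server asks what an RPT grants. None means unknown or invalid."""
        entry = self.rpts.get(rpt)
        if entry is None:
            return None
        resource_id, scopes, requesting_party = entry
        return {"resource_id": resource_id, "scopes": set(scopes), "requesting_party": requesting_party}


class ResourceServer:
    """Host of the data (the photo site). It enforces access but does not decide it."""

    def __init__(self, authz):
        self.authz = authz
        self.resources = {}  # resource_id -> (owner, content)

    def register(self, owner, resource_id, content):
        self.resources[resource_id] = (owner, content)

    def get(self, resource_id, scope, rpt=None):
        """Return (status, body). A 401 carries a permission ticket for the client."""
        if resource_id not in self.resources:
            return 404, None
        if rpt is None:
            ticket = self.authz.issue_permission_ticket(resource_id, {scope})
            return 401, {"ticket": ticket}
        grant = self.authz.introspect(rpt)
        # The token must be known to our AS and cover this exact resource and scope.
        if grant is None or grant["resource_id"] != resource_id or scope not in grant["scopes"]:
            return 403, None
        return 200, self.resources[resource_id][1]


def run_demo():
    """Constructed scenario: Alice consents once, goes offline, then requests arrive."""
    authz = AuthorizationServer()
    photos = ResourceServer(authz)
    photos.register("alice", "album-1", ["img001.jpg", "img002.jpg"])
    authz.set_policy("album-1", "printshop", {"read"})  # Alice's only online action

    results = {}
    status, body = photos.get("album-1", "read")  # printshop arrives with no token
    results["first_try"] = status                  # 401 plus a ticket
    rpt = authz.token(body["ticket"], "printshop")
    results["printshop_read"] = photos.get("album-1", "read", rpt)[0]
    results["replayed_ticket"] = authz.token(body["ticket"], "printshop")  # single use

    status, body = photos.get("album-1", "read")
    results["mallory_read"] = authz.token(body["ticket"], "mallory")  # no consent recorded

    status, body = photos.get("album-1", "write")
    results["printshop_write"] = authz.token(body["ticket"], "printshop")  # scope not consented

    results["rpt_wrong_scope"] = photos.get("album-1", "write", rpt)[0]  # RPT bound to read
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two things in the simulation are worth noticing. The resource server holds no policy at all; it only knows which authorization server to trust and checks that the token it is handed covers the exact resource and scope being requested. And every decision for the print shop and for Mallory is made after Alice's single `set_policy` call, which is the offline-consent property of the model.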
Will this be useful to the enterprise community? As with OAuth, I think so. This is an evolving space to watch.