User-Managed Access

  • Michael Schwartz
  • Maciej Machulak


Today, you use OAuth 2.0 to authorize software to access your own stuff, but what if you want to let someone else access your stuff? We call this "Alice to Bob sharing". This is one of the primary use cases for the User-Managed Access (UMA) protocol. Alice and Bob don't have to be humans—either can be a non-person entity (NPE), such as a software process or company. With UMA, Alice can use any authorization server to share data with Bob. It's up to Bob, and the clients he is using, to interact with the authorization servers of Alice's choosing. Moreover, Alice can choose to use the same authorization server for different protected information that she wants to share with Bob—the data can be distributed, yet access to it can be centralized with UMA. An interesting property of UMA is that it also handles asynchronous authorization. For example, Bob may request access to something, and Alice may not approve the request until she's online. Likewise, Alice can create a policy at the authorization server that grants Bob access to some data—she does not have to be online for access to be granted.

Copyright information

© Michael Schwartz, Maciej Machulak 2018

Authors and Affiliations

  • Michael Schwartz, Austin, USA
  • Maciej Machulak, London, UK
