1. Alice tells Taxmonkey.com that access to her return should be managed by copmonkey.com (or some other UMA Access Manager). There's presumably one and only one Access Manager (AM) for her tax data.
Alice goes through an IRS-sanctioned, 7216-compliant Opt-In protocol to enable access for qualifying services, such as financial aid and loan issuers. Alice also tells Bob (a Financial Aid administrator at UCLA) where to get her tax return.
2. When Alice configures her Taxmonkey.com preferences like this, Taxmonkey.com discovers the URLs to drive the mechanics of the UMA protocol with her chosen Access Manager (AM).
[@@TBS: More granular description needs to be prepared that explains how Taxmonkey.com discovers interfaces at copmonkey.com; what it needs to discover, whether it copmonkey.com supports the kinds of controls that are required for the types of resources hosted at Taxmonkey.com, etc. Also, the manner in which Alice passes introductions to Bob needs to be described.]
3. Bob, the Financial Aid administrator at UCLA, connects to Taxmonkey.com, and Taxmonkey.com redirects him to copmonkey.com.
4. Bob presents a collection of information to copmonkey.com that allows the AM to verify that the Requester is a party that complies with the policies and preferences expressed by Alice.
[@@TBS: This is where a "Claims Required" dialog needs to be presented. A process that verifies that Bob is really Bob, and that he's operating as a Financial Aid Administrator at UCLA, and that the "root" of these claims can be verified by copmonkey.com. If Bob asserts identity purely through an email exchange or via OpenID, it's not yet clear that it will satisfy requirements from the IRS, or that a reasonable person would want to allow access to financially sensitive information based on claims or attributes provided in OpenID. The ID-Assurance WG would seem to have something to say here; there may be a need for Level of Assurance N, where N is appropriate to the resources being served.]
5. If Bob meets the access criteria by providing claims appropriate for the resources, the AM issues a token, and Bob passes this in each request to Taxmonkey.com to retrieve data from Alice's tax return.
6. Taxmonkey.com may, at its discretion, call back to the AM to "punch the ticket" that Bob presented before granting access. This might be to further validate Bob's access, to verify Bob's identity, to track access requests at the AM, and/or to prevent Bob from accessing this data more than once.
[@@ The discovery process needs to provide the location of the Back-Channel interfaces at the AM. ]
7. Sometime later, Alice is able to login to the AM and review the kinds of access that Bob has and make changes if appropriate. She may decide that after she gets the financial aid package that Bob no longer needs access, and then turn his access off. If several other entities have access to Alice's tax data, she can review that access and adjust it at any time.
[@@ This isn't really a protocol function, but it seems like a functional requirement for the AM. From one AM to the next, the presentation ought to be clear enough that Mom can use it constructively and not be misled. ]
There could be a few discovery processes in this case:
- The Host determines that the AM operates in a manner consistent with the handling of tax information (maybe that it will require several forms of identification and authentication) before granting access to the resources
- The AM discovers the methods or resources on the Host that require highest protection and policy controls. It might be that for most daa (name, address, phone, etc.) the access policy is no more than a baseline set. However, when the Requester attempts to access my salary, list of bank accounts,and my taxpayer ID number, a higher degree of policy enforcement is required.
- The Requester, Bob, needs to know what claims he needs to provide in order to conduct the work that Alice specified. It may be that these are Alice's requirements and preferences, or they may be implicitly described in the requirements from the IRS and other tax agencies.
I've assumed that copmonkey.com knows that Bob will access resources classified at Level "High" and that anyone presenting a token certified at this level can access resources classified at Level "Low" - copmonkey.com arranges things to avoid situations where Bob will have to come back for another round of access negotiation to work with taxmonkey.com.
Some portions of this flow seem to suggest that there are some AMs that are best suited for certain purposes. It might be that the AM for hData operates with terms, support, and
Apects of this reminded me of George Fletcher's ideas and ideas from the hData scenario, but I've not yet done the transformation on those ideas into this case. I'll read them through and apply them if I can.
Does this scenario really illustrate the "extras" that UMA may need to provide beyond what OAuth provides? Or is there some way to achieve this within OAuth that I missed? Ideally, all problems should have simple solutions and we don't need to invent.
I hope this is helpful!
-tom
_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
Folks,
Here's a scenario that might help illustrate some issues that our meetings last week motivated (at least they mootivated me).
- How does UMA handle highly restrictive information, where requirements come from the user and from other agencies?
- How does UMA handle dynamic configurations between Hosts and AMs?
- How does the Requester know what they need to provide to the AM in order to properly assert their credentials (and satisfy requirements from the 1st question)?
These seem like uniquely UMA concerns that don't yet seem to be present in OAuth 1.0a or WRAP (at least as I read them).
There seem to be cases where the Host needs to know whether the AM supports specific kinds of access policies and Opt-In procedures, the AM needs to discover aspects of the Host, and the Requester needs to discover what they need to deliver to properly assert their identity.
Consider IRS Rule 7216, that specifies the requirements that tax preparers should meet in order to access tax return information for any purpose other than filing taxes.
Currently, there are products available to meet the use case of providing data for access to financial aid, but consider how it might be conducted in UMA:
Alice's daughter is starting college at UCLA in the fall. The financial aid department needs a copy (or an extract) of Alice's tax return to determine eligibility for financial aid. UMA might be applied like this (skipping lots of error handling and HTTP-level details):
1. Alice tells Taxmonkey.com that access to her return should be managed by copmonkey.com (or some other UMA Access Manager). There's presumably one and only one Access Manager (AM) for her tax data.
Alice goes through an IRS-sanctioned, 7216-compliant Opt-In protocol to enable access for qualifying services, such as financial aid and loan issuers. Alice also tells Bob (a Financial Aid administrator at UCLA) where to get her tax return.
2. When Alice configures her Taxmonkey.com preferences like this, Taxmonkey.com discovers the URLs to drive the mechanics of the UMA protocol with her chosen Access Manager (AM).
[@@TBS: More granular description needs to be prepared that explains how Taxmonkey.com discovers interfaces at copmonkey.com; what it needs to discover, whether it copmonkey.com supports the kinds of controls that are required for the types of resources hosted at Taxmonkey.com, etc. Also, the manner in which Alice passes introductions to Bob needs to be described.]
3. Bob, the Financial Aid administrator at UCLA, connects to Taxmonkey.com, and Taxmonkey.com redirects him to copmonkey.com.
4. Bob presents a collection of information to copmonkey.com that allows the AM to verify that the Requester is a party that complies with the policies and preferences expressed by Alice.
[@@TBS: This is where a "Claims Required" dialog needs to be presented. A process that verifies that Bob is really Bob, and that he's operating as a Financial Aid Administrator at UCLA, and that the "root" of these claims can be verified by copmonkey.com. If Bob asserts identity purely through an email exchange or via OpenID, it's not yet clear that it will satisfy requirements from the IRS, or that a reasonable person would want to allow access to financially sensitive information based on claims or attributes provided in OpenID. The ID-Assurance WG would seem to have something to say here; there may be a need for Level of Assurance N, where N is appropriate to the resources being served.]
5. If Bob meets the access criteria by providing claims appropriate for the resources, the AM issues a token, and Bob passes this in each request to Taxmonkey.com to retrieve data from Alice's tax return.
6. Taxmonkey.com may, at its discretion, call back to the AM to "punch the ticket" that Bob presented before granting access. This might be to further validate Bob's access, to verify Bob's identity, to track access requests at the AM, and/or to prevent Bob from accessing this data more than once.
[@@ The discovery process needs to provide the location of the Back-Channel interfaces at the AM. ]
7. Sometime later, Alice is able to login to the AM and review the kinds of access that Bob has and make changes if appropriate. She may decide that after she gets the financial aid package that Bob no longer needs access, and then turn his access off. If several other entities have access to Alice's tax data, she can review that access and adjust it at any time.
[@@ This isn't really a protocol function, but it seems like a functional requirement for the AM. From one AM to the next, the presentation ought to be clear enough that Mom can use it constructively and not be misled. ]
There could be a few discovery processes in this case:
- The Host determines that the AM operates in a manner consistent with the handling of tax information (maybe that it will require several forms of identification and authentication) before granting access to the resources
- The AM discovers the methods or resources on the Host that require highest protection and policy controls. It might be that for most daa (name, address, phone, etc.) the access policy is no more than a baseline set. However, when the Requester attempts to access my salary, list of bank accounts,and my taxpayer ID number, a higher degree of policy enforcement is required.
- The Requester, Bob, needs to know what claims he needs to provide in order to conduct the work that Alice specified. It may be that these are Alice's requirements and preferences, or they may be implicitly described in the requirements from the IRS and other tax agencies.
I've assumed that copmonkey.com knows that Bob will access resources classified at Level "High" and that anyone presenting a token certified at this level can access resources classified at Level "Low" - copmonkey.com arranges things to avoid situations where Bob will have to come back for another round of access negotiation to work with taxmonkey.com.
Some portions of this flow seem to suggest that there are some AMs that are best suited for certain purposes. It might be that the AM for hData operates with terms, support, and
Apects of this reminded me of George Fletcher's ideas and ideas from the hData scenario, but I've not yet done the transformation on those ideas into this case. I'll read them through and apply them if I can.
Does this scenario really illustrate the "extras" that UMA may need to provide beyond what OAuth provides? Or is there some way to achieve this within OAuth that I missed? Ideally, all problems should have simple solutions and we don't need to invent.
I hope this is helpful!