Access Control For The People, By The People

UPDATE: we have created a crowdfunding page on

Gluu will be donating time and design to the project, which will include 2 plug-ins: one for OpenID Connect to handle Authentication and one for UMA to handle Authorization – everything you need!

The intent is to donate the code to Kantara Initiative (where the UMA WG lives).

Original post follows:

Recently, Mike Schwartz from Gluu tweeted about this:

OAuth2 Plugin for IIS and Apache: Gluu’s idea for a Siteminder-like plugin for Apache and Like it on LinkedIn !

In case you missed it, it’s a very cool proposition: write an Apache module, mod_uma, to implement the UMA Resource Server functionality for Apache server.

In short, make Apache server resource UMA protectable, under the control of access policies set by the resource owner (you).

UMA’s promise is to create a “digital footprint control console” to allow you to set access policy on your stuff, wherever it lives on the internet, and permit access on your terms, not those of the service provider.

The “Introduction to UMA” Slide deck is here.

Development costs are in the range of US$15,000 (final estimates coming soon) –  I want to make this happen in the coolest way possible. The proposal I’ve made to Eve Maler (UMA) and Mike Schwartz is that if I can raise the funding from a group of individuals, we will be listed in the documentation and in the code itself. Think of it as an investment in a fledgeling technology that will be used by millions of people. It’s also about the only way I can contribute open source code 😉

Does this light a spark for you? I’m looking for $150-$200 per person, no corporate funding just individuals. Think of it as Access Control For The People, By The People.

I floated the idea at the recent Cloud Identity Summit in Napa and from the responses I got, everyone thought it was a pretty cool idea.

Join me!

More about UMA from the UMA Wiki:

User-Managed Access (UMA, pronounced “OOH-mah” like the given name) is an OAuth-based protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates), no matter where all those things live on the web.

UMA allows a user to make demands of the requesting side in order to test their suitability for receiving authorization. These demands can include requests for information (such as “Who are you?” or “Are you over 18?”) and promises (such as “Do you agree to these non-disclosure terms?” or “Can you confirm that your privacy and data portability policies match my requirements?”).

UMA has enterprise implications as well as “user-centric” implications. At least one company has begun using it for coordinating the protection of enterprise APIs in much the way that today’s Web Access Management (WAM) systems protect corporate web apps. As well, since it is a system for distributing authorization responsibilities, UMA has contractual and legal implications.

UMA has the following actors and basic architecture, with entities that closely align with core OAuth entities:

One thought on “Access Control For The People, By The People

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s