J. Richer, Ed.
February 15, 2016

Health Relationship Trust Profile for User Managed Access 1.0
openid-heart-uma-1_0

Abstract

The User Managed Access protocol defines a method for an end user to introduce a resource to an authorization server, define a set of policies governing access to that resource, and for a requesting party to provide claims to fulfill those policies in order to gain access to the resource.

This specification profiles the User Managed Access protocol to increase baseline security, provide greater interoperability, and structure deployments in a manner specifically applicable to (but not limited to) the healthcare domain.


Table of Contents

1. Introduction

This document profiles the User Managed Access [UMA] specification for use in the context of securing web-facing application programming interfaces (APIs), particularly Representational State Transfer (RESTful) APIs, in potentially multi-party cross-domain scenarios. Because User Managed Access is built on OAuth 2.0 and OpenID Connect 1.0, this profile inherits all requirements of the HEART profiles for the use of OAuth 2.0 [HEART.OAuth2] and OpenID Connect 1.0 [HEART.OIDC]. All requirements herein are in addition to the OAuth 2.0 and OpenID Connect 1.0 profiles.

1.1. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

All uses of JSON Web Signature (JWS) [RFC7515] and JSON Web Encryption (JWE) [RFC7516] data structures in this specification utilize the JWS Compact Serialization or the JWE Compact Serialization; the JWS JSON Serialization and the JWE JSON Serialization are not used.

1.2. Terminology

This specification uses the terms "Access Token", "Authorization Code", "Authorization Endpoint", "Authorization Grant", "Authorization Server", "Client", "Client Authentication", "Client Identifier", "Client Secret", "Grant Type", "Protected Resource", "Redirection URI", "Refresh Token", "Resource Owner", "Resource Server", "Response Type", and "Token Endpoint" defined by OAuth 2.0 [RFC6749], the terms "Claim Name", "Claim Value", and "JSON Web Token (JWT)" defined by JSON Web Token (JWT) [RFC7519], the terms defined by OpenID Connect Core 1.0 [OpenID.Core], and the terms defined by UMA [UMA].

2. Tokens

Authorization servers MUST support the "bearer" profile of all token categories. All issued tokens (whether AAT, PAT, or RPT) MUST be JSON Web Tokens (JWTs) [RFC7519] signed with JSON Web Signatures (JWS) [RFC7515] using the authorization server's key as described in the HEART OAuth 2.0 [HEART.OAuth2] profile section 4.2.

AATs and PATs MUST be issued using a standard OAuth 2.0 token flow appropriate to the type of application (whether client or protected resource) described in the HEART OAuth 2.0 [HEART.OAuth2] profile.

2.1. Authorization API Token

The AAT MUST at minimum define the following fields inside the JWT and return them from the introspection endpoint. Other fields MAY also be defined.

iss
The issuer URL of the authorization server.
aud
An array containing the URL of the RPT endpoint
sub
The issuer-specific identifier of the user that authorized the AAT.
azp
The client identifier of the authorized client.

2.2. Protection API Token

The PAT MUST at minimum define the following fields inside the JWT and return them from the introspection endpoint. Other fields MAY also be defined.

iss
The issuer URL of the authorization server.
aud
An array containing the URL of the introspection endpoint and the URL of the resource set registration endpoint
sub
The issuer-specific identifier of the user that authorized the PAT.
azp
The client identifier of the protected resource.

2.3. Requesting Party Token

The RPT MUST at minimum define the following fields inside the JWT and return them from the introspection endpoint. Other fields MAY also be defined.

iss
The issuer URL of the authorization server.
aud
An array of resource identifiers where this token can be used.
sub
The issuer-specific identifier of the user that authorized the RPT (the resource owner).
azp
The client identifier of the authorized client.

2.4. Token Lifetimes

It is RECOMMENDED that AATs and PATs have a lifetimes as specified in the HEART OAuth 2.0 [HEART.OAuth2] profile section 4.3 depending on the nature of the client or protected resource they were issued to.

It is RECOMMENDED that RPTs have a lifetime of no greater than one hour.

3. Client Authentication

All clients and protected resources MUST authenticate to the token endpoint using a private key as described in the HEART OAuth 2.0 [HEART.OAuth2] profile section 2.2.

4. Component Registration

All UMA clients MUST register with the authorization server as OAuth clients, as described in the HEART OAuth 2.0 [HEART.OAuth2] profile. Since all UMA resource servers also act as OAuth clients, they MUST also register with the authorization server under the same requirements as regular OAuth clients.

The authorization server MUST allow for dynamic client registration [RFC7591] and dynamic resource set registration [UMA.RSR]. The authorization server MAY prohibit dynamically registered clients and resource sets from requesting specific scopes, as described in the HEART OAuth 2.0 [HEART.OAuth2] profile.

The authorization server MUST indicate to end users that a client or protected resource was dynamically registered in the UI, such as on the policy editing screen presented to the resource owner.

5. Discovery

The authorization server MUST implement the UMA discovery mechanism defined in UMA [UMA] as well as the discovery mechanisms described in the HEART OAuth 2.0 [HEART.OAuth2] profile.

6. Claims Gathering

The authorization server MUST support claims being presented in at least two methods:

When the ID token is presented directly to the RPT endpoint, the authorization server MUST validate the token, including its audience and signature. Since the audience of an ID token is the client's identifier with the IdP, and this client identifier is known only to the client and the IdP, this restriction effectively means that ID tokens can only be presented at the RPT endpoint in the special case when the authorization server is also the IdP.

7. Security Considerations

All transactions MUST be protected in transit by TLS as described in BCP195 [BCP195].

All clients MUST conform to applicable recommendations found in the Security Considerations sections of [RFC6749] and those found in the OAuth 2.0 Threat Model and Security Considerations document [RFC6819].

8. Normative References

[BCP195] Sheffer, Y., Holz, R. and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015.
[HEART.OAuth2] Richer, J., "Health Relationship Trust Profile for OAuth 2.0", February 2016.
[HEART.OIDC] Richer, J., "Health Relationship Trust Profile for OpenID Connect 1.0", February 2016.
[I-D.ietf-oauth-pop-architecture] Hunt, P., Richer, J., Mills, W., Mishra, P. and H. Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture", Internet-Draft draft-ietf-oauth-pop-architecture-07, December 2015.
[OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", August 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, DOI 10.17487/RFC2246, January 1999.
[RFC3986] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.
[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, September 2009.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known Uniform Resource Identifiers (URIs)", RFC 5785, DOI 10.17487/RFC5785, April 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2011.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, October 2012.
[RFC6819] Lodderstedt, T., McGloin, M. and P. Hunt, "OAuth 2.0 Threat Model and Security Considerations", RFC 6819, DOI 10.17487/RFC6819, January 2013.
[RFC7009] Lodderstedt, T., Dronia, S. and M. Scurtescu, "OAuth 2.0 Token Revocation", RFC 7009, DOI 10.17487/RFC7009, August 2013.
[RFC7033] Jones, P., Salgueiro, G., Jones, M. and J. Smarr, "WebFinger", RFC 7033, DOI 10.17487/RFC7033, September 2013.
[RFC7515] Jones, M., Bradley, J. and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015.
[RFC7519] Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.
[RFC7523] Jones, M., Campbell, B. and C. Mortimore, "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7523, DOI 10.17487/RFC7523, May 2015.
[RFC7591] Richer, J., Jones, M., Bradley, J., Machulak, M. and P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", RFC 7591, DOI 10.17487/RFC7591, July 2015.
[RFC7662] Richer, J., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, October 2015.
[UMA] Hardjono, T., "User-Managed Access (UMA) Profile of OAuth 2.0", April 2015.
[UMA.RSR] Hardjono, T., "OAuth 2.0 Resource Set Registration", April 2015.

Appendix A. Acknowledgements

The OpenID Community would like to thank the following people for their contributions to this specification: Dale Moberg, Adrian Gropper, Eve Maler, Danny van Leeuwen, John Moehrke, Aaron Seib, John Bradley, Debbie Bucci, Josh Mandel, and Sarah Squire.

Appendix B. Notices

Copyright (c) 2015 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Appendix C. Document History

-2016-02-15

-2015-12-09

-2015-12-01

-2015-04-23

Author's Address

Justin Richer (editor) EMail: openid@justin.richer.org URI: http://justin.richer.org/