User-Managed Access (UMA 2.0) is an OAuth-based access management protocol standard for managing authorization to resources. It's the main security standard used by the security framework to control accessibility and permissions to datasets. Since the scope of the project requires policy enforced access to resources, access management is a crucial aspect to consider. It is important to properly identify Data Stewards (Data Managers) who can manage permissions to their resources and define who can access their resources (Data Consumers). UMA is a protocol that enables this kind of management, by giving users responsible for managing data the ability to regulate access. These resources may be anything from AIRR-seq data sets, a study, or even a whole iReceptor Plus repository.
Each piece of data to protect must be related to a resource on the Authorization Server. When trying to access a resource there are two possible ways of doing it:
By default, a user has access to nothing. When a resource owner gives a user access to a resource, a new permission will be created, connecting a resource with a user.
security researcher Keycloak framework repository | | | | | OpenID Connect authentication | |--- (1) --------->| | | | OpenID Connect token | | |<-- (1) ----------| | | | | | | | no RPT token | | | |--- (2) -------------------->| | | |Request permissions | | |<-- (3) --| | | |Permissions ticket | | |--- (3) ->| | | permissions ticket | | |<-- (4) ---------------------| | | permissions ticket, OIDC token | |--- (5) --------->| | | | validation | | | | +-- (6) -->| | | | +-- (6) -->| | | | RPT token | | | |<-- (7) ----------| | | | | | | | RPT token | | | |--- (8) -------------------->| | | |RPT introspection | | |<-- (9) --| | | |RPT metadata | | |--- (9) ->| | | | | validation | | | |<- (9) -+ | | | |<- (9) -+ | | | | forwarded request | | |--- (10) --> | | | | resource(s) | | | |<-- (10) --- | | resource(s) | | | |<-- (11) --------------------| | | | | |
To see UMA in action, check out How to use a secured API: Authorization
Resources are the representation of what needs to be protected by the authorization service. When a resource is requested to the Resource Server, the server transforms/drills down the requested entity to match the resources on Keycloak, allowing the comparison between them.
When a user tries to access a given resource, the client will send a request to the Resource Server without any Authorization token. The Resource Server will then process the respective resource name and query the Authorization Server for a ticket representing the access to said resource. The ticket is returned to the client.
When it receives a ticket, the client will send a request to the Authorization Server, which will assess whether the user has permission to access the resource. If the user has access, an RPT is issued with the permission for the requested resource. If the user doesn't have access, an unauthorized response is sent, and the resource owner is notified of the request attempt and can opt to allow or deny the access to that resource to the requesting user. If the resource owner allows access to the resource, the next time the user requests the same resource, an RPT will be issued allowing said access.
When successfully issued with an RPT token, the user repeats the request from “Ticket request”, only this time the RPT token will be sent as Bearer. When the Resource Server receives a request with the RPT it will query the Authorization Server for its introspection and will, once again, check the RPT permission field against the data field that relates to the resource representation and, if it matches, the data will be returned.