4 Comments
Michael Schwartz

Great article! I agree that UMA is ready to serve! UMA is still in both the Gluu Server and also in the upstream open source Janssen Server, see https://jans.io. The best docs we have are from Gluu 4: https://gluu.org/docs/gluu-server/4.5/admin-guide/uma/

Also, see the current Janssen Auth Server OpenAPI docs, for example for version 1.8: https://gluu.org/swagger-ui/?url=https://raw.githubusercontent.com/JanssenProject/jans/v1.8.0/jans-auth-server/docs/swagger.yaml#/UMA_(User_Managed_Access) . There you'll see endpoints for claims gathering, RPT token requests, and configuration.

BTW, perhaps another way to look at UMA: a front channel transaction token.

Eve Maler

Thanks for weighing in, Mike! Great references here. And interesting idea about being a kind of transaction token.

Adrian Gropper, MD

Thanks for this post, Eve, and for pointing out the MSFT and MIT perspective. That said, I think that addressing the problems of agency through identity is a bad idea and already failing with things like mobile driver's licenses and other real-world attempts to scale digital identity even before agents come into the picture.

Digital agents are just actors without biometrics.

The problem with differentiating humans from their agents is that it restricts the agency of the human. That can lead to a basic human rights problem. We can't just wish away the problem of accountability based on biometric uniqueness (e.g.: a notary public's countersignature and log) by creating ever more complex "bowtie" diagrams in UMA.

Agents are delegates of biometric humans and others, including corporations and other agents. Some agents (e.g. spouses, licensed physicians or attorneys) are biometric humans. Practical agency always depends on attenuated delegation and sometimes depends on biometric accountability as well.

Your post ignores current standards like GNAP that have moved beyond OAuth 2 to fix some delegated authorization problems using RAR while leaving identity mostly out of scope. I really don't care whether UMA and GNAP get along, but I do much prefer IETF to other SDOs.

Let's try to fix this together. MCP and A2A are too important, and OAuth is clearly inadequate to their task. The HIE of One demo continues to explore human agency in the real-world context of a patient using a private personal AI agent as well as the less private frontier LLMs. Physicians are already participants in a group chat with the patient and the various AIs that are replacing the patient's Dr. Google. The physician now has to delegate some of her work to digital agents of her own. None of this is hypothetical. Only the robust conversations and standards are missing.

Eve Maler

Hi Adrian, thanks for commenting. It sounds like we basically agree, partaking, as we are, in the “robust conversations” and contributing to the “standards”. I’m not sure I agree, though, that “addressing the problems of agency through identity is a bad idea”. In law, technical protocols, and even human interactions, it’s best to understand what part everyone is playing. That usually means identifying/distinguishing them as a baseline. Just a thought.
