Secure UMA
PingAM supports the User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization. As a UMA authorization server, AM grants consent to a requesting party on behalf of a resource owner and authorizes access to the owner's data.
If you implement UMA, secure that implementation in the following ways:
- Configure mTLS authentication to the datastores that house UMA-related information. Learn more in mTLS for UMA stores.
- Protect against confusable characters in usernames. Because AM grants access to a requesting party, it is important to be sure that the requesting party is the intended one. In some cases, confusable characters from different Unicode scripts can mean that access is shared with the wrong party. For example, `bobb𝝲` and `bobby` might appear to be the same requesting party, and a user could inadvertently share their data with the wrong person. To mitigate this risk, enable the Warn on confusable characters in username property in the UMA configuration.