...
NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
Steve
Alec
Non-voting participants:
Regrets:
...
Marked up UMA spec: UMA telecon 2022-10-20
Last discussion: UMA telecon 2022-10-27
Goal: existing OAuth clients are able to get access tokens, the RS/AS are using UMA
UMA concepts to keep:
AS is a gatekeeper for multiple RSs
alternative, each RS is also an AS (requires client registrations to each RS)
alternative, API gateway in front of many RSs, client has some API-key
UMA Fedz, language to talk about resources and scope (fine-grained authZ, ability to have scopes with appropriate resources/endpoint boundaries)
RS first flow challenges
URL sharing (RO->RqP)
haven’t seen OAuth software that follows www-authenticate responses
another option (depending on whether the RS is accessed through a browser or directly) is to have the RS be the client to the AS
Client <> AS to Client <> RS <> AS
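What the RS-first flow asks of a client, in code: follow the UMA WWW-Authenticate challenge to the AS, trade the ticket for an RPT, and handle a need_info reply. This is an added example, not code from the WG or any UMA implementation; the challenge, JSON shapes and function names are constructed here following the UMA 2.0 Grant spec.

```python
import re
from urllib.parse import urlencode

# Constructed sample challenge in the shape the UMA 2.0 Grant spec gives for an
# RS-first request that arrives without an RPT (values are made up here).
SAMPLE_CHALLENGE = ('UMA realm="example", as_uri="https://as.example.com", '
                    'ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"')

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
_PARAM_RE = re.compile(r'([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_uma_challenge(header):
    """Return the auth-params of a UMA WWW-Authenticate challenge, or None.

    None means the RS did not issue a usable UMA challenge (plain Bearer, or a
    malformed one), so the client should keep its ordinary OAuth behaviour."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "uma":
        return None
    found = {k: (tok or quoted) for k, quoted, tok in _PARAM_RE.findall(params)}
    if not found.get("as_uri") or not found.get("ticket"):
        return None  # both are required before the client can approach the AS
    return found


def discovery_url(as_uri):
    """Where the client fetches AS metadata (token_endpoint etc.) per UMA 2.0."""
    return as_uri.rstrip("/") + "/.well-known/uma2-configuration"


def build_rpt_request(ticket, claim_token=None, claim_token_format=None, pct=None):
    """Form body for POST token_endpoint that trades the ticket for an RPT."""
    body = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
    if claim_token:  # pushed claims, e.g. an ID token for the RqP
        body["claim_token"] = claim_token
        body["claim_token_format"] = claim_token_format
    if pct:  # persisted claims token from an earlier grant
        body["pct"] = pct
    return urlencode(body)


def next_step(token_response):
    """Classify the AS reply: ('rpt', token), ('retry', new_ticket) or ('denied', err)."""
    if "access_token" in token_response:
        return ("rpt", token_response["access_token"])
    if token_response.get("error") == "need_info":
        return ("retry", token_response["ticket"])  # gather claims, then retry
    return ("denied", token_response.get("error", "unknown"))
```

The None fallback in parse_uma_challenge is the point raised above: a stock OAuth client that never inspects the challenge can only ever take that branch.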
AS first flows
resource discovery & selection, not part of the client/AS protocol
RO shares URL of AS (with some ticket/scope attached)
RO can create these URLs through interaction with the AS
Client has a scope of type they can request, RqP selects resources at the AS through interactive claims gathering
https://en.wikipedia.org/wiki/Macaroons_(computer_science) could be used at an AS for RO policy definition and limiting of RqP access
AOB
December schedule:
planning to cancel the Dec 22 and Dec 29 meetings
could we have a technical companion to the Julie Use-case? It would show a specific deployment/integration architecture and how those components map to UMA roles and configuration. Could compare to an OAuth only solution
Potential Future Work Items / Meeting Topics
...