UMA telecon 2021-09-02

Date and Time

Agenda

Minutes

Roll call

Quorum was NOT reached.

Approve minutes

Deferred


European Identity Conference

https://www.kuppingercole.com/sessions/4591/1 

UMA content for 15 mins spot: https://docs.google.com/presentation/d/1GdvHFYEPVpWT55nXZtkShCZ8RQC696KJ5oghlHJrnuU/edit#slide=id.g8dc579d6b5_0_528 


Practitioners familiar with OAuth, getting pushed to implement UMA-like flows on their OAuth Authorization Server

  • OAuth vs UMA, what is well solved by each. ← could we add 1 slide to this
  • There was an Identiverse session, Jared Hansen → UMA lite
  • Should we create this content in general for the wiki? We will start getting this from other communities, e.g. SSI
    • UMA + DID/VC


Minimal Interop Profile

To look at the UMA Grant side


Goal: make sure that ASs are interoperable, e.g. one AS can be 'swappable' with other ASs. Understand the 'extras'/vendor-specific values that degrade that interop. As an RS, the more ASs I can support, the wider the ecosystem I can support.


Scope of test

  • 1 AS under test
  • 1 Mock Client test suite
  • 1 Mock IDP for claims pushing

Input to Mock Client Test Suites

  • uma2 well-known
  • permission tickets ← how are they generated
  • claim tokens ← how are they generated
    • acceptable claim token
    • unacceptable claim token


Need to test the variations of the AS interface; however, this requires vendor-specific configuration.

There are far more initial conditions that must be set up at the AS, and the Client validates that the expected result matches what happens:

  1. Have many registered resources
  2. set specific policy settings against registered resources
  3. validate the AS executes the policy(s) correctly


Two Tables

  1. registered resource, specific policy ( pushing + token formats, interaction)
  2. permission ticket, expected flow


Test Setup Phase (Done by the AS operator)

  • pre-create many resources (static or however) 
  • set specific policy determined by the test suite against each resource
  • generating permission tickets for each test case → input to the Mock UMA Client


Test Cases (Table 2)

  • ticket with 1 resource, user interaction, denied
  • ticket with 1 resource, user interaction, rpt granted
  • ticket with 1 resource, claims pushing, denied
  • ticket with 1 resource, claims pushing, rpt granted
  • unknown ticket, result is invalid_grant
  • claims pushing, 3 required_claims, where any 1 pushed results in an RPT
  • claims pushing, 3 required_claims, where all need to be pushed to result in an RPT
  • claims pushing, 3 required_claims, where 2/3 need to be pushed to result in an RPT
  • claims pushing and gathering, 1 required claims and user interaction results in an RPT
  • claims pushing, after pushing claims, then interaction is required, 


needs_info, clarify optiona
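
The setup phase and the Table 2 cases above, sketched as a data-driven suite (an added example, not code from the work group). The `Policy` model, the resource, ticket and claim names and the `mock_as` stand-in are hypothetical; `invalid_grant`, `need_info` and `request_denied` are the UMA 2.0 Grant error codes, and answering an unacceptable claim token with `request_denied` is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                      # hypothetical policy model, not from the UMA specs
    required_claims: tuple = ()
    threshold: int = 0             # how many required claims must be pushed
    interaction: str = "none"      # mock user's answer: "none", "approve", "deny"
CLAIMS = ("email", "role", "org")  # constructed claim names
# Table 1 (constructed): registered resource -> policy set by the AS operator
POLICIES = {
    "res-any": Policy(CLAIMS, 1),
    "res-all": Policy(CLAIMS, 3),
    "res-2of3": Policy(CLAIMS, 2),
    "res-ui-ok": Policy(interaction="approve"),
    "res-ui-deny": Policy(interaction="deny"),
    "res-mixed": Policy(("email",), 1, "approve"),
}
TICKETS = {"tkt-" + name: name for name in POLICIES}  # setup phase: ticket -> resource

def mock_as(ticket, pushed=(), interacted=False, token_ok=True):
    """Stand-in for the AS under test; returns 'rpt' or an UMA grant error code."""
    if ticket not in TICKETS:
        return "invalid_grant"
    policy = POLICIES[TICKETS[ticket]]
    if not token_ok:
        return "request_denied"    # assumption: unacceptable claim token is refused
    enough = len(set(pushed) & set(policy.required_claims)) >= policy.threshold
    if not enough or (policy.interaction != "none" and not interacted):
        return "need_info"         # more claims or user interaction still needed
    return "request_denied" if policy.interaction == "deny" else "rpt"

# Table 2: (ticket, pushed claims, interacted, token_ok, expected result)
CASES = [
    ("tkt-res-ui-deny", (), True, True, "request_denied"),
    ("tkt-res-ui-ok", (), True, True, "rpt"),
    ("tkt-res-any", ("email",), False, False, "request_denied"),
    ("tkt-res-any", ("role",), False, True, "rpt"),
    ("tkt-unknown", (), False, True, "invalid_grant"),
    ("tkt-res-all", ("email", "role"), False, True, "need_info"),
    ("tkt-res-all", CLAIMS, False, True, "rpt"),
    ("tkt-res-2of3", ("org",), False, True, "need_info"),
    ("tkt-res-2of3", ("org", "role"), False, True, "rpt"),
    ("tkt-res-mixed", ("email",), True, True, "rpt"),
    ("tkt-res-mixed", ("email",), False, True, "need_info"),
]

def run_suite(as_under_test=mock_as):
    """Return (case, observed) for every case the AS answers unexpectedly."""
    return [(c, got) for c in CASES if (got := as_under_test(*c[:4])) != c[4]]
```

Passing an adapter for a real AS's token endpoint to `run_suite` in place of `mock_as` reuses the same table as the interop check.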




Relationship Manager - user stories / Discovery


  1. As a Client, I want to be able to declare types I understand, in order to successfully use complex APIs 
  2. As an RS, I want to defer permission ticket creation, in order to a) not have to understand the Client b) not make authZ decisions (tell me don’t make me think)
  3. As an ASO, I want to pre-register Clients, in order to assess their appropriateness, capability and complete non-technical activities
  4. As a Client, I want to pre-register with ASs, in order to a) test my UX and technical integrations b) declare my capabilities



UMA in Wikipedia

Have started an open document with the current English content. Everyone is welcome to suggest and edit, and we can review next week.

https://docs.google.com/document/d/1TbD4ODQOdQkLwHjlpjTQ4lbEPMbky67O8Clrzxejfn8/edit?usp=sharing 




Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  1. Andi
  2. Alec
  3. Domenico
  4. Steve

Non-voting participants:

  1. George
  2. Scott

Regrets:
