UMA telecon 2022-09-08

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 (224) 501-3316, Access Code: 485-071-053

  • See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30
• Core UMA content (no use-case)
• FAPI discussion
• AOB

Attendees

• NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
• Voting:
• Non-voting participants:
• Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25

• Deferred - no quorum

Topics

Core UMA content (no use-case)

FAPI discussion

AOB

Potential Future Work Items / Meeting Topics

• 100 FAPI Review (FAPI + UMA) 
  • scope: how the FAPI work could be applied to UMA ecosystems
  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
• 20 Confluence clean up, archive old items and promote the latest & greatest
  • 10 UMA glossary – Steve has started 
• 600 Review of the email-poc correlated authorization specification
  • https://github.com/umalabs/correlated-authorization
  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ
  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ
• 120 A financial use-case report (following the Julie healthcare template)
  • either open banking or pensions dashboard
  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
  • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
• 300 mDL + UMA
  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 
  • is there a role for UMA in token fabrication and referencing it as the RS?
• 500 UMA + GNAP https://oauth.xyz/specs/ 
  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 
  • will GNAP meet all the UMA outcomes?
• 170 UMA + Verifiable Credentials
  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
  • There are openapi specs for VC formats
  • Could UMA protect a VC presentation or issuance endpoint?
  • There's a lot of openid4vc profiles 
• IDPro knowledge base articles
• UMA 2 playground/sandbox
  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/
• 150 Minor profiling work,
  • resource scopes → scopes 
  • PAR as dynamic scopes eg fhir query params
  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
    • use-case, consent as claims (needs_info),
      • if the client has gathered RqP consent, can it be presented to the AS
      • the policy to access a resource says "you must have agreed to this TOS/consent"
      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

• IIW 35,  November 15 - 17