UMA telecon 2013-06-06

Date and Time

Agenda

Minutes

Action item review

Done. See that page for details.

Spec issues review and resolution

Issue 79: no comments right now.

Issue 81:

AI: Thomas: Implement issue 81. (Part of his standing AIs.)

Issue 82: George muses: If the AAT is just a standard OAuth 2 token (which is true), it can be revoked, it can be invalidated, etc. We believe that this proposal constitutes an interesting OpenID Connect-, LOA-, and authn context-friendly profile that inserts itself at the AAT juncture (which, as the "head" of the requesting party and client authentication chain, seems appropriate). Gluu's use case is related to enterprise needs – thus the "initial AAT issuance through web services", i.e., silently since the human resource owner agent doesn't have the right to withhold consent to claims-sharing, as this is simply part of their employment contract.

OpenID Connect has some global optional parameters to represent some light authentication context, e.g., to handle LOA. Gluu's proposed solution is finer-grained. The UMA AS and the requesting party's IdP/AP would need to establish trust at the AAT level in order to start to gather authentication context (outside of the claims system) as well as any claims. Domenico's older banking use-case work did have an element of LOA in it. Eve likes that the AAT's tuple doesn't correlate with the RS, and the RS is kept properly out of the policy-assessing equation.

AI: Domenico will share the links to his most recent UX exploration that include LOA types of considerations.

AI: Eve: Ask Mike Schwartz to consider turning the Dynamic Re-Auth of RP proposal into a true UMA profile, referencing the advice in our spec, so that we can begin to catalogue it with others on our wiki (with no favoritism of profiles implied).


RS=C optimization opportunities

Attendees

Next Meetings