UMA telecon 2022-10-27

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• FAPI and UMA next steps. OAuth compatible UMA version

• AOB

Attendees

• NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

• Voting:

  • Alec

  • Sal

• Non-voting participants:

  • Chris

• Regrets:

  • Steve

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29 , UMA telecon 2022-10-06 , UMA telecon 2022-10-13 , UMA telecon 2022-10-20

• Deferred - no quorum

Topics

FAPI and UMA next steps - OAuth compatible UMA version

https://fapi.openid.net/ 

UMA isn’t just additional to OAuth, but also changes defined functionality:

• request/response names (scope / ticket, claims_redirect_uri) → creates need to change oauth libraries or create uma custom tech stacks

• well defines AuthZ steps, the multi-step possibilities of ticket/correlation handles makes the flows extremely variable (eg can have 3 token calls, followed by claims gathering).

To address those concerns, is it possible to create an intermediary spec that is OAuth compliant?

OAuth <> OAuth compliant UMA <> Full UMA

What’s the minimum viable UMA features set: needs_info, RqP role, claims_pushing, RS first flows

What could be removed: PCT, request_submitted, ticket(!)

Token endpoint, still need a new grant type for claims pushing, maybe renamed from uma-ticket to uma or uma-claims. There is no OAuth grant_type for this today

• pro: OAuth BW compatibility

• pro: maintain RqP separation, needs_info and claims pushing

• con: no multi-step authZ (no ticket as correlation handle)

  • no pushing claims in multiple steps, no pushing claims + interactive gathering

  • no need/ less value of PCT

  • could be addressed by unique transactional scope created by AS? some challenges here..

• possible: remove PCT and request_submitted. Features that are less 'used' even by UMA impls? Reduce scope for reader/implementer

• neutral: client can stay ignorant of authZ details since its’ returned the scopes to ask for

Pushed Claims Case:

1. client requests resource, gets www-authenticate with scope string

2. client requests token, gets need_info with options (push or gather) and scope string (maybe changed)

3. client requests token with claims, gets RPT (or needs_info again?)

4. client requests resource with RPT

Gathering Use Case

1. client requests resource, gets www-authenticate with scope string

2. client requests token, gets need_info with options (push or gather) and scope string (maybe changed)

3. client does authorization code flow with AS (/authorize → /callback)

4. client requests token with code, gets RPT

5. client requests resource with RPT

Next steps:

• Can we see this side by side with oauth

• what are the implications to UMA Fedz

• Draft UMA-lite spec text

Policy Descriptions

AOB

Potential Future Work Items / Meeting Topics

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • either open banking or pensions dashboard

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• IDPro knowledge base articles

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

• IIW 35,  November 15 - 17