UMA Dev telecon 2016-07-06
Date and Time
- Alternate Wednesdays 10am PT / 1pm ET / 6pm UK / 7pm CET
- Voice: Skype: +99051000000481 / US +1-805-309-2350 / international lines / web interface, code 178-2540#
- Screen sharing: http://join.me/findthomas – NOTE: do not use the join.me dial-in line
Calendar: http://kantarainitiative.org/confluence/display/umadev/Calendar
Agenda
- Group needs a co- or vice-chair
- Also vote in Maciej as UMA WG liaison for completeness
- Review the existing Implementations page and move it over
- What about cataloguing "book resources" as well?
- AOB
Minutes
oxD test tool
Gluu has developed a test tool that includes a simple API, with one endpoint and multiple scopes and a basic UX, that is just enough to test UMA's standardized functions (such as "Did the revocation of a scope really take away the client's ability to use that scope?") without getting into testing nonstandardized aspects. You can see the UX and API at their wiki page. This is something we discussed back at IIW 18: Since the API that an RS presents to the client can be anything, testing interop/conformance is difficult (for OAuth as well as UMA).
Next they anticipate getting developer feedback. PHP, node.js and Ruby are done, Python is in progress, and others such as .NET and C# are not yet done.
Colin notes that monetizing test harnesses is a real possibility. First we are keen to facilitate adoption! "Convenience APIs" and "happy flows" are the kind of thing that promote good developer experience.
Reminder: The free version of oxD has a limit of 2 transactions/second and has a "commercial open source" software license.
oxD was modeled on shibd.
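The scope-revocation check mentioned above ("Did the revocation of a scope really take away the client's ability to use that scope?") is the kind of standardized behaviour a test harness can exercise without caring what the RS API looks like. The following is an added example, not oxD or any Gluu code: an in-memory stand-in for the authorization server answers RPT introspection in the UMA 1.0 shape (assumed here: active flag plus a permissions list of resource_set_id, scopes, exp), and a minimal resource server with one endpoint and several scopes decides per request by introspecting the RPT. The resource set id, scope names and the 403-with-ticket denial shape are constructed for illustration.

```python
"""Does revoking a scope really remove the client's ability to use it?
Added example (not oxD); the AS is an in-memory stand-in, all ids constructed.
"""
import secrets
import time

RESOURCE_SET_ID = "rs-photos-001"    # constructed, hypothetical resource set
SCOPES = {"view", "edit", "delete"}  # one endpoint, several scopes


class InMemoryAuthorizationServer:
    """Stand-in AS: holds issued RPTs and the permissions granted to each.
    Assumption: introspection returns the UMA 1.0 shape
    {"active": bool, "permissions": [{"resource_set_id", "scopes", "exp"}]}."""

    def __init__(self):
        self._rpts = {}       # rpt -> list of permission dicts
        self._tickets = set()

    def issue_rpt(self, resource_set_id, scopes, ttl=3600):
        rpt = secrets.token_urlsafe(24)
        self._rpts[rpt] = [{"resource_set_id": resource_set_id,
                            "scopes": set(scopes),
                            "exp": int(time.time()) + ttl}]
        return rpt

    def revoke_scope(self, rpt, resource_set_id, scope):
        # Narrow an existing grant: the RPT stays valid, one scope disappears.
        for perm in self._rpts.get(rpt, []):
            if perm["resource_set_id"] == resource_set_id:
                perm["scopes"].discard(scope)

    def revoke_rpt(self, rpt):
        self._rpts.pop(rpt, None)

    def introspect(self, rpt, now=None):
        now = int(time.time()) if now is None else now
        perms = [p for p in self._rpts.get(rpt, []) if p["exp"] > now]
        if not perms:
            return {"active": False}
        return {"active": True,
                "permissions": [{"resource_set_id": p["resource_set_id"],
                                 "scopes": sorted(p["scopes"]),
                                 "exp": p["exp"]} for p in perms]}

    def register_permission_ticket(self, resource_set_id, scopes):
        ticket = secrets.token_urlsafe(16)
        self._tickets.add(ticket)
        return ticket


class ResourceServer:
    """Single-endpoint RS that enforces scopes by introspecting the RPT."""

    def __init__(self, authz_server):
        self.authz = authz_server

    def handle(self, rpt, scope, now=None):
        """Return (http_status, body) for a request that needs `scope`.
        Denials carry a freshly registered permission ticket (403 + ticket
        in the body, the UMA 1.0 convention) so the client can return to the AS."""
        if scope not in SCOPES:
            return 400, {"error": "unknown_scope"}
        info = self.authz.introspect(rpt, now) if rpt else {"active": False}
        granted = set()
        if info.get("active"):
            for perm in info["permissions"]:
                if perm["resource_set_id"] == RESOURCE_SET_ID:
                    granted.update(perm["scopes"])
        if scope in granted:
            return 200, {"ok": True, "scope": scope}
        ticket = self.authz.register_permission_ticket(RESOURCE_SET_ID, [scope])
        return 403, {"ticket": ticket}


def revocation_check():
    """The conformance check itself: 'edit' works before revocation and is
    refused after it, while 'view' is untouched and a never-granted scope
    is refused throughout. Returns the four HTTP statuses in that order."""
    authz = InMemoryAuthorizationServer()
    rs = ResourceServer(authz)
    rpt = authz.issue_rpt(RESOURCE_SET_ID, ["view", "edit"])
    before = rs.handle(rpt, "edit")[0]
    authz.revoke_scope(rpt, RESOURCE_SET_ID, "edit")
    after = rs.handle(rpt, "edit")[0]
    still_view = rs.handle(rpt, "view")[0]
    never_delete = rs.handle(rpt, "delete")[0]
    return [before, after, still_view, never_delete]


if __name__ == "__main__":
    print(revocation_check())  # [200, 403, 200, 403]
```

The point of driving the check through introspection rather than a cached decision is that a harness can also catch the failure mode where an RS keeps honouring a scope it has already been told was revoked; the same shape covers RPT expiry and whole-token revocation by varying `now` or calling `revoke_rpt`.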
API security use cases
To date, Gluu has mostly seen UMA adoption for SCIM protection, where the client credential is private key-based. Mike sees this as a sort of SiteMinder equivalent. The only choices in his product for SCIM protection are UMA and test mode.
We discussed the disconnect people have been bringing up around OAuth vs. the kind of access management needed in enterprise API security, where there's no pure ?? way to reference the end user of the client. Mike mentioned the idea of Gluu working on a Kong UMA gateway by the end of the summer. This would be a little similar to the ForgeRock Identity Gateway's "UMA Protector" component.
Implementations page
For our questionnaire, when it comes to "UMAnizing" an API, it's worth asking a sub-question: What deployment model (gateway, library, custom code, agent)? They roughly break down into "outside" and "inside". We could ultimately write up some short pieces on the wiki about the pros and cons in the UMA context, if warranted.
Eve quickly made this skeleton page. Maciej will need to flesh it out.
Attendees
- Eve
- Mike
- Yuriy
- Colin
- Sal
Regrets:
- Marcos