UMA telecon 2022-12-08

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• Kantara AGM

• FAPI and UMA next steps. OAuth compatible UMA version

• AOB

Attendees

• NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)

• Voting:

  • Steve

  • Alec

• Non-voting participants:

  •  

• Regrets:

  •  

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29 , UMA telecon 2022-10-06 , UMA telecon 2022-10-13 , UMA telecon 2022-10-20 , UMA telecon 2022-10-27 , UMA telecon 2022-11-03 , UMA telecon 2022-11-10 , UMA telecon 2022-11-24 , UMA telecon 2022-12-01

• Deferred - no quorum

Topics

UMA leadership elections upcoming

FAPI and UMA next steps - OAuth compatible UMA version

https://fapi.openid.net/ 

Marked up UMA spec: UMA telecon 2022-10-20

Last discussion:UMA telecon 2022-10-27

Goal: existing OAuth clients are able to get access tokens, the RS/AS are using UMA

UMA concepts to keep:

• AS is a gatekeeper for multiple RSs

  • alternative, each RS is also an AS (requires client registrations to each RS)

  • alternative, API gateway in front of many RSs, client has some API-key

• UMA Fedz, language to talk about resources and scope (fine-graned authZ, ability to have scopes with appropriate resources/endpoint boundaries)

RS first flow challenges

• URL sharing (RO->RqP)

• haven’t seen OAuth software that follows www-authenticate responses

• another option (depending if the RS is accessed through a browser or directly) is have the RS be the client to the AS

  • Client <> AS to Client <> RS <> AS

AS first flows

• resource discovery & selection, not part of the client/AS protocol

• RO shares URL of AS (with some ticket/scope attached)

  • RO can create these URLs through interaction with the AS

  • Client has a scope of type they can request, RqP selects resources at the AS through interactive claims gathering

Macaroons (computer science) could be used at an AS for RO policy definition and limiting of RqP access

AOB

• December schedule:

  • planning to cancel the Dec 22 and 29th meeting

• could we have a technical companion to the Julie Use-case? It would show a specific deployment/integration architecture and how those components map to UMA roles and configuration. Could compare to an OAuth only solution

Potential Future Work Items / Meeting Topics

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • either open banking or pensions dashboard

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• IDPro knowledge base articles

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences