UMA telecon 2022-12-08
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
Approve minutes since UMA telecon 2022-06-30
Kantara AGM
FAPI and UMA next steps. OAuth compatible UMA version
AOB
Attendees
NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
Steve
Alec
Non-voting participants:
Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08, UMA telecon 2022-09-15, UMA telecon 2022-09-22, UMA telecon 2022-09-29, UMA telecon 2022-10-06, UMA telecon 2022-10-13, UMA telecon 2022-10-20, UMA telecon 2022-10-27, UMA telecon 2022-11-03, UMA telecon 2022-11-10, UMA telecon 2022-11-24, UMA telecon 2022-12-01
Deferred - no quorum
Topics
UMA leadership elections upcoming
FAPI and UMA next steps - OAuth compatible UMA version
Marked up UMA spec: UMA telecon 2022-10-20
Last discussion: UMA telecon 2022-10-27
Goal: existing OAuth clients are able to get access tokens, the RS/AS are using UMA
UMA concepts to keep:
AS is a gatekeeper for multiple RSs
alternative, each RS is also an AS (requires client registrations to each RS)
alternative, API gateway in front of many RSs, client has some API-key
UMA FedAuthz, language to talk about resources and scopes (fine-grained authZ, ability to have scopes with appropriate resource/endpoint boundaries)
RS first flow challenges
URL sharing (RO->RqP)
haven't seen OAuth client software that follows WWW-Authenticate responses (the 401 + challenge that points the client at the AS)
another option (depending if the RS is accessed through a browser or directly) is have the RS be the client to the AS
Client <> AS to Client <> RS <> AS
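The RS-first flow discussed above, as an added example that is not part of the minutes or of any UMA implementation: the RS answers an unauthorized request with a 401 carrying the UMA challenge (as_uri and ticket), an UMA-aware client follows that challenge to the AS and retries with the RPT, while a plain OAuth client stops at the 401. The AS, RS and client are simulated as functions in one file; the AS URI, resource id and policy decision ("allow") are constructed for the illustration.

```python
"""RS-first UMA 2.0 flow in miniature: RS, AS and client are plain functions
so the exchange can be stepped through offline. Added illustration; the
endpoints and identifiers below are constructed, not a real deployment."""
import re
import secrets
from typing import Optional

AS_URI = "https://as.example.com"          # constructed
TRUSTED_AS = {AS_URI}                      # AS(es) this client is willing to talk to
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# --- Authorization server (simulated; policy evaluation stubbed to "allow") ---
_tickets: dict = {}   # permission ticket -> requested permission
_rpts: dict = {}      # RPT -> granted permission

def as_register_permission(resource_id: str, scopes: list) -> str:
    """Permission endpoint: the RS registers the attempted access and gets a
    single-use permission ticket back."""
    ticket = secrets.token_urlsafe(16)
    _tickets[ticket] = {"resource_id": resource_id, "scopes": list(scopes)}
    return ticket

def as_token_endpoint(grant_type: str, ticket: str) -> Optional[str]:
    """Token endpoint: exchanges a valid ticket for an RPT, or returns None."""
    if grant_type != UMA_TICKET_GRANT:
        return None
    perm = _tickets.pop(ticket, None)       # tickets are single-use
    if perm is None:
        return None
    rpt = secrets.token_urlsafe(16)
    _rpts[rpt] = perm
    return rpt

# --- Resource server ---
def build_uma_challenge(as_uri: str, ticket: str, realm: str = "example") -> str:
    """WWW-Authenticate value an UMA RS sends with HTTP 401 (UMA 2.0 Grant, 3.2.1)."""
    return f'UMA realm="{realm}", as_uri="{as_uri}", ticket="{ticket}"'

def rs_handle(authorization: Optional[str], resource_id: str, scope: str):
    """Returns (status, headers, body). With no or an insufficient RPT the RS
    registers the attempted permission at the AS and answers 401 + challenge."""
    if authorization and authorization.startswith("Bearer "):
        perm = _rpts.get(authorization[len("Bearer "):])
        if perm and perm["resource_id"] == resource_id and scope in perm["scopes"]:
            return 200, {}, f"contents of {resource_id}"
    ticket = as_register_permission(resource_id, [scope])
    return 401, {"WWW-Authenticate": build_uma_challenge(AS_URI, ticket)}, ""

# --- Client ---
_PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_uma_challenge(header_value: str) -> Optional[dict]:
    """Parse a single WWW-Authenticate challenge; None unless it is an UMA
    challenge carrying both as_uri and ticket (a Bearer challenge gives None)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "uma":
        return None
    parsed = dict(_PARAM_RE.findall(params))
    if "as_uri" not in parsed or "ticket" not in parsed:
        return None
    return parsed

def client_fetch(resource_id: str, scope: str, uma_aware: bool = True):
    """Returns (status, body). A plain OAuth client stops at the 401; an
    UMA-aware client follows the challenge to the AS and retries with the RPT,
    but only if as_uri names an AS it already trusts (no blind redirection)."""
    status, headers, body = rs_handle(None, resource_id, scope)
    if status != 401 or not uma_aware:
        return status, body
    challenge = parse_uma_challenge(headers.get("WWW-Authenticate", ""))
    if challenge is None or challenge["as_uri"] not in TRUSTED_AS:
        return status, body
    rpt = as_token_endpoint(UMA_TICKET_GRANT, challenge["ticket"])
    if rpt is None:
        return status, body
    status, _, body = rs_handle(f"Bearer {rpt}", resource_id, scope)
    return status, body

if __name__ == "__main__":
    print(client_fetch("patient-record-42", "view", uma_aware=False))  # stops at 401
    print(client_fetch("patient-record-42", "view"))                   # 200 after RPT
```

The `TRUSTED_AS` check is the part worth keeping in a real client: the challenge tells the client where the AS is, but a client should only present tickets to an AS it was already configured to trust.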
AS first flows
resource discovery & selection, not part of the client/AS protocol
RO shares URL of AS (with some ticket/scope attached)
RO can create these URLs through interaction with the AS
Client has a scope of type they can request, RqP selects resources at the AS through interactive claims gathering
https://en.wikipedia.org/wiki/Macaroons_(computer_science) could be used at an AS for RO policy definition and limiting of RqP access
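The macaroon idea above, as an added example that is not from the minutes or any UMA or macaroon library: a minimal macaroon (an HMAC chain over first-party caveats) that an AS could mint to express RO policy, which the RO can then narrow before handing it to a RqP. The AS location, resource id, caveat language and root key are constructed for the illustration.

```python
"""Macaroon-style attenuable tokens as a way for an AS to express RO policy
and let the RO narrow what a RqP may do. Added illustration: a minimal
macaroon (HMAC chain over first-party caveats), not a production library."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

@dataclass
class Macaroon:
    location: str              # the AS that can verify it
    identifier: str            # public id; the AS maps it to a root key
    caveats: list = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: str) -> "Macaroon":
        return cls(location, identifier, [], _chain(root_key, identifier))

    def add_first_party_caveat(self, predicate: str) -> "Macaroon":
        """Attenuation: any holder can append a caveat, but none can remove
        one, because the signature is re-keyed through every caveat."""
        self.caveats.append(predicate)
        self.signature = _chain(self.signature, predicate)
        return self

def check_caveat(predicate: str, context: dict) -> bool:
    """Tiny constructed predicate language: 'k = v', 'k in v1,v2', 'k < number'."""
    try:
        key, op, value = predicate.split(" ", 2)
    except ValueError:
        return False
    actual = context.get(key)
    if actual is None:
        return False
    if op == "=":
        return str(actual) == value
    if op == "in":
        return str(actual) in value.split(",")
    if op == "<":
        return float(actual) < float(value)
    return False            # unknown operator: fail closed

def verify(m: Macaroon, root_key: bytes, context: dict) -> bool:
    """Recompute the HMAC chain from the root key, then evaluate every caveat."""
    sig = _chain(root_key, m.identifier)
    for c in m.caveats:
        sig = _chain(sig, c)
    if not hmac.compare_digest(sig, m.signature):
        return False         # tampered caveats or wrong key
    return all(check_caveat(c, context) for c in m.caveats)

# --- How an AS might use this for RO policy (constructed scenario) ---
AS_LOCATION = "https://as.example.com"

def issue_for_requesting_party(root_key, resource_id, scopes, expires_at):
    """RO policy expressed as caveats: which resource, which scopes, until when."""
    m = Macaroon.mint(root_key, AS_LOCATION, f"{resource_id}:{secrets.token_hex(8)}")
    m.add_first_party_caveat(f"resource = {resource_id}")
    m.add_first_party_caveat(f"scope in {','.join(scopes)}")
    m.add_first_party_caveat(f"time < {expires_at}")
    return m

def authorize_request(m, root_key, resource_id, scope, now):
    """AS-side check of a RqP's request against the macaroon it presents."""
    return verify(m, root_key, {"resource": resource_id, "scope": scope, "time": now})

if __name__ == "__main__":
    key = b"constructed-root-key"
    m = issue_for_requesting_party(key, "patient-record-42", ["view", "download"], 2000.0)
    print(authorize_request(m, key, "patient-record-42", "download", now=1000.0))  # True
    m.add_first_party_caveat("scope = view")   # RO narrows before sharing with the RqP
    print(authorize_request(m, key, "patient-record-42", "download", now=1000.0))  # False
```

Verification checks the signature before evaluating caveats, so a holder who strips a caveat (or a verifier with the wrong root key) is rejected without the predicates ever being consulted. Real macaroons add third-party caveats (discharge macaroons), which map naturally onto UMA claims gathering, but that is beyond this sketch.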
AOB
December schedule:
planning to cancel the Dec 22 and 29th meeting
Could we have a technical companion to the Julie use case? It would show a specific deployment/integration architecture and how those components map to UMA roles and configuration. It could also be compared to an OAuth-only solution.
Potential Future Work Items / Meeting Topics
20 Confluence clean up, archive old items and promote the latest & greatest
10 UMA glossary – Steve has started
100 FAPI Review (FAPI + UMA)
scope: how the FAPI work could be applied to UMA ecosystems
review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
120 A financial use-case report (following the Julie healthcare template)
either open banking or pensions dashboard
Open Banking is to FHIR (data model) as FAPI is to SMART on FHIR (authZ protocol profile)
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
170 UMA + Verifiable Credentials
how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
There are openapi specs for VC formats
Could UMA protect a VC presentation or issuance endpoint?
There are a lot of openid4vc profiles
300 mDL + UMA
scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
is there a role for UMA in token fabrication and referencing it as the RS?
600 Review of the email-poc correlated authorization specification
500 UMA + GNAP https://oauth.xyz/specs/
would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
will GNAP meet all the UMA outcomes?
IDPro knowledge base articles
UMA 2 playground/sandbox
150 Minor profiling work
resource scopes → scopes
PAR as dynamic scopes eg fhir query params
policy manager & policy description
110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
use-case: consent as claims (needs_info)
if the client has gathered RqP consent, can it be presented to the AS
the policy to access a resource says "you must have agreed to this TOS/consent"
compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
intersection with ANCR/consent receipt/trust registry work in other Kantara groups
Upcoming Conferences