UMA telecon 2023-01-05
UMA telecon 2023-01-05
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
Approve minutes since UMA telecon 2022-06-30
2023 planning & discussion
Leadership elections
FAPI and UMA next steps. OAuth compatible UMA version
AOB
Attendees
NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
Alec
Steve
Non-voting participants:
Hanfei
Scott
Domenico
Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29 , UMA telecon 2022-10-06 , UMA telecon 2022-10-13 , UMA telecon 2022-10-20 , UMA telecon 2022-10-27 , UMA telecon 2022-11-03 , UMA telecon 2022-11-10 , UMA telecon 2022-11-24 , UMA telecon 2022-12-01 , UMA telecon 2022-12-08 , UMA telecon 2022-12-15
Deferred - no quorum
Topics
2023 planning & discussion
For identos, using UMA in healthcare (hospital and provincial). Looking for how to promote UMA within the US healthcare, how it fits within the sequoia/onc/carin/direct trust
Health: direct trust federated identity gateway aligned with UMA requirements/spec.
Healthcare + Finance, many consumers with data relationships. Desire to empower self-service vs staff managed sharing + access.
UMA + FAPI, still believes UMA works with FAPI, however, making UMA directly compatible with OAuth/OIDC makes this trivial/obvious.
Consumer in the driver's seat → bring your own app.
How do trust registry and BYOA concepts work together? eg UDAP requires clients to have attestation
What about Verifiable Credentials? starting to feel an inflection point
eIDAS, user-carried credentials able to be presented? New regulation may lead to FAPI/VC requirements
mDL, showed VC alignment for web presentation using the openid4vc. Not clear how UMA works with mDL
Can we get an update from UK Pensions Dashboard?
Tentative 2023 roadmap:
120 A financial use-case report (following the Julie healthcare template)
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
127 Open Banking Report → requires more research, determine use case
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh
UMA leadership elections upcoming
FAPI and UMA next steps - OAuth compatible UMA version
FAPI Working Group - OpenID Foundation
Marked up UMA spec: UMA telecon 2022-10-20
Last discussion:UMA telecon 2022-10-27 , UMA telecon 2022-12-08
AOB
Potential Future Work Items / Meeting Topics
20 Confluence clean up, archive old items and promote the latest & greatest
10 UMA glossary – Steve has started
100 FAPI Review (FAPI + UMA)
scope: how the FAPI work could be applied to UMA ecosystems
review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
120 A financial use-case report (following the Julie healthcare template)
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
127 Open Banking Report → requires more research, determine use case
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh
150 Minor profiling work,
resource scopes → scopes
PAR as dynamic scopes eg fhir query params
policy manager & policy description
110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
use-case, consent as claims (needs_info),
if the client has gathered RqP consent, can it be presented to the AS
the policy to access a resource says "you must have agreed to this TOS/consent"
compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
intersection with ANCR/consent receipt/trust registry work in other Kantara groups
170 UMA + Verifiable Credentials
how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
There are openapi specs for VC formats
Could UMA protect a VC presentation or issuance endpoint?
There's a lot of openid4vc profiles
300 mDL + UMA
scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
is there a role for UMA in token fabrication and referencing it as the RS?
600 Review of the email-poc correlated authorization specification
500 UMA + GNAP https://oauth.xyz/specs/
would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
will GNAP meet all the UMA outcomes?
UMA 2 playground/sandbox