UMA telecon 2023-01-05
UMA telecon 2023-01-05
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in:Â https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details:Â https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
Approve minutes since UMA telecon 2022-06-30
2023 planning & discussion
Leadership elections
FAPI and UMA next steps. OAuth compatible UMA version
AOB
Attendees
NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
Alec
Steve
Non-voting participants:
Hanfei
Scott
Domenico
Regrets:
Â
Quorum: No
Â
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29 , UMA telecon 2022-10-06 , UMA telecon 2022-10-13 , UMA telecon 2022-10-20 , UMA telecon 2022-10-27 , UMA telecon 2022-11-03 , UMA telecon 2022-11-10 , UMA telecon 2022-11-24 , UMA telecon 2022-12-01 , UMA telecon 2022-12-08 , UMA telecon 2022-12-15
Deferred - no quorum
Topics
Â
2023 planning & discussion
Â
For identos, using UMA in healthcare (hospital and provincial). Looking for how to promote UMA within the US healthcare, how it fits within the sequoia/onc/carin/direct trust
Health: direct trust federated identity gateway aligned with UMA requirements/spec.
Healthcare + Finance, many consumers with data relationships. Desire to empower self-service vs staff managed sharing + access.
UMA + FAPI, still believes UMA works with FAPI, however, making UMA directly compatible with OAuth/OIDC makes this trivial/obvious.
Â
Consumer in the driver's seat → bring your own app.
How do trust registry and BYOA concepts work together? eg UDAP requires clients to have attestation
Â
What about Verifiable Credentials? starting to feel an inflection point
eIDAS, user-carried credentials able to be presented? New regulation may lead to FAPI/VC requirements
mDL, showed VC alignment for web presentation using the openid4vc. Not clear how UMA works with mDL
Â
Can we get an update from UK Pensions Dashboard?
Â
Tentative 2023 roadmap:
120 A financial use-case report (following the Julie healthcare template)
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
127 Open Banking Report → requires more research, determine use case
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh
Â
UMA leadership elections upcoming
Â
Â
FAPI and UMA next steps - OAuth compatible UMA version
FAPI Working Group - OpenID Foundation Â
Marked up UMA spec: UMA telecon 2022-10-20
Last discussion:UMA telecon 2022-10-27 , UMA telecon 2022-12-08
Â
Â
AOB
Â
Â
Â
Potential Future Work Items / Meeting Topics
20 Confluence clean up, archive old items and promote the latest & greatest
10 UMA glossary – Steve has startedÂ
100 FAPI Review (FAPI + UMA)Â
scope: how the FAPI work could be applied to UMA ecosystems
review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
120 A financial use-case report (following the Julie healthcare template)
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
127 Open Banking Report → requires more research, determine use case
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh
150 Minor profiling work,
resource scopes → scopesÂ
PAR as dynamic scopes eg fhir query params
policy manager & policy description
110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
use-case, consent as claims (needs_info),
if the client has gathered RqP consent, can it be presented to the AS
the policy to access a resource says "you must have agreed to this TOS/consent"
compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
intersection with ANCR/consent receipt/trust registry work in other Kantara groups
170 UMA + Verifiable Credentials
how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
There are openapi specs for VC formats
Could UMA protect a VC presentation or issuance endpoint?
There's a lot of openid4vc profilesÂ
300 mDL + UMA
scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMAÂ
is there a role for UMA in token fabrication and referencing it as the RS?
600 Review of the email-poc correlated authorization specification
500 UMA + GNAP https://oauth.xyz/specs/Â
would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)Â
will GNAP meet all the UMA outcomes?
UMA 2 playground/sandbox
Upcoming Conferences
Â