UMA telecon 2023-01-12

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• Pensions Dashboard / Open Banking Use-case report, initial discussion

• Leadership elections

• AOB

Attendees

• NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)

• Voting:

  • Alec

  • Sal

  • Steve

• Non-voting participants:

  • Hanfei

• Regrets:

  •  

Quorum: Yes

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29 , UMA telecon 2022-10-06 , UMA telecon 2022-10-13 , UMA telecon 2022-10-20 , UMA telecon 2022-10-27 , UMA telecon 2022-11-03 , UMA telecon 2022-11-10 , UMA telecon 2022-11-24 , UMA telecon 2022-12-01 , UMA telecon 2022-12-08 , UMA telecon 2022-12-15 , UMA telecon 2023-01-05

• Alec moves to approve, Sal and Steve 2nd and 3rd it! Motion Passes!!

Topics

Pensions Dashboard / Open Banking Use-case report, initial discussion

Draft will be worked on here: https://kantara.atlassian.net/wiki/spaces/uma/pages/135659525

Goals:

• show UMA being used for a financial section use-case

• UMA implementation and applications

• UMA value add to this solution

• keep it under 10 pages

Audience? Technical or not? Let’s keep it general/accessible and then put technical information into the appendix

Should we follow the TOC of Julie Adam’s use case?

1. Why Read This Report

2. Intro to use case and data-sharing implication/challenges that need to be addressed

• individuals have a pension managed by each company they work for, companies have pension partners that manage it for them

3. The Nuts and BOLTS of Policy and How It Impacts Julie’s Journey – need to look into the UK landscape and what BOLTS are relevant here

• sharing or PI during find, the finding of advisors

•  

4. Overview of the Pensions Dashboard solution + how it uses UMA

• pension provider registration, dashboard registration, user and advisor identity

• find pensions (not uma), pension registration (uma fedz), pension management + delegation (@the uma as), pension viewing (Uma grant)

• not happy paths

5. UMA vs OAuth – what UMA enabled, why UMA

• multiple RSs, federated RSs, delegation/RqP/resource-sharing, self-management of access policy, clients stay unaware of authorization/policy

• it’s not OIDC or identity federation, it’s data access

• without getting too technically deep!

6. Conclusion, extension to openbanking + other use cases, comparison to other places

Appendix A: Kantara + pensions dashboards programme relationship (About This Report and the Standards Mentioned)

Appendix B: References/ Bibliography
Appendix C+: as needed if we want to get into tech/other details

Pension Dashboard/Viewer (many, B2C) *- Pension Authorization Service (1 operated by Gov?, G2C) 1-* Pension Providers (B2B, B2C)

Alec will email the Pensions Dashboard folks to inform them of our intention.

UMA leadership elections upcoming

Sal nominates Alec to stay in the chair role. Sal nominates Steve to remain in the Vice-Chair role

Hearing no objection. Passes by Acclamation!

AOB

• NIST 800-63 rev 4 draft is out: https://csrc.nist.gov/publications/detail/sp/800-63/4/draft

  • Kantara + Better ID Coalition info session coming up on the Jan 24th

  • Will have it on our Agenda sometime in Feb, once we’ve had some time to read and digest

Potential Future Work Items / Meeting Topics

Tentative 2023 roadmap:

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh

Full list:

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

Upcoming Conferences