UMA telecon 2023-01-26

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since https://kantara.atlassian.net/wiki/spaces/uma/pages/134512641

• Julie Use-case, move from draft to v1

• IDPro knowledge base / general UMA articles - discuss updates

• Pensions Dashboard Use-case report

• AOB

Attendees

• NOTE: As of Sept 15, 2022, quorum is 4 of 6. (Peter, Sal, Alec, Eve, Steve, Sophia)

• Voting:

  • Peter

  • Alec

  • Sal

• Non-voting participants:

  • Hanfei

• Regrets:

  • Steve

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of https://kantara.atlassian.net/wiki/spaces/uma/pages/134512641 https://kantara.atlassian.net/wiki/spaces/uma/pages/137462845

• Deferred - no quorum

Topics

Julie Use-case, move from draft to v1

Alec’s going to publish a v1 and upload the PDF to our confluence page

Pensions Dashboard / Open Banking Use-case report, initial discussion

Draft will be worked on here:

UK Pensions is separate from openbanking in general, however, it’s in the same financial vertical and shows a real UMA application

IDPro knowledge base / general UMA articles

AOB

How could an app be an RS or AS, universal links starts to help with this issue however there are other considerations e.g. the client requests must originate from the same device/browser, otherwise, it’s routed to the single backend server and not the user’s installed app

Could we profile or create an IG around using notice & consent receipts with an UMA AS, e.g. to present terms and purposes to be accepted by the RqP/RO. This comes back to having a defined language for policy vs leaving it open to the AS

is hosting a workshop tomorrow (Jan 27) about transparency performance indicators and how they can be related to a controller credential, something that people make

Potential Future Work Items / Meeting Topics

Tentative 2023 roadmap:

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh:

• UMA simple value explainers, business and technical ‘marketing’

Full list:

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

Upcoming Conferences