UMA telecon 2023-07-13

Date and Time

• Every other Thursday @ 1:00ET/10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since https://kantara.atlassian.net/wiki/spaces/uma/pages/134512641

• Check-in, Pensions Dashboard Use-case report

• Federated Authorization Only (no grant) use cases

• How could we use funding from Kantara?

• AOB

Attendees

• NOTE: As of Sept 15, 2022, quorum is 4 of 6. (Peter, Sal, Alec, Eve, Steve, Sophia)

• Voting:

  • Steve

  • Alec

  • Peter

  • Sal

• Non-voting participants:

  • Nancy

• Regrets:

  •  

Quorum: Yes

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of https://kantara.atlassian.net/wiki/spaces/uma/pages/134512641 https://kantara.atlassian.net/wiki/spaces/uma/pages/137462845 , , , , , , , , , , , , , ,

• Alec motions to approve the minutes, Steve seconds.

• Motion passes

Topics

Pensions Dashboard Use-case report

Draft will be worked on here:

• could we add a section that extends this pattern to other areas (eg Healthcare HIEs as a record locator)

Please update the mailing list when your action item is complete!

Federated Authorization Only (no UAM Grant) use cases

Cross-agency data sharing, health to DMV.

Person is trying to apply to the DMV, Person has previously done an evaluation with their Health Care Provider which is stored in a Health DB, available via API.

ACME runs a shared Identity Provider and AS(UMA) for individuals, where both Health and DMV are clients of this identity service.

ACME provides different subjects to each clients, so it’s difficult for those organizations to determine who the individual is by the identifier.

ACME -(subjectA)-> OrgA
ACME -(subjectB)-> OrgB
Person1 is both subjectA and subjectB

OrgB has information about Person1 that OrgA would like to request

New linking subject approach (custom):

OrgA -(request identifier in OrgB namespace)-> AMCE -(subjectC mapped to Person1)-> OrgA

UMA approach:

OrgB -(login request w/ Person1 w/ uma_protection scope)-> ACME (authenticates Person1) -(PAT with subjectB)-> OrgB

OrgB -(register UMA resource for subjectB’s PAT)-> ACME -(resource id X)-> OrgB

* OrgB -(personalized resource location /patient/randomid)-> Person1

…later

* Person1 -(personalized resource location)-> OrgA
* these steps put the onus on the end-user to transfer this URL

OrgA -(login request w/ Person1 w/ ??? scope)-> ACME -(access token, resource id X)-> OrgA
OrgA -(data request (for resourceidX) w/ access token)-> OrgB -(introspection what PAT?)-> ACME → (resource id X + scopes)-> OrgB -(subjectBs information)-> Org A

• instead of having the Person get a URL from OrgB and give it to OrgA, could the AS give OrgA the resourceid based on a scope?

• what is the actual information being disclosed? does it matter?

How could we use funding from Kantara?

AOB

• mDL ISO-7 has an OIDC profile that we should investigate, specifically, there are some out-of-scope items

• Consent in Healthcare, people want to know more about UMA, how can we facilitate a session around this, or gather some input for what people want to know

  • could we get a HL7 steam of work/connectathon going? under an existing work group?

  • Stewards of Change has a consent working session with a group that is potentially ready to engage

  • do we need to bring content to them? or have them join a call with us where this is the one topic?

  • It’s very early days even for federated identity, let alone authorization…

• Alec will remove Sophia from voting status after this call, due to their lack of attendance

• We will cancel the July 27th call, our next call with be Aug 10th where we will review the Pension Dashboard report

•  

Potential Future Work Items / Meeting Topics

Tentative 2023 roadmap:

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh:

• UMA simple value explainers, business and technical ‘marketing’

Full list:

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?

    • https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf

  • 127 Open Banking Report → requires more research, determine use case

    • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 130 IDPro knowledge base articles

• 140 Wikipedia article refresh

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

Upcoming Conferences