UMA telecon 2024-11-07

Date and Time

Every other Thursday @ 1:00ET/10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 346 248 7799, Access Code: 994 8781 4311
- See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

Review AS vulnerability
Plan for vulnerability report + publication

Attendees

NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)
Voting:
- Alec
Non-voting participants:
- Mark Wholey
- Gabrial Corona
- Hanfei
Regrets:

Quorum: No

Meeting Minutes

Topics

Review AS vulnerability

Is this available in OAuth also? Yes, if there is DCR from client → AS.

Condition:

DCR aka client doen’t have static/ahead-of-time knowledge of the AS
phishing, client talks to malicious RS
client has to accept arbitrary URIs
RS has to accept arbitrary AS URIs during RO AS selection

does client have to be malicious? No, client only has to accept arbitrary RS URI

doe the RS have to be malicious? it has to have been told to use malicious AS during resource registration

RqP only has knowledge/trust of Client & RS URI, not of the AS

Mitigations:

static registration at the client of RS & AS
showing user appropriate and complete information when granting consent, only applies to interactive claims
for pushed claims

can we separate protocol issues from operational security issues?

yes & no
user thinks authorizing Legit Client to access to RS 1 but is actually authorizing Malicious AS to access to RS2

What is driving this attack, what is an example scenario?
- e.g. what is the malicious client trying to access?

Action item, frame up an example use-case
- access sensitive health info, taking Medicaid payment, claim and payment steal. get and display legitimate test
- financial use, open banking. access info vs authorize payment

Plan for vulnerability report + publication

TODO:

look at similar attack patterns in OAuth2? malicious/phising client

scope of publication?

idea: full BCP. no it’s too broad and would take a long time
let’s focus on these specific vulnerabilities
- two or one? they are very different, esp the mitigations
- separate but follow similar template/format

template format

description of the vulnerability (general)

frame up “real” scenarios to show motivation → help us test mitigations

how do implementors know if they’re impacted?
what are their mitigation option?

Next call, confirm template for reports and start outlining section

AOB

Tentative 2023 roadmap:

120 A financial use-case report (following the Julie healthcare template)
- openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
- 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
  - Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
  - https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf
- 127 Open Banking Report → requires more research, determine use case
  - Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh: User-Managed Access
UMA simple value explainers, business and technical ‘marketing’
170 UMA + Verifiable Credentials OR UMA and Wallets/User Held Credentials (+ mDL?)
- how does a wallet fulfill both an RS and AS responsibility for a user? How are available resources and attributes understandable by a wide-ecosystem
- how does a local/offline wallet act as an RS if it’s offline?
- how to create true user controlled ecosystem, not a few major wallets…

Full list:

20 Confluence clean up, archive old items and promote the latest & greatest
- 10 UMA glossary – Steve has started
100 FAPI Review (FAPI + UMA)
- scope: how the FAPI work could be applied to UMA ecosystems
- review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
120 A financial use-case report (following the Julie healthcare template)
- openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
- 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case
  - Let’s reach out to some of the involved people eg at Origo or Forgerock. Were there any gaps in UMA they had to work around?
  - https://www.pensionsdashboardsprogramme.org.uk/wp-content/uploads/2022/11/PDP-Technical-standards-Nov-2022.pdf
- 127 Open Banking Report → requires more research, determine use case
  - Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
130 IDPro knowledge base articles
140 Wikipedia article refresh
150 Minor profiling work,
- resource scopes → scopes
- PAR as dynamic scopes eg fhir query params
- policy manager & policy description
- 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
  - use-case, consent as claims (needs_info),
    - if the client has gathered RqP consent, can it be presented to the AS
    - the policy to access a resource says "you must have agreed to this TOS/consent"
    - compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
    - intersection with ANCR/consent receipt/trust registry work in other Kantara groups
170 UMA + Verifiable Credentials OR UMA and Wallets/User Held Credentials
- how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
- There are openapi specs for VC formats
- Could UMA protect a VC presentation or issuance endpoint?
- There's a lot of openid4vc profiles
300 mDL + UMA
- scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
- is there a role for UMA in token fabrication and referencing it as the RS?
600 Review of the email-poc correlated authorization specification
500 UMA + GNAP Interaction
- would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
- will GNAP meet all the UMA outcomes?
UMA 2 playground/sandbox
- eg OAuth 2.0 Playground , OAuth 2.0 Playground

WG - User Managed Access

UMA telecon 2024-11-07

UMA telecon 2024-11-07

Date and Time

Agenda

Attendees

Quorum: No

Meeting Minutes

Topics

Review AS vulnerability

Plan for vulnerability report + publication

AOB

Upcoming Conferences