UMA telecon 2022-08-11


Date and Time

Agenda

  • Approve minutes since UMA telecon 2022-06-30
  • UDAP Spec Reviews - client authZ with JWT grant
  • Charter Refresh - vote if quorum
  • AOB

Attendees

  • NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
  • Voting:
    • Sal
    • Alec
    • Peter
    • Steve
    • Eve
    • Domenico
  • Non-voting participants:
    • Zhen/Jen
  • Regrets:

Quorum: Yes


Meeting Minutes


Approve previous meeting minutes

  • Eve moves to approve, Peter seconds. Minutes Approved!

Topics


UDAP Spec Reviews - tiered oauth

https://www.udap.org/udap-client-authorization-grants.html

Why can't OAuth be profiled directly? The UDAP profiles require further profiles to get to an implementable level of specificity.

Some of the examples create new risks, or could lead to new risks, e.g. around end-user identifiers.


Few UMA members have stated interests in working with US health care and UDAP and/or UMA adoption in this space. We don't want UMA to be excluded because of perceived overlap with UDAP.

Do we need to explicitly show how UMA and UDAP can work together, e.g. through some report on the UDAP profiles? What do we want to produce, and if/how do we engage with the UDAP folks?


Charter Refresh

Draft Charter 2022

Eve moves to accept the 2022 charter. Sal seconds. Motion passes!!

Alec will move it in place on our Confluence and inform the LC.



AOB

  • Alec will check the calendar links
  • UMA implementors page: solicit updates from members (e.g. Keycloak → Red Hat)
  • Steve will take a first pass of a list of terms for a glossary
    • prior lexicon here: Lexicon
    • there are some terms defined in the Julie use-case
  • Steve to take a look at updating the specs page (consolidate old/new)
  • Domenico will send the source files for the UMA logo



Potential Future Work Items / Meeting Topics

  • FAPI Review (FAPI + UMA)
  • Confluence clean up, archive old items and promote the latest & greatest
    • UMA glossary
  • Review of the email-poc correlated authorization specification
  • A financial use-case report (following the Julie healthcare template)
    • either open banking or pensions dashboard
    • open banking is to FHIR (data model) as FAPI is to SMART on FHIR (authZ protocol profile)
  • mDL + UMA
  • UMA + GNAP https://oauth.xyz/specs/
    • would we have an UMA GNAP version (e.g. extension of GNAP or UMA? UMAonGNAP)
    • will GNAP meet all the UMA outcomes?
  • IDPro knowledge base articles
  • UMA 2 playground/sandbox
  • Minor profiling work:
    • resource scopes → scopes
    • consent as claims (needs_info)
    • PAR as dynamic scopes, e.g. FHIR query params
    • claims profiling (beyond IDTokens): VCs, consent, policy

Upcoming Conferences