UMA telecon 2022-03-31
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 (224) 501-3316, Access Code: 485-071-053
See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
Approve minutes since UMA telecon 2021-09-09
Kantara Workshop at European Identity Conference
Julie Use-case Report
UMA and Other Standards (UDAP, etc)
Correlated Authorization
AOB
Minutes
Roll call
Quorum: Yes
Approve minutes
Approve minutes of UMA telecon 2021-09-09, UMA telecon 2021-09-16, UMA telecon 2021-09-23, UMA telecon 2021-09-30, UMA telecon 2021-10-14, UMA telecon 2021-10-21, UMA telecon 2021-10-28, UMA telecon 2021-11-04, UMA telecon 2021-11-18, UMA telecon 2021-12-02, UMA telecon 2021-12-09, UMA telecon 2021-12-16, UMA telecon 2021-12-23, UMA telecon 2021-12-23, UMA telecon 2022-01-06, UMA telecon 2022-01-13, UMA telecon 2022-01-20, UMA telecon 2022-01-27, UMA telecon 2022-02-03, UMA telecon 2022-02-10, UMA telecon 2022-02-17, UMA telecon 2022-02-24, UMA telecon 2022-03-03, UMA telecon 2022-03-10, UMA telecon 2022-03-24
Andi motions to approve ALL the minutes! Sal seconds. Motion Approved
Julie Use-case Report
Have resolved current comments, link to V0.2 Editor's Draft: Notes, drafts, and WIP
Alec motions to move the Report to a Working Group Draft. Andi seconds. Hearing no objections, motion passes!
Thanks to all the editors and contributors who got the report to this point!!
UMA and Other Standards (UDAP, etc)
This sheet starts to organize the comparison
https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0
The HEART WG is having a session on this topic, will be April 4 2-3PM ET. Link and invite should be shared on the oidc heart mailing list: https://meet.goto.com/785234357
Eve, Nancy and Alec plan to attend.
Show UMA's understanding in relation to other standards. Could we introduce UMA to the HL7 connectathons?
Correlated Authorization Updates
https://github.com/umalabs/correlated-authorization
European Identity Conference May 10-13, 2022 | Berlin
Kantara has a 4-hour workshop the day before the conference. Is anyone planning to attend in person? Steve, Andi, George
Do we want some of that time to present/get feedback on some of our work? Eg to review and solicit feedback on the Julie report
Potential Future Work Items / Meeting Topics
UMA vs (OAuth, OIDC, GNAP, UDAP, ....)
compare protocols & features (eg a product comparison type matrix with and 's)
Confluence clean up, archive old items and promote the latest & greatest
Review of the email-poc correlated authorization specification
A financial use-case report (following the Julie healthcare template)
either open banking or pensions dashboard
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
Upcoming Conferences
Internet Identity Workshop 34 is April 26-28 | Mountain View, CA. UMA attendees: Alec, Steve(tentative), George
Identity North Spring Workshop Apr 4-6
European Identity Conference May 10-13, 2022 | Berlin
https://identiverse.com/ June 21-24, 2022 Denver, Colorado.
AOB
Have had questions about UMA + DID and their relationships
Some OAuth folks see UMA as complex, and can rebuild the features with OAuth drafts
UMA is for wide ecosystems where the RO can control policy. OAuth doesn't go this far, everything is still oriented around 1AS/1RS
ticket is an auth_code, and an auth_code also binds a lot of server side state. ticket is a more reusable/general conception of an auth_code
there is an OAuth 'step-up model' that is more RS first, eg to upgrade or get new access tokens, when the presented one is missing enough something (eg authN)
it is possible to use Grant or FedAuthZ independently - maybe a profile of UMA to make it "look" like OAuth would help introduce people to UMA (and not see it as extra complexity)
if you limit UMA scope: i) ask for resource ii) sent to prearranged AS iii) claims gathering
open source UMA impls: Keycloak, Gluu
Could we present an UMA use-case and ask how it could be solved in OAuth?
Alec could host at IIW
Attendees
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
Andi
Alec
Sal
Domenico
Steve
Eve
Non-voting participants:
Hanfei
George
Nancy
Scott
Chris
Regrets: