UMA telecon 2022-03-31

Date and Time

Agenda

Minutes

Roll call

  • Quorum: Yes

Approve minutes

Andi motions to approve ALL the minutes! Sal seconds. Motion approved.


Julie Use-case Report

Current comments have been resolved; link to V0.2 Editor's Draft: Notes, drafts, and WIP

Alec motions to move the Report to a Working Group Draft. Andi seconds. Hearing no objections, the motion passes!


Thanks to all the editors and contributors who got the report to this point!


UMA and Other Standards (UDAP, etc)

This sheet starts to organize the comparison:

https://docs.google.com/spreadsheets/d/1UWxhLoLFsVNmHulGvyS_3vx5hF9u2reFXT3gxc3bRnY/edit#gid=0


The HEART WG is having a session on this topic on April 4, 2-3PM ET. The link and invite should be shared on the OIDC HEART mailing list: https://meet.goto.com/785234357

Eve, Nancy and Alec plan to attend.

Show how UMA relates to other standards. Could we introduce UMA to the HL7 connectathons?


Correlated Authorization Updates

https://github.com/umalabs/correlated-authorization



European Identity Conference, May 10-13, 2022 | Berlin

Kantara has a 4-hour workshop the day before the conference. Is anyone planning to attend in person? Steve, Andi and George.

Do we want some of that time to present and get feedback on some of our work? E.g. to review and solicit feedback on the Julie report.


Potential Future Work Items / Meeting Topics

  • UMA vs (OAuth, OIDC, GNAP, UDAP, ...)
    • compare protocols & features (e.g. a product-comparison-style matrix with tick and cross marks)
  • Confluence clean up: archive old items and promote the latest & greatest
  • Review of the email-poc correlated authorization specification
  • A financial use-case report (following the Julie healthcare template)
    • either open banking or pensions dashboard
    • Open Banking is to FHIR (data model) as FAPI is to SMART on FHIR (authZ protocol profile)


Upcoming Conferences

AOB



Have had questions about UMA + DID and their relationship.

Some OAuth folks see UMA as complex, and believe they can rebuild its features with OAuth drafts.

UMA is for wide ecosystems where the RO can control policy. OAuth doesn't go this far; everything is still oriented around one AS and one RS (1AS/1RS).

  • A ticket is an auth_code, and an auth_code also binds a lot of server-side state; the ticket is a more reusable/general conception of an auth_code.
  • There is an OAuth "step-up" model that is more RS-first, e.g. to upgrade or get new access tokens when the presented one is missing something required (e.g. authN).
  • It is possible to use Grant or FedAuthZ independently; maybe a profile of UMA to make it "look" like OAuth would help introduce people to UMA (and not see it as extra complexity).
    • if you limit UMA scope: i) ask for the resource, ii) get sent to the prearranged AS, iii) claims gathering
    • open source UMA implementations: Keycloak, Gluu
  • Could we present a UMA use-case and ask how it could be solved in OAuth?
    • Alec could host at IIW
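The ticket-as-auth_code point and the three-step limited-scope flow above, as an added toy example (not from the meeting or any UMA implementation): a Python authorization server that issues permission tickets, redeems them with the UMA ticket grant type, and rotates the ticket on need_info for claims gathering. The policy, resource name and plain-dict claim token are constructed for the demo, and the need_info payload is simplified relative to the spec.

```python
import secrets

# Grant type registered by the UMA 2.0 Grant spec for redeeming a ticket.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class AuthorizationServer:
    """Constructed demo AS. A ticket indexes server-side state (requested
    resource/scopes, claims gathered so far), much as an auth_code indexes
    a pending authorization; both are single use."""

    def __init__(self, policy):
        self.policy = policy   # resource_id -> claims the RO's policy requires (demo assumption)
        self.tickets = {}      # ticket -> {"resource", "scopes", "claims"}

    def permission(self, resource_id, scopes):
        """Permission endpoint: the RS registers what the client asked for
        and gets a ticket to hand back in WWW-Authenticate (step i)."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource": resource_id, "scopes": set(scopes), "claims": {}}
        return ticket

    def token(self, grant_type, ticket, claim_token=None):
        """Token endpoint: the client redeems the ticket at the prearranged AS
        (step ii); unmet policy triggers claims gathering (step iii)."""
        if grant_type != UMA_GRANT or ticket not in self.tickets:
            return {"error": "invalid_grant"}
        state = self.tickets.pop(ticket)            # consumed on use, like an auth_code
        if claim_token:                             # demo: claims arrive as a plain dict
            state["claims"].update(claim_token)
        required = self.policy[state["resource"]]
        missing = {k: v for k, v in required.items() if state["claims"].get(k) != v}
        if missing:
            # The AS may hand back a fresh ticket with need_info; the gathered
            # state carries over so the client can retry with more claims.
            new_ticket = secrets.token_urlsafe(16)
            self.tickets[new_ticket] = state
            return {"error": "need_info", "ticket": new_ticket,
                    "required_claims": sorted(missing)}
        return {"access_token": "rpt-" + secrets.token_urlsafe(8), "token_type": "Bearer",
                "permissions": [{"resource_id": state["resource"],
                                 "resource_scopes": sorted(state["scopes"])}]}


def run_flow():
    """Drive one exchange: need_info, then success, then a replayed ticket."""
    as_ = AuthorizationServer(policy={"alice-labs": {"role": "physician"}})
    ticket = as_.permission("alice-labs", ["read"])        # RS saw a request with no RPT
    first = as_.token(UMA_GRANT, ticket)                   # no claims yet -> need_info
    second = as_.token(UMA_GRANT, first["ticket"], claim_token={"role": "physician"})
    replay = as_.token(UMA_GRANT, ticket)                  # original ticket already spent
    return first, second, replay
```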


Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  • Andi
  • Alec
  • Sal
  • Domenico
  • Steve
  • Eve

Non-voting participants:

  • Hanfei
  • George
  • Nancy
  • Scott
  • Chris

Regrets: