UMA telecon 2018-03-01
Date and Time
- Thursdays 9am PT
- Screenshare and dial-in: https://global.gotomeeting.com/join/857787301
- See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
- Roll call
- Approve minutes
- Approve minutes of UMA telecon 2018-02-22
- Report on number of downloads
- Call for interest in RS/C open source
- Scope expression extension discussion
- AOB
Minutes
Roll call
Quorum was reached.
Approve minutes
Approve minutes of UMA telecon 2018-02-22: APPROVED.
Report on number of downloads
Downloads of the PDF versions of the Recommendations on the increase, seemingly because of the press release that was put out.
Call for interest in RS/C open source
Eve is increasingly asked about libraries for RS's and clients.
Gluu's OXD has a lot of language support. Its approach is to have a middleware service, with connectors. They're working on a Kong proxy that acts as an UMA RS. It swaps the contents of the authorization header for an RPT. Mike thinks the barrier to writing UMA client software is pretty high; the same is sort of true for OIDC, as demonstrated by the sheer number of libraries. So maybe with UMA a "clean slate" approach could be taken vs. just making random libraries.
The demand surely seems to be there. Might this be an IIW topic? Who is attending in the spring (Apr 3-5)? Mike, Eve, Sal possible, Thomas hopefully.
Scope expression extension discussion
Mike's email proposal is here. The idea is that it wasn't clear whether somebody meant "this scope AND this scope" or "this scope OR this scope" in selecting scopes in a policy-setting interface. He came across JSON Logic, a standard format for expressing Boolean expressions in JSON. There are some GUI tools out there with the ability to take JSON Logic and do something with it. He proposes extending the resource description with a scope_expressions parameter, which adds relationships of the scopes provided in the resource_scopes parameter.
Example: An RS admin configures a /profile path into their API gateway; in order to do a GET on that endpoint, you need either a Customer or Partner scope and must have the 2Factor and FraudOk scopes. This drives resource registration. (The Gluu Gateway, coming out in roughly early April, will be MIT-license open source, but OXD will be a licensed solution, Mike says.)
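As an added illustration of the /profile example (not code from the minutes, from Gluu, or from the WG), the following Python expresses the "(Customer OR Partner) AND 2Factor AND FraudOk" rule as a JSON Logic tree inside a constructed resource description and evaluates it against the scopes a requester holds. The scope_expressions key, the per-method layout under it, and the convention that a JSON Logic "var" names a scope are assumptions for this example, not the extension's published syntax; the evaluator also checks that an expression refers only to scopes listed in resource_scopes, which is the registration-time validation an AS would want before accepting such a description.

```python
import json

# Constructed resource description for the /profile endpoint from the minutes. The
# "scope_expressions" key and the JSON Logic layout under it are assumptions made
# for this illustration, not the extension's published syntax.
RESOURCE_DESCRIPTION = json.loads("""
{
  "name": "/profile",
  "resource_scopes": ["Customer", "Partner", "2Factor", "FraudOk"],
  "scope_expressions": {
    "GET": {
      "and": [
        {"or": [{"var": "Customer"}, {"var": "Partner"}]},
        {"var": "2Factor"},
        {"var": "FraudOk"}
      ]
    }
  }
}
""")


def _unpack(expr):
    """Return (operator, arguments) of a single-key JSON Logic node."""
    if not isinstance(expr, dict) or len(expr) != 1:
        raise ValueError(f"malformed expression: {expr!r}")
    return next(iter(expr.items()))


def evaluate(expr, granted):
    """Evaluate a JSON Logic subset against the set of scopes a requester holds.

    Supported operators: "and", "or", "!" and "var". A "var" node is true when the
    named scope is in `granted`. Unknown operators raise instead of defaulting to
    true, so a typo in a policy fails closed.
    """
    if isinstance(expr, bool):
        return expr
    op, args = _unpack(expr)
    if op == "var":
        name = args[0] if isinstance(args, list) else args
        return name in granted
    if op == "and":
        return all(evaluate(a, granted) for a in args)
    if op == "or":
        return any(evaluate(a, granted) for a in args)
    if op == "!":
        inner = args[0] if isinstance(args, list) else args
        return not evaluate(inner, granted)
    raise ValueError(f"unsupported operator: {op!r}")


def referenced_scopes(expr):
    """Collect every scope name that a "var" node in the expression refers to."""
    if isinstance(expr, bool):
        return set()
    op, args = _unpack(expr)
    if op == "var":
        return {args[0] if isinstance(args, list) else args}
    children = args if isinstance(args, list) else [args]
    found = set()
    for child in children:
        found |= referenced_scopes(child)
    return found


def unregistered_scopes(description):
    """Scopes used in scope_expressions but absent from resource_scopes.

    An AS accepting a registration should reject a non-empty result: otherwise an
    expression can silently depend on a scope that can never be granted.
    """
    registered = set(description["resource_scopes"])
    used = set()
    for expr in description.get("scope_expressions", {}).values():
        used |= referenced_scopes(expr)
    return used - registered


def permitted(description, method, granted):
    """Decide whether `granted` satisfies the expression registered for `method`.

    A method with no expression falls back to requiring at least one registered
    scope, mirroring plain resource_scopes behaviour without the extension.
    """
    expr = description.get("scope_expressions", {}).get(method)
    if expr is None:
        return bool(set(description["resource_scopes"]) & set(granted))
    return evaluate(expr, set(granted))


if __name__ == "__main__":
    assert unregistered_scopes(RESOURCE_DESCRIPTION) == set()
    for scopes in ({"Customer", "2Factor", "FraudOk"}, {"Partner", "2Factor"}):
        print(sorted(scopes), "->", permitted(RESOURCE_DESCRIPTION, "GET", scopes))
```

Holding Customer or Partner together with both 2Factor and FraudOk satisfies the GET rule; Partner with only 2Factor does not. Failing closed on unknown operators and refusing registrations that reference unlisted scopes are the two checks that keep a mis-typed or malformed expression from quietly widening access.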
In FedAuthz Sec 3.1, notice that we've been somewhat ambiguous about whether any resource_scopes are required to be supplied: "resource_scopes: REQUIRED. An array of strings..."
Conclusion for now: There's no particular urgency around this. It would be good if Gluu writes up a "clean" extension document that could enable others to interoperate on the basis of this extension parameter and its operating rules. If there ends up being a community of interest around the extension, then that suggests it's worth taking up as a work item in the WG.
Upcoming work
Unless a request for an extension erupts, let's not meet next week.
Note that gathering new security considerations also counts as "enhancing the current specs" for purposes of the fresh roadmap/charter we just hammered out.
Attendees
As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)
- Domenico
- Sal
- Andi
- Maciej
- Eve
- Mike
- Cigdem
Non-voting participants:
- Yuriy
- Thomas