UMA telecon 2014-04-03

Owned by Eve Maler
Last updated: Apr 03, 2014

UMA telecon 2014-04-03

Date and Time

Agenda

  • Action item review
  • Implementation news and interop planning
    • Need Gluu and Cloud Identity details - others too?
    • Virtual interop period, ground rules, other needed data?
    • IIW planning?
  • Begin planning Q2 webinar
    • Theme: UMA, OpenID Connect, and personal data stores
    • Key participants: Cloud Identity? Others?
    • Date?
    • Sponsorship interest?
  • Claim profiling review
  • AOB

Minutes

UMA and IoT

We're keeping in touch with the Twitter person who told us he's working on this combination, and Eve has learned about some serious efforts to apply UMA to IoT communications security use cases. Domenico mentions water/power provider use cases (industrial and also consumer?). Eve mentions camera use cases, e.g. where the scopes could differentiate between "streaming" and "downloading a single image" and "detecting motion" etc. IoT use cases have some unique characteristics:

  • The "things" tend to be multiuser.
  • A very constrained device might have to interact with the Internet through a proxy service, so it's like the "RS" is split across two entities (even if they're not exposed to the UMA protocol).
  • The resource owner might very well be the operator of the Internet-connected service/device, a la cardiac defibrillators.

The key challenges appear to be: How would you provision a PAT (or AAT) to the "thing"? These are questions Sal and George have been mulling of late. A key design principle that is being applied by some is to stick with HTTP-based solutions as far as possible – no premature optimization!

Implementations

Lukasz will look at the Implementations page to update it as necessary.

Interop

Roland expressed willingness to run an IIW session on his implementation and interop test suite.

The OpenID Connect folks are holding a half-day meeting prior to IIW, on the Monday afternoon. George is attending. George and Jin and the MIT folks are also participating in Blue Button+ efforts, which will very likely have a presence at IIW.

UMA scenario adoption profiles

George observes that relatively tightly bounded areas such as EHRs and IoT are likelier venues for UMA adoption than free-for-all ecosystems. Eve adds that the enterprise use case is also a "closed ecosystem" type of use case that is likelier to see adoption faster, due to fewer interop challenges. Mark sees a lot of people talking about Privacy by Design principles, and he points out in such cases that UMA can help! Jin draws our attention to the Jeeves language (main site) (GitHub) being developed at MIT, which is meant to enforce privacy programmatically.

AI: Zhanna: Analyze Jeeves wrt UMA.

Webinar planning

Theme: We're agreed on OIDC/PDS.

Participants: Cloud Identity Ltd is willing to demo. Can we get the Open Mustard Seed folks and/or the MIT Personal Data Service planners involved? What about AXN?

AI: Eve: Ask Thomas/Dazza/Justin/Dave Coxe about involvement in the Q2 webinar.

AI: Domenico: Reach out to Oracle management about potentially sponsoring the webinar.

AI: Jin: Reach out to McKesson management about potentially sponsoring the webinar (or the Q3 health-focused webinar).

AI: Eve: Reach out to John Bradley and Nat Sakimura about a more formal OIDC connection to the webinar.

June is fair game for doing the Q2 webinar. How about June 19 at 8am PT/11am ET/4pm UK/5pm CET? Done!

Cloud Identity Summit

Jin and his team are attending in force. George and Eve hope to attend. George submitted a talk around IoT, UMA, and OAuth; we'll see if it gets accepted.

Claim profiling

Should the section currently called the Redirect Framework for Claim Profiling simply be the "Redirect Claim Profile"? The client has to be only clever enough to redirect the requesting party. Or maybe it has to be clever enough to redirect the user to specific choices of AS endpoints? It seems the biggest impact of the different scenarios for what Bob has to do at the AS is in the realm of the user experience; he might be warned that he's going to be redirected and may be put through a variety of claims-gathering flows. Those flows could involve login, and/or web forms, and/or further redirecting.

The core spec currently has some non-normative color commentary; should it move to the claim profiling spec? "Where a claim profile dictates end-user interaction, a further variety of options is possible. The end-user could be required to register for and/or log in to an account or personal profile, or fill in a questionnaire, or complete a purchase. Several of these operations could even be required, where the order is treated as significant for evaluating resource owner policies."

Eve suggests that it's better for the AS, in the need_claims response, to send only the state that the client will need to "attach" to the user that it will redirect over, and to preconfigure the redirection endpoint that the client should use. This is generally good for security. It seems we do need a whole new endpoint at the AS for this purpose. What should its name be? It's about the requesting party; "user" is ambiguous. It's about claims-gathering from a live human being. What about "claims_interaction_endpoint" (that would be the config data declaration property)? Or "requesting party claims"? It definitely can't be the same endpoint as the regular authorization data request endpoint. Let's go with "requesting party claims".

We think this new endpoint and its config data declaration should be defined right in the Redirect Framework/Profile, since this whole thing is no longer in the Core spec. Is it a Profile vs. a Framework? We think it's a perfectly usable profile all by itself.

Attendees

  • Eve
  • Mark
  • Zhanna
  • Jin
  • Domenico
  • George
  • Lukasz
  • Maciej

Next Meetings

  • Focus meeting Thu Apr 10 8:30-10am PT (time chart)
  • Focus meeting Thu Apr 17 8:30-10am PT (time chart)
  • All-hands meeting Thu Apr 24 8:30-10am PT (time chart)