UMA telecon 2013-10-24

Owned by Eve Maler
Last updated: Oct 24, 2013
4 min read

UMA telecon 2013-10-24

Thanks to DomCat for our seasonal UMAnitarian!

Date and Time

Agenda

  • Note: Next week, the US meeting time is canonical, so UK participants and anyone else whose clock has changed should take careful note of the temporarily changed meeting time
  • Demo video status (original rough cut, new beta version)
  • IDESG, MIT conference, and IIW reports
  • Resource descriptions for user attribute retrieval (email thread)
  • SAML IdP+UMA attribute release discussion (email thread)
  • AS=C use case discussion (most recent previous notes) – any conclusions yet?
  • Field interop feature test issues if time
  • AOB

Minutes

Reports from other events

Scott David gave an awesome talk on Entropy at the MIT conference, and the audience even hounded him to keep going past the time slot. (smile) The presentations are available online. Hal Abelson's talk on Information Accountability was also especially interesting and relevant to UMA.

Going in to the IDESG meeting, the challenge was to ratify its new operational model. We believe the plenary approved the proposed governance rules. This means the IDESG can operate as a standalone self-funded entity, apart from the federal government. A lot of questions are still outstanding, regarding (e.g.) current work groups and work streams.

Demo video status

Please see the updated links above to get to the real beta version of the video. It's coming along nicely!

Resource description design

We reviewed Roland's proposal, and realized that it's more about resource sets that have resource subsets (all referring to the same scopes), rather than being about scopes with sub-scopes. So, in OpenID Connect-speak, it's akin to the phone scope resolving to explicit (vs. implicit) phone_number and phone_number_verified claims, so that you can create policies that let Bob access just one and not the other, or that let him access the whole set.

Eve was thinking that there are opportunities for "virtual" or "complex" layers for both resource sets (as Roland has demonstrated) and scopes, e.g., "read" and "write" could combine into "all". If we need resource sub/supersets, here's one design question we need to answer: Is there a need to have multiple overlapping sets of resources (attributes/claims in Roland's case)? Or is a hierarchy completely sufficient?

Thomas ask about the ability to do queries on resources before fetching them. Our resource set "type" property (see the RSR spec) does give the ability to query about the types of available resources, without mandating that the AS support this use case.

A resource set like "photo album" probably has available scopes that are different from a resource set like (individual) "photo" that it contains. So what would it mean to gather together a bunch of protected photo resources under a single protected photo album resource, and what scopes should/would apply to both? A "download" scope could apply to both. But a "resize" scope could only apply to a photo, not a photo album. What's the ideal resource set/scope description mechanism to account for these use cases?

(Eve notes that her email in response to Roland was technically incorrect, as his putative example is about not scope descriptions, but resource set descriptions.) However, her point about JSON Pointer still applies. The owner of an API (or the owner of a standard that the API leverages) could maintain a single scope description document and JSON Pointer could be used in scope URI references in resource set descriptions to "point into" the desired specific scope.

Roland is representing the "I Have A Customer" voice right now (smile), so we want to hear his answers so that we can design the appropriate solution.

Updating the spec and planning for the interop

Eve will set up a meeting for all interop participants around early December, to work on virtual interop plans for the beginning of 2014.

Eve and Thomas will get together soon to work on new spec updates. Maciej notes that the dynamic client registration spec has split into multiple specs, so we need to reference the new stuff, and also be sure that our feature tests are up to date. Also, Eve notes that OpenID Connect has new spec versions, and this involved a consolidation of multiple specs into fewer. And Josh Mandel actually went into GitHub and made a few improvements to our spec!

Thomas has been working with Josh and folks, e.g., at Mass General, and is doing some UMA explication in these forums. There seems to be a keen need to enable patients to share data from medical studies with their primary care physician (which might be entirely outside the Mass General "ecosystem" and even in a totally different geolocation). This makes Eve think we should prioritize the PHealthCloud video highly in December!

Attendees

  • Eve
  • Domenico
  • Thomas
  • Maciej

Next Meetings

  • All-hands meeting on Thursday, October 31, at 9am PT (time chart) - note that US goes off summer time on Nov 3