UMA telecon 2022-09-08
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 (224) 501-3316, Access Code: 485-071-053
See UMA calendar for additional details: http://kantara.atlassian.net/wiki/display/uma/Calendar
Agenda
Approve minutes since UMA telecon 2022-06-30
Core UMA content (no use-case)
FAPI discussion
AOB
Attendees
NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
Alec
Peter
Non-voting participants:
Regrets:
Steve
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25
Deferred - no quorum
Topics
Core UMA content (no use-case)
https://docs.google.com/document/d/1YU-AjYx6xmolHGowrlkC2fg_QRXjoP7BuAW7JuCaMM8/edit# (will need to request access)
FAPI discussion
Part 1: Baseline https://openid.net/specs/openid-financial-api-part-1-1_0.html
https://openid.net/specs/openid-financial-api-part-2-1_0.html
AOB
could VCs be used to model policies, and the combination of user and system policies?
use case is joint custodianship of data, e.g. me and the hospital that took a medical image, or an issuer that is legally obligated to control where data is shared
hard for an organization to maintain compliance and give me complete control
e.g. an RS issues a VC to me, with some attached policies. When presenting that VC, I should respect the system policy. In the reverse, I can push policy that intersects with system policies
back to policy manager concept that requires some API language to model the policies (where the policy manager work stalled somewhat)
similar to resource description and scope description, could have baseline ‘policy description’ to give some transferable language about policies
resource_id,
some previous notes around what’s required in a policy: UMA telecon 2020-10-08
VCs have some concept of predicates around presentation
Potential Future Work Items / Meeting Topics
100 FAPI Review (FAPI + UMA)
scope: how the FAPI work could be applied to UMA ecosystems
review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
20 Confluence clean up, archive old items and promote the latest & greatest
10 UMA glossary – Steve has started
600 Review of the email-poc correlated authorization specification
120 A financial use-case report (following the Julie healthcare template)
either open banking or pensions dashboard
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
300 mDL + UMA
scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
is there a role for UMA in token fabrication and referencing it as the RS?
500 UMA + GNAP https://oauth.xyz/specs/Â
would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
will GNAP meet all the UMA outcomes?
170 UMA + Verifiable Credentials
how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
There are openapi specs for VC formats
Could UMA protect a VC presentation or issuance endpoint?
There's a lot of openid4vc profiles
IDPro knowledge base articles
UMA 2 playground/sandbox
150 Minor profiling work,
resource scopes → scopes
PAR as dynamic scopes eg fhir query params
policy manager & policy description
110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
use-case, consent as claims (needs_info),
if the client has gathered RqP consent, can it be presented to the AS
the policy to access a resource says "you must have agreed to this TOS/consent"
compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
intersection with ANCR/consent receipt/trust registry work in other Kantara groups
Upcoming Conferences
IIW 35, November 15 - 17