UMA telecon 2022-09-22

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• Core UMA content/report (no use-case)

• FAPI Part 1 Review and Discussion

• Policy Descriptions

• AOB

Attendees

• NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

• Voting:

  • Steve

  • Alec

• Non-voting participants:

  • Steve

  • Chris

• Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265 , https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825

• Deferred - no quorum

Topics

Core UMA content (no use-case)
https://docs.google.com/document/d/1YU-AjYx6xmolHGowrlkC2fg_QRXjoP7BuAW7JuCaMM8/edit# (will need to request access)

Two goals

1. general UMA business value context

   1. remove health care focus, or

2. Turn it into an IDPro article

3. UMA 101 content refresh

how to show a flow without getting “stuck” into a specific vertical, eg health currently? show many examples in many scenarios?!

Generic, sharing of ‘something’, how can we link to the business problem?

• Two people want to both access some information

• One person wants to share their information with a friend

https://www.forgerock.com/blog/why-forgerock-secure-sharing-trust-and-enforce

You own something and want to allow others to use it, however with some restrictions, constraints or assurances about it’s use

Could we have some building blocks of examples to make it more accessible, from real work analogy to photos/videos to ‘general file sharing’ to health record

• Can we use a real world analogy? Neighbour want to borrow X (car) with some limitation (speed, distance)? Or rental agency

• photos/video sharing, good bridge to digital space.

• add user-directed, self-sufficient capability to the data you hold for people

• banking scenario, individuals have own accounts, want to give some restricted access

  • value: cost savings for the business, allow self-service. Leads into competing policy enforcement (bank regulation vs what’s open for the person to do them self). The system already trusts the person is the account owner. shift liability concern for business to resource owner, parallel to chip cards. win-win outcome, less business liability, risk and cost and more user capability. External financial advisors (outside your bank), currently giving pretty complete access.

sharing lifecycle management, audit (who has access), and revocation (take it back)

other use cases:

ticket sales and sharing, transfer ownership. sharing access to tickets from the purchaser.

airbnb/hotels, shift access to the property (locks), maybe not additional features (hottub, tv subscriptions, internet, themostats - give with some restrictions)

education: grades, reports, transcript sharing. can limit to one org, many edu use cases get into the ‘wide ecosystem’ side around sharing between institutions

open social media, consolidate access across platforms, control who can view/comment your information

employment searching, indeed/headhunting/linkedin, sharing limited data, more as interview process expands.

find the best autoinsurance provider, want to share data and then pull it back. revocable consent, technically very difficult to remove information, RO can make intentions clear to an organization

how to combat the ‘only for wide ecosystem’ thoughts, UMA allows for this and is applicable to a smaller scale. it is oauth, same proven security, open to support delegation/sharing as first class concept.
much more technical value: language to describe resources and scope, leads to easier composability and data minimization

Next steps:

‘UMA by example’, individual stories with increasing complexity. Should we start this as a presentation first → document → video

Audience, general business people, not technical community

Call for good examples you’ve seen, successful deployments

FAPI Part 1 Review and Discussion

https://fapi.openid.net/ 

Part 1: Baseline https://openid.net/specs/openid-financial-api-part-1-1_0.html

https://openid.net/specs/openid-financial-api-part-2-1_0.html

Policy Descriptions

AOB

Potential Future Work Items / Meeting Topics

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 120 A financial use-case report (following the Julie healthcare template)

  • either open banking or pensions dashboard

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• IDPro knowledge base articles

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

• IIW 35,  November 15 - 17