UMA telecon 2022-10-06

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• Core UMA content/report (no use-case)

• FAPI Part 2 Review and Discussion

• Policy Descriptions

• AOB

Attendees

• NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

• Voting:

  • Peter

  • Alec

  • Steve

  • Eve

• Non-voting participants:

  • Nancy

• Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29

• Deferred - no quorum

Topics

Core UMA content (no use-case)

we have two tracks here:

• uma in health

• simpler uma introduction

FAPI 1.0: Part 2 Review and Discussion

https://fapi.openid.net/ 

Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI

Can UMA protect a userinfo endpoint? Yes

Can UMA be an OIDC server at the same time? e.g. accept an openid scope and issue an IDToken

• UMA re-naming some OAuth concepts is challenging, redirect_uri and code.

• Can we even closer align to OAuth? what would be lost in UMA functionality? multi-step authorization flows,

• 1) UMA-lite with goal of backwards compatibility with OAuth 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted

Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced

UMA AS should be able to support the requirements of 5.2.2.  Authorization server

PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge

PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge

JARM:

302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}

Policy Descriptions

Computable Consent

AOB

DirectTrust is working on a lot on similar topics, computable consent, udap vs uma. Alec is going to connect more with them to see if there’s liason activities.

• UMA AS is very similar to an Federated Identity Gateway, very similar role&responsibilities

• They have a computable consent workgroup, similar topics as ANCR or policy manager

• Look back to the UMA + UDAP (not versus) content

• goals together

  • will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience

  • terminology alignment

  • hey look UMA has already considered the

Leadership Elections planned for end of year

Potential Future Work Items / Meeting Topics

• 20 Confluence clean up, archive old items and promote the latest & greatest

  • 10 UMA glossary – Steve has started 

• 100 FAPI Review (FAPI + UMA) 

  • scope: how the FAPI work could be applied to UMA ecosystems

  • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

• 120 A financial use-case report (following the Julie healthcare template)

  • either open banking or pensions dashboard

  • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

  • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

• 170 UMA + Verifiable Credentials

  • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

  • There are openapi specs for VC formats

  • Could UMA protect a VC presentation or issuance endpoint?

  • There's a lot of openid4vc profiles 

• 300 mDL + UMA

  • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

  • is there a role for UMA in token fabrication and referencing it as the RS?

• 600 Review of the email-poc correlated authorization specification

  • https://github.com/umalabs/correlated-authorization

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_VIAwAJ

  • https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCVrcCQAJ

• 500 UMA + GNAP https://oauth.xyz/specs/ 

  • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

  • will GNAP meet all the UMA outcomes?

• IDPro knowledge base articles

• UMA 2 playground/sandbox

  • eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/

• 150 Minor profiling work,

  • resource scopes → scopes 

  • PAR as dynamic scopes eg fhir query params

  • policy manager & policy description

  • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

    • use-case, consent as claims (needs_info),

      • if the client has gathered RqP consent, can it be presented to the AS

      • the policy to access a resource says "you must have agreed to this TOS/consent"

      • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

      • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

• IIW 35,  November 15 - 17