UMA telecon 2022-10-06

Date and Time

Agenda

  • Approve minutes since UMA telecon 2022-06-30

  • Core UMA content/report (no use-case)

  • FAPI Part 2 Review and Discussion

  • Policy Descriptions

  • AOB

Attendees

  • NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

  • Voting:

    • Peter

    • Alec

    • Steve

    • Eve

  • Non-voting participants:

    • Nancy

  • Regrets:

Quorum: No


Meeting Minutes

Approve previous meeting minutes

Topics

Core UMA content (no use-case)

We have two tracks here:

  • UMA in health

  • simpler UMA introduction

FAPI 1.0: Part 2 Review and Discussion

https://fapi.openid.net/ 

Based on the review, if a UMA AS can support OAuth/OIDC, there’s no reason that the FAPI security measures can’t also be achieved. Therefore a UMA AS can support FAPI.

Can UMA protect a userinfo endpoint? Yes

Can UMA be an OIDC server at the same time? E.g. accept an openid scope and issue an ID Token.

  • UMA’s renaming of some OAuth concepts (redirect_uri and code) is challenging.

  • Can we align even more closely to OAuth? What UMA functionality would be lost? Multi-step authorization flows,

  • Two options: 1) UMA-lite, with the goal of backwards compatibility with OAuth; 2) an extension of UMA-lite that adds back the full suite of UMA features (pct, tickets, request_submitted).

Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced

A UMA AS should be able to support the requirements of section 5.2.2 (Authorization server).

PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge

PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge

JARM:
302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}
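As an added illustration (not part of the minutes, and not code from FAPI or any UMA implementation), the PKCE step sketched in the flow lines above, written for both sides: the client derives code_challenge from a random code_verifier as RFC 7636 specifies, and the AS, at the token endpoint, recomputes the challenge from the presented verifier and compares in constant time, refusing the downgrade-prone "plain" method. Function names, the client_id/state/redirect_uri values and the verifier/challenge binding are assumptions for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43..128 characters from the unreserved set [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier (assumed helper name)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_redirect(client_id: str, state: str, redirect_uri: str,
                             code_verifier: str) -> str:
    """Client side: the '302 Location /authorize?...' line from the minutes,
    with code_challenge and code_challenge_method filled in (constructed values)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return "/authorize?" + urlencode(params)


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """AS side, at the token endpoint. The challenge and method were bound to the
    authorization code when /authorize was processed; the client now presents the verifier."""
    if stored_method != "S256":
        # "plain" gives no protection if the challenge was observed in the redirect; refuse it.
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    # Constant-time comparison so a wrong verifier cannot be narrowed down by timing.
    return hmac.compare_digest(expected, stored_challenge)
```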

Policy Descriptions

Computable Consent

AOB

DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.

  • A UMA AS is very similar to a Federated Identity Gateway: very similar roles & responsibilities.

  • They have a computable consent workgroup, covering similar topics to ANCR or the policy manager.

  • Look back to the UMA + UDAP (not versus) content

  • Goals for working together:

    • will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience

    • terminology alignment

    • hey look UMA has already considered the


Leadership Elections planned for end of year


Potential Future Work Items / Meeting Topics

  • 20 Confluence clean up, archive old items and promote the latest & greatest

    • 10 UMA glossary – Steve has started

  • 100 FAPI Review (FAPI + UMA)

    • scope: how the FAPI work could be applied to UMA ecosystems

    • the review may inform what profiling work is required, e.g. if UMA must support PAR to work with FAPI

  • 120 A financial use-case report (following the Julie healthcare template)

    • either open banking or pensions dashboard

    • open banking is to FHIR (data model) as FAPI is to SMART on FHIR (authZ protocol profile)

    • Who would lead this / who needs this for UMA in open banking contexts? Should it come after the FAPI review?

  • 170 UMA + Verifiable Credentials

    • how would VCs work in a UMA ecosystem? How could VCs be used as claims in UMA?

    • There are OpenAPI specs for VC formats

    • Could UMA protect a VC presentation or issuance endpoint?

    • There are a lot of OpenID4VC profiles

  • 300 mDL + UMA

    • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA

    • is there a role for UMA in token fabrication and referencing it as the RS?

  • 600 Review of the email-poc correlated authorization specification

  • 500 UMA + GNAP https://oauth.xyz/specs/

    • would we have a UMA GNAP version (e.g. an extension of GNAP or of UMA? UMAonGNAP)

    • will GNAP meet all the UMA outcomes?

  • IDPro knowledge base articles

  • UMA 2 playground/sandbox

  • 150 Minor profiling work:

    • resource scopes → scopes

    • PAR as dynamic scopes, e.g. FHIR query params

    • policy manager & policy description

    • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

      • use-case, consent as claims (needs_info),

        • if the client has gathered RqP consent, can it be presented to the AS

        • the policy to access a resource says "you must have agreed to this TOS/consent"

        • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

        • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

Upcoming Conferences

  • IIW 35, November 15 - 17