UMA telecon 2022-10-06
UMA telecon 2022-10-06
Date and Time
Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in:Â https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details:Â https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
Approve minutes since UMA telecon 2022-06-30
Core UMA content/report (no use-case)
FAPI Part 2 Review and Discussion
Policy Descriptions
AOB
Attendees
NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
Voting:
Peter
Alec
Steve
Eve
Non-voting participants:
Nancy
Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29
Deferred - no quorum
Topics
Core UMA content (no use-case)
we have two tracks here:
uma in health
simpler uma introduction
Â
FAPI 1.0: Part 2 Review and Discussion
Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI
Â
Can UMA protect a userinfo endpoint? Yes
Can UMA be an OIDC server at the same time? e.g. accept an openid scope and issue an IDToken
UMA re-naming some OAuth concepts is challenging, redirect_uri and code.
Can we even closer align to OAuth? what would be lost in UMA functionality? multi-step authorization flows,
1) UMA-lite with goal of backwards compatibility with OAuth 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted
Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced
UMA AS should be able to support the requirements of 5.2.2. Authorization server
PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge
PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge
JARM:
302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}
Â
Â
Policy Descriptions
Â
Computable Consent
AOB
Â
DirectTrust is working on a lot on similar topics, computable consent, udap vs uma. Alec is going to connect more with them to see if there’s liason activities.
UMA AS is very similar to an Federated Identity Gateway, very similar role&responsibilities
They have a computable consent workgroup, similar topics as ANCR or policy manager
Look back to the UMA + UDAP (not versus) content
goals together
will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience
terminology alignment
hey look UMA has already considered the
Â
Â
Leadership Elections planned for end of year
Â
Â
Â
Â
Potential Future Work Items / Meeting Topics
20 Confluence clean up, archive old items and promote the latest & greatest
10 UMA glossary – Steve has startedÂ
100 FAPI Review (FAPI + UMA)Â
scope: how the FAPI work could be applied to UMA ecosystems
review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
120 A financial use-case report (following the Julie healthcare template)
either open banking or pensions dashboard
openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)
Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
170 UMA + Verifiable Credentials
how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA
There are openapi specs for VC formats
Could UMA protect a VC presentation or issuance endpoint?
There's a lot of openid4vc profilesÂ
300 mDL + UMA
scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMAÂ
is there a role for UMA in token fabrication and referencing it as the RS?
600 Review of the email-poc correlated authorization specification
500 UMA + GNAP https://oauth.xyz/specs/Â
would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)Â
will GNAP meet all the UMA outcomes?
IDPro knowledge base articles
UMA 2 playground/sandbox
150 Minor profiling work,
resource scopes → scopesÂ
PAR as dynamic scopes eg fhir query params
policy manager & policy description
110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
use-case, consent as claims (needs_info),
if the client has gathered RqP consent, can it be presented to the AS
the policy to access a resource says "you must have agreed to this TOS/consent"
compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
intersection with ANCR/consent receipt/trust registry work in other Kantara groups
Upcoming Conferences
IIW 35, November 15 - 17