UMA telecon 2017-05-18

Date and Time

Agenda

  • Roll call

  • Approve minutes of UMA telecon 2017-04-27 

  • Logistics/timing:
    • Candidate motion for consideration:
      • "Approve the draft UMA 2.0 specifications [as amended according to the instructions of UMA telecon 2017-05-18] as Draft Recommendations for public comment and IPR review."
    • Assuming we approve and forward the specs today, how to structure the next 45 days' worth of time?
  • UMA V2.0 work:
  • AOB

Minutes

Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2017-04-27: APPROVED by acclamation.

Logistics

  • Candidate motion for consideration:
    • "Approve the draft UMA 2.0 specifications [as amended according to the instructions of UMA telecon 2017-05-18] as Draft Recommendations for public comment and IPR review."
  • Assuming we approve and forward the specs today, how to structure the next 45 days' worth of time?

UMA V2.0 work

We reviewed the recommendations of UMA telecon 2017-05-12 and everything seemed to be acceptable. We have consensus.

Issue #312: Consensus to remove the language (option 2).

Issue #313: Copy the text instead of move it. The second paragraph is not entirely relevant to Grant, so only a subset should be copied over.

Issue #314: The RS, along with the AS, has to manage mappings of resource IDs to specific resource owners. Let's drop the note.

Issue #315: Eve has suggested wording. This is practically editorial. We should say "pre-registered" instead of "registered". Should we say first "Only if the client has pre-registered a single full claims redirection URI, this is OPTIONAL." and then put the other proposed wording at the end? Yes.

Issue #317: Did Justin mean "also non-null", or did he mean "also null"?

Gluu first gets a token with no scopes, and then adds scopes to it. Is that first token a true RPT? It doesn't have permissions associated with it, so this could be a sort of interim step.

It's certainly okay for a client not to pre-register for/request scopes. And we decided that it's okay for the RS to include zero scopes in its permission ticket. (Justin had made a separate comment about some inconsistency in FedAuthz about our language on this point.) So if we were serious about allowing zero scopes in RequestedScopes, then if that is null too, then it should be possible to issue a token with "nothing – that's what you wanted, and you'll like it!" But if it was non-null, that should result in a hard error. So we need to break this out into two bullets, with the two different conditions. Or the more elegant solution is to remove "is non-null" from the current last bullet, because if CandidateGrantedScopes is null and RequestedScopes is non-null, then the former is < the latter, and it would come under the third bullet. There should be only two logical bullets: = and <.
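To make the scope-assessment reasoning above concrete, here is an added illustration (not text or code from the UMA specifications or from any implementation discussed on the call). It models the two logical outcomes the group settled on, "=" and "<", as set comparisons, so that the zero-scope edge cases fall out naturally: an empty CandidateGrantedScopes equal to an empty RequestedScopes issues a token with no scopes, while an empty CandidateGrantedScopes against a non-empty RequestedScopes is strictly "less than" and is treated as insufficient. The function and enum names are invented here; the assumption that the AS only ever grants scopes drawn from RequestedScopes (so a candidate set can never be larger than the requested set) is also the author's, and the code rejects that case as a caller error rather than silently widening the grant.

```python
from enum import Enum


class Outcome(Enum):
    """Result of the AS assessing CandidateGrantedScopes against RequestedScopes."""
    ISSUE_RPT = "issue_rpt"            # candidate == requested: issue the RPT
    INSUFFICIENT = "insufficient"      # candidate <  requested: no RPT this round


def assess_scopes(candidate_granted, requested):
    """Compare the two scope sets and decide whether an RPT can be issued.

    candidate_granted: scopes the AS is willing to grant (CandidateGrantedScopes)
    requested:         scopes being asked for (RequestedScopes)

    Returns (Outcome, frozenset of scopes to put in the RPT).
    Only two logical cases exist: equal, or candidate strictly smaller.
    """
    candidate = frozenset(candidate_granted)
    wanted = frozenset(requested)

    # Assumption (not from the minutes): the AS derives candidates from the
    # requested set, so a candidate that is not a subset is a logic error
    # in the caller, not a legitimate "grant more than asked" path.
    if not candidate <= wanted:
        extra = sorted(candidate - wanted)
        raise ValueError(f"candidate scopes outside requested set: {extra}")

    if candidate == wanted:
        # Covers the zero-scope case too: {} == {} -> token with no scopes.
        return Outcome.ISSUE_RPT, candidate

    # candidate is a proper subset (including {} vs a non-empty request).
    return Outcome.INSUFFICIENT, candidate


if __name__ == "__main__":
    # Constructed sample inputs, not from any real deployment.
    cases = [
        ([], []),                       # both empty: issue an RPT with no scopes
        ([], ["read"]),                 # AS grants nothing but client asked: insufficient
        (["read"], ["read", "write"]),  # partial grant: insufficient
        (["read", "write"], ["write", "read"]),  # order irrelevant: issue
    ]
    for cand, req in cases:
        outcome, scopes = assess_scopes(cand, req)
        print(f"candidate={sorted(cand)!s:18} requested={sorted(req)!s:18} -> {outcome.name}, scopes={sorted(scopes)}")
```

Because both branches return the candidate set, the caller can still use the partially granted scopes when deciding what to report back to the client; the point the minutes make is only that the decision itself needs no separate "is non-null" bullet, since the empty set behaves correctly under ordinary set comparison.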

Issue #322: We made a strong decision to make permissions be a SHOULD for extensibility reasons, in case someone wanted to experiment with the dividing line between AS and RS responsibilities. However, token introspection is already optional in OAuth, and with the spec refactoring, maybe this isn't necessary anymore. And changing from a SHOULD to a MUST is backwards incompatible, whereas the reverse isn't (it would break implementations to change it in this direction). Consensus to change to a MUST.

Issue #320: We don't understand this one. Hopefully this will result in only non-normative language later.

Issue #321: Simple fix.

Issue #318: This is a normative change, but we should do it for consistency. (This also changes the WSD.)

Issue #316: Eve will work with Justin to ensure it says everything he wants, in addition to reiterating any OAuth messages as appropriate. Mike also notes that FAPI from OIDC went beyond requiring state (but of course that is an industry profile).

Attend to: Issues #319 and #323 and the following editorial instruction:

  • Remove "Note:" from beginnings of "For an example of how..." references.

A candidate motion:

MOTION: Mike moves and Maciej seconds: Approve the draft UMA 2.0 specifications, Grant rev 04 and FedAuthz rev 04, as amended according to the instructions of UMA telecon 2017-05-18, as Draft Recommendations for public comment and IPR review. APPROVED by unanimous consent.

AI: Eve, Justin, and Maciej: Edit! and ensure the Draft Recommendation markers are properly in place.

AI: Eve: Work with Kantara staff on review/publication next steps.

Logistics

Note that, once this 45-day review has begun, any substantive (think backwards-incompatible) changes will require going back to another such review. We should review the 05 drafts ASAP to catch any text implementation boo-boos before this goes out the door – even before next Thursday.

Maybe we can also figure out #320 before publication as well.

Let's try to make hay early next week while the sun shines. Maybe Eve will even call an ad hoc.

We can figure out our meeting schedule after that.

Note: No meeting the week of CIS (June 22).

Attendees

As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

  1. Domenico
  2. Sal
  3. Andi
  4. Maciej
  5. Eve
  6. Mike
  7. Cigdem

Non-voting participants:

  • James
  • Jin

Guest:

  • Jim Willeke

Regrets:

  • John W
  • Justin
