- WG-UMA - mailman.kantarainitiative.org

Draft minutes of UMA telecon 2022-10-06
by Alec Laws 06 Oct '22

06 Oct '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/79101953/UMA+telecon+20… UMA telecon 2022-10-06Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 346 248 7799, Access Code: 994 8781 4311 - See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518> Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> - Core UMA content/report (no use-case) - FAPI Part 2 Review and Discussion - Policy Descriptions - AOB Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve) - Voting: - Peter - Alec - Steve - Eve - Non-voting participants: - Nancy - Regrets: Quorum: No Meeting Minutes Approve previous meeting minutes - Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>, UMA telecon 2022-08-25 <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>, UMA telecon 2022-09-08 <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265> , UMA telecon 2022-09-15 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825> , UMA telecon 2022-09-22 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097> , UMA telecon 2022-09-29 <https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681> - Deferred - no quorum TopicsCore UMA content (no use-case) we have two tracks here: - uma in health - simpler uma introduction FAPI 1.0: Part 2 Review and Discussion https://fapi.openid.net/ Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI Can UMA protect a userinfo endpoint? Yes Can UMA be an OIDC server *at the same time*? e.g. accept an openid scope and issue an IDToken - UMA re-naming some OAuth concepts is challenging, redirect_uri and code. - Can we even closer align to OAuth? what would be lost in UMA functionality? multi-step authorization flows, - 1) UMA-lite with goal of backwards compatibility with OAuth 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced <https://openid.net/specs/openid-financial-api-part-2-1_0.html> UMA AS should be able to support the requirements of 5.2.2. Authorization server PKCE: 302 Location /authorize?client_id&state&redirect_uri&code_challenge PAR: POST /par { client_id&state&redirect_uri } → request_handle 302 Location /authorize?request=request_handle&code_challenge JARM: 302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri} Policy Descriptions Computable Consent AOB DirectTrust is working on a lot on similar topics, computable consent, udap vs uma. Alec is going to connect more with them to see if there’s liason activities. - UMA AS is very similar to an Federated Identity Gateway, very similar role&responsibilities - They have a computable consent workgroup, similar topics as ANCR or policy manager - Look back to the UMA + UDAP (not versus) content - goals together - will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience - terminology alignment - hey look UMA has already considered the Leadership Elections planned for end of year

1 0

Agenda for UMA telecon 2022-10-06
by Alec Laws 05 Oct '22

05 Oct '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/79101953/UMA+telecon+20… UMA telecon 2022-10-06Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 346 248 7799, Access Code: 994 8781 4311 - See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518> Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> - Core UMA content/report (no use-case) - FAPI Part 2 Review and Discussion - Policy Descriptions - AOB

1 0

Draft minutes of UMA telecon 2022-09-29
by Alec Laws 01 Oct '22

01 Oct '22

> > > https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681/UMA+telecon+20… > > UMA telecon 2022-09-29Date and Time > > - > > Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT > - > > Screenshare and dial-in: > https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 > - > > United States: +1 346 248 7799, Access Code: 994 8781 4311 > - > > See UMA calendar for additional details: > https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar > <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518> > > Agenda > > - > > Approve minutes since UMA telecon 2022-06-30 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> > - > > Core UMA content/report (no use-case) > - > > FAPI Part 1 Review and Discussion > - > > Policy Descriptions > - > > AOB > > Attendees > > - > > NOTE: As of October 26, 2020, quorum > <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is > 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve) > - > > Voting: > - > > Alec > - > > Steve > - > > Sal > - > > Non-voting participants: > - > > Scott > - > > Chris > - > > Hanfei > - > > Regrets: > > Quorum: No > > > > Meeting Minutes > > Approve previous meeting minutes > > - > > Approve minutes of UMA telecon 2022-08-11 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>, UMA > telecon 2022-08-25 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>, UMA > telecon 2022-09-08 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265> , UMA > telecon 2022-09-15 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825> , UMA > telecon 2022-09-22 > <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097> > - > > Deferred - no quorum > > TopicsCore UMA content (no use-case) > > Continue discussion ‘UMA by example’ content > > > > audience: NOT technical, business people - what value does uma provide a > data custodian, users(?) - what value does uma provide the resource owner > > - > > problem that UMA addresses, user-mediate fine-grained authorization. > person not present during access > - > > physical access example(s), car or documents or airbnb(access to a > physical space, RS) vs the specific thing (resource) > - > > shift to access to digital resources/documents, > - > > distributed nature of information: some at home, some with bank > (safe deposit box), some with HCP, > - > > controlling organization, who enforces access > - > > GAP today: broadness of access, synchronous RO-only access, controlled > by single org at a time > - > > UMA applied to example > > > > physical access vs digital access vs uma against use-case: car, documents, > building access > > > > General intro to Authorization: through example, lending > > base example, lending car or documents? → broad authZ open garage > everything is there. In uma, only the car is there > > > > home example, loaning car in the garage > > condo example, valet key > > digital example: car manufacturer managed sharing, > > uma example: user managed sharing > > > > car, access to the garage, key to the car → broad since can access > anything in the garage, key to glovebox. “Allowed to drive between 12-3, > not more than 20mi” > > condo concierge: RO not present, with someone enforcing my wishes > > > > → shift to digital > > > FAPI Part 1 Review and Discussion > > https://fapi.openid.net/ > > Part 1: Baseline > https://openid.net/specs/openid-financial-api-part-1-1_0.html > > > > *5.2.2. Authorization server* > > 15. shall return the list of granted scopes with the issued access token > if the request was passed in the front channel and was not integrity > protected; > > - > > which request, token request? scopes in token response? when would > there not be 'integrity protected'? there would always be TLS/client authn? > is this for public clients? > > 17. should clearly identify the details of the grant to the user during > authorization as in 16.18 of OIDC > <https://openid.net/specs/openid-connect-core-1_0.html>; > > - > > for pushed claims, would the Client have this responsibility? or would > pushed claims need to be ‘off’ in FAPI > > *NOTE*: The requirement to return the list of granted scopes allows > clients to detect when the authorization request was modified to include > different scopes. Servers must still return the granted scopes if they are > different from those requested. > > - > > always return scopes or only under conditions of #15? > > > > Could an UMA Auth Server support OIDC and the openid scope? tentative yes > > - > > there are naming differences eg redirect_uri vs claims_redirect_uri, > code vs ticket > > > > Overall, and UMA AS should be able to support FAPI basiline profile (part > 1) >

1 0

Agenda for UMA telecon 2022-09-28
by Alec Laws 28 Sep '22

28 Sep '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681/UMA+telecon+20… UMA telecon 2022-09-29Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 346 248 7799, Access Code: 994 8781 4311 - See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518> Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> - Core UMA content/report (no use-case) - FAPI Part 1 Review and Discussion - Policy Descriptions - AOB

1 0

Agenda for UMA telecon 2022-09-22
by Alec Laws 20 Sep '22

20 Sep '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097/UMA+telecon+20… UMA telecon 2022-09-22Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 346 248 7799, Access Code: 994 8781 4311 - See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518> Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> - Core UMA content/report (no use-case) - FAPI Part 1 Review and Discussion - Policy Descriptions - AOB

1 0

Agenda for UMA telecon 2022-09-15
by Alec Laws 15 Sep '22

15 Sep '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825/UMA+telecon+20… UMA telecon 2022-09-15Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> - Core UMA content/report (no use-case) - FAPI Part 1 Review and Discussion - Policy Descriptions - AOB

2 3

Agenda for UMA telecon 2022-09-08
by Alec Laws 07 Sep '22

07 Sep '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265/UMA+telecon+20… UMA telecon 2022-09-08Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Core UMA content (no use-case) - FAPI discussion - AOB

1 0

Cancelling Sept 1 meeting
by Alec Laws 01 Sep '22

01 Sep '22

Hi all, cancelling tomorrow’s call, I and some others can’t make it Talk next week! Best, - Alec

1 0

Draft minutes of UMA telecon 2022-08-25
by Alec Laws 26 Aug '22

26 Aug '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201/UMA+telecon+20… UMA telecon 2022-08-25Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - UDAP Spec Reviews/ Next Steps - Determine next work items - AOB Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) - Voting: - Alec - Peter - Steve - Non-voting participants: - Lenore - Nancy - Regrets: Quorum: No Meeting Minutes Approve previous meeting minutes - Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993/UMA+telecon+20…> - Deferred - no quorum TopicsUDAP Spec Reviews - We need to come to their groups to advocate for UMA - HL7 FAST Infrastructure Group: https://confluence.hl7.org/pages/viewpage.action?pageId=134938778 <<< this is the one folks should attend - There is an upcoming connect-a-thon (in person ONLY, registration is open): https://confluence.hl7.org/display/FAST/FAST+-+HL7+FHIR+Connectathon+-+Sept… One of our questions around UDAP is that it's not an implementation profile, HL7 has created IGs that use UDAP as the base profile here: https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/user.html Determine next work items What do we want to do next? Lots of ideas below, what's most important Current WIP - Update Julie Report to v0.4 – Nancy to accept suggested changed, reviewed with group ~1month ago - New report with core UMA (no use-case) content from Julie Report → could evolve to IDPro article? – Alec - UMA Glossary – Steve - Confluence Clean Up: activate new links + archive old content + general usability of the wiki – Alec / Steve, We prioritized the list below, lower numbers = higher priority. Nothing is "final", feel free to comment - one driver is if the item was of interest to many or few member - other consideration is who is motivated to lead the item AOB Potential Future Work Items / Meeting Topics - 100 FAPI Review (FAPI + UMA) - scope: how the FAPI work could be applied to UMA ecosystems - review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI - 20 Confluence clean up, archive old items and promote the latest & greatest - 10 UMA glossary – Steve has started - 600 Review of the email-poc correlated authorization specification - https://github.com/umalabs/correlated-authorization - https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i… - https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpC… - 120 A financial use-case report (following the Julie healthcare template) - either open banking or pensions dashboard - openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile) - Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review? - 300 mDL + UMA - scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA - is there a role for UMA in token fabrication and referencing it as the RS? - 500 UMA + GNAP https://oauth.xyz/specs/ - would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) - will GNAP meet all the UMA outcomes? - 170 UMA + Verifiable Credentials - how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA - There are openapi specs for VC formats - Could UMA protect a VC presentation or issuance endpoint? - There's a lot of openid4vc profiles - IDPro knowledge base articles - UMA 2 playground/sandbox - eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/ - 150 Minor profiling work, - resource scopes → scopes - PAR as dynamic scopes eg fhir query params - 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL - use-case, consent as claims (needs_info), - if the client has gathered RqP consent, can it be presented to the AS - the policy to access a resource says "you must have agreed to this TOS/consent" - compare to interactive claims gathering where the AS would present this consent/TOS to the RqP - intersection with ANCR/consent receipt/trust registry work in other Kantara groups

1 0

Agenda for UMA telecon 2022-08-25
by Alec Laws 24 Aug '22

24 Aug '22

Hi all, really sorry I wasn't able to make last week happen :/ Let's chat this week about our next work items - Alec https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201/UMA+telecon+20… UMA telecon 2022-08-25Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - UDAP Spec Reviews/ Next Steps - Determine next work items - AOB Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) - Voting: - Non-voting participants: - Regrets:

1 0