https://kantara.atlassian.net/wiki/spaces/uma/pages/79101953/UMA+telecon+20…
UMA telecon 2022-10-06
Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in:
  https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 346 248 7799, Access Code: 994 8781 4311
- See UMA calendar for additional details:
  https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518>
Agenda
- Approve minutes since UMA telecon 2022-06-30
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423>
- Core UMA content/report (no use-case)
- FAPI Part 2 Review and Discussion
- Policy Descriptions
- AOB
Attendees
- NOTE: As of October 26, 2020, quorum
  <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
  5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
- Voting:
- Peter
- Alec
- Steve
- Eve
- Non-voting participants:
- Nancy
- Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
- Approve minutes of UMA telecon 2022-08-11
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>,
  UMA telecon 2022-08-25
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>,
  UMA telecon 2022-09-08
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265>,
  UMA telecon 2022-09-15
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825>,
  UMA telecon 2022-09-22
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097>,
  UMA telecon 2022-09-29
  <https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681>
- Deferred - no quorum
Topics
Core UMA content (no use-case)
We have two tracks here:
- UMA in health
- simpler UMA introduction
FAPI 1.0: Part 2 Review and Discussion
https://fapi.openid.net/
Based on the review, if a UMA AS can support OAuth/OIDC, there is no reason that the FAPI security measures cannot also be achieved. Therefore a UMA AS can support FAPI.
Can UMA protect a userinfo endpoint? Yes.
Can UMA be an OIDC server *at the same time*, e.g. accept an openid scope and issue an ID Token?
- UMA's re-naming of some OAuth concepts is challenging, e.g. redirect_uri and code.
- Can we align even more closely to OAuth? What would be lost in UMA functionality? Multi-step authorization flows.
- 1) UMA-lite, with the goal of backwards compatibility with OAuth; 2) an extension of UMA-lite that adds back the full suite of UMA features (pct, tickets, request_submitted).
Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced
<https://openid.net/specs/openid-financial-api-part-2-1_0.html>
A UMA AS should be able to support the requirements of 5.2.2. Authorization server.
PKCE:
  302 Location /authorize?client_id&state&redirect_uri&code_challenge
PAR:
  POST /par { client_id&state&redirect_uri } → request_handle
  302 Location /authorize?request=request_handle&code_challenge
JARM:
  302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}
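The three request shapes sketched above, worked through as an added example that is not part of the minutes or of any UMA implementation: a small authorization server that accepts a plain PKCE request, a PAR handle or a signed request object, normalises them to one parameter set, and performs the S256 check that belongs at the token endpoint. It uses the parameter names of the underlying RFCs (RFC 7636 for PKCE, `request_uri` from RFC 9126 for PAR, `request` from RFC 9101 for the request object). The endpoint URL, client id, client secret and handles are constructed; the in-memory PAR store stands in for a real one with client authentication and expiry; and the request object is HS256-signed with a shared secret for the demo, where FAPI Advanced requires PS256 or ES256 with the client's own key.

```python
"""Added example, not from the UMA WG minutes or any UMA implementation: an
authorization server accepting the three authorization-request shapes
sketched in the minutes (plain PKCE, pushed via PAR, signed request object)
plus the PKCE S256 check its token endpoint must perform. Standard library
only. Endpoint URL, client secret and handles are constructed values; the
request object is HS256-signed for the demo, where FAPI Advanced requires
PS256 or ES256."""
import base64
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AS_AUTHORIZE = "https://as.example/authorize"   # constructed endpoint
CLIENT_SECRET = b"constructed-demo-secret"       # demo HS256 key (assumption)
REQUIRED = ("client_id", "state", "redirect_uri", "code_challenge")
_par_store: dict[str, dict] = {}                 # request_uri -> pushed params


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# PKCE, RFC 7636: the client keeps the verifier and sends only the S256 challenge.
def make_pkce_pair() -> tuple[str, str]:
    verifier = b64url(os.urandom(32))            # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Token endpoint: recompute S256 over the verifier, compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    return hmac.compare_digest(expected, code_challenge)


# PAR, RFC 9126: /par stores the parameters and returns a one-time request_uri.
def push_authorization_request(params: dict) -> str:
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    _par_store[request_uri] = dict(params)
    return request_uri


# Request object, RFC 9101: the parameters travel inside a signed JWT.
def make_request_object(params: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(params).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_request_object(jwt: str) -> dict:
    header, payload, sig = jwt.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # pin the algorithm, never trust the header
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad request object signature")
    return json.loads(b64url_decode(payload))


def authorize_url(**query) -> str:
    """Client side: build the /authorize redirect target for any of the shapes."""
    return AS_AUTHORIZE + "?" + urlencode(query)


def resolve_authorize_request(url: str) -> dict:
    """AS /authorize: return the effective parameters, whichever shape was used."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "request_uri" in query:                   # PAR handle, valid exactly once
        params = _par_store.pop(query["request_uri"], None)
        if params is None:
            raise ValueError("unknown or already used request_uri")
        # the sketch carries code_challenge outside the pushed set; accept it there too
        params.setdefault("code_challenge", query.get("code_challenge", ""))
    elif "request" in query:                     # signed request object
        params = verify_request_object(query["request"])
    else:                                        # plain front-channel request
        params = query
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    if params.get("code_challenge_method", "S256") != "S256":
        raise ValueError("only S256 is acceptable")
    return params


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    handle = push_authorization_request(
        {"client_id": "demo-client", "state": "xyz", "redirect_uri": "https://rp.example/cb"})
    params = resolve_authorize_request(
        authorize_url(client_id="demo-client", request_uri=handle, code_challenge=challenge))
    print(params["state"], verify_pkce(verifier, params["code_challenge"]))
```

Run it directly to see the PAR path end to end. The single-use `request_uri` and the pinned S256 method are the two checks the sketch leaves implicit; both are where a permissive server quietly falls outside the profile.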
Policy Descriptions
Computable Consent
AOB
DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.
- UMA AS is very similar to a Federated Identity Gateway: very similar role and responsibilities
- They have a computable consent workgroup, similar topics as ANCR or policy manager
- Look back to the UMA + UDAP (not versus) content
- goals together
- will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience
- terminology alignment
- hey look UMA has already considered the
Leadership Elections planned for end of year
>
> https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681/UMA+telecon+20…
>
> UMA telecon 2022-09-29
> Date and Time
> - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
> - Screenshare and dial-in:
>   https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
> - United States: +1 346 248 7799, Access Code: 994 8781 4311
> - See UMA calendar for additional details:
>   https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518>
>
> Agenda
> - Approve minutes since UMA telecon 2022-06-30
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423>
> - Core UMA content/report (no use-case)
> - FAPI Part 1 Review and Discussion
> - Policy Descriptions
> - AOB
>
> Attendees
> - NOTE: As of October 26, 2020, quorum
>   <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
>   5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
> - Voting:
> - Alec
> - Steve
> - Sal
> - Non-voting participants:
> - Scott
> - Chris
> - Hanfei
> - Regrets:
>
> Quorum: No
>
> Meeting Minutes
>
> Approve previous meeting minutes
> - Approve minutes of UMA telecon 2022-08-11
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>,
>   UMA telecon 2022-08-25
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>,
>   UMA telecon 2022-09-08
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265>,
>   UMA telecon 2022-09-15
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825>,
>   UMA telecon 2022-09-22
>   <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097>
> - Deferred - no quorum
>
> Topics
> Core UMA content (no use-case)
>
> Continue discussion ‘UMA by example’ content
>
> audience: NOT technical, business people - what value does UMA provide a data custodian; users(?) - what value does UMA provide the resource owner
> - problem that UMA addresses, user-mediated fine-grained authorization. person not present during access
> - physical access example(s), car or documents or airbnb (access to a physical space, RS) vs the specific thing (resource)
> - shift to access to digital resources/documents,
> - distributed nature of information: some at home, some with bank (safe deposit box), some with HCP,
> - controlling organization, who enforces access
> - GAP today: broadness of access, synchronous RO-only access, controlled by single org at a time
> - UMA applied to example
>
> physical access vs digital access vs UMA against use-case: car, documents, building access
>
> General intro to Authorization: through example, lending
>
> base example, lending car or documents? → broad authZ: open garage, everything is there. In UMA, only the car is there
>
> home example, loaning car in the garage
>
> condo example, valet key
>
> digital example: car manufacturer managed sharing,
>
> UMA example: user managed sharing
>
> car, access to the garage, key to the car → broad since can access anything in the garage; key to glovebox. “Allowed to drive between 12-3, not more than 20mi”
>
> condo concierge: RO not present, with someone enforcing my wishes
>
> → shift to digital
>
>
> FAPI Part 1 Review and Discussion
>
> https://fapi.openid.net/
>
> Part 1: Baseline
> https://openid.net/specs/openid-financial-api-part-1-1_0.html
>
> *5.2.2. Authorization server*
>
> 15. shall return the list of granted scopes with the issued access token if the request was passed in the front channel and was not integrity protected;
> - which request, token request? scopes in token response? when would there not be 'integrity protected'? there would always be TLS/client authn? is this for public clients?
>
> 17. should clearly identify the details of the grant to the user during authorization as in 16.18 of OIDC <https://openid.net/specs/openid-connect-core-1_0.html>;
> - for pushed claims, would the Client have this responsibility? or would pushed claims need to be ‘off’ in FAPI
>
> *NOTE*: The requirement to return the list of granted scopes allows clients to detect when the authorization request was modified to include different scopes. Servers must still return the granted scopes if they are different from those requested.
> - always return scopes or only under conditions of #15?
>
> Could a UMA Auth Server support OIDC and the openid scope? tentative yes
> - there are naming differences eg redirect_uri vs claims_redirect_uri, code vs ticket
>
> Overall, a UMA AS should be able to support FAPI baseline profile (part 1)
https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201/UMA+telecon+20…
UMA telecon 2022-08-25
Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in:
  https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 (224) 501-3316, Access Code: 485-071-053
- See UMA calendar for additional details:
http://kantarainitiative.org/confluence/display/uma/Calendar
Agenda
- Approve minutes since UMA telecon 2022-06-30
<https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…>
- UDAP Spec Reviews/ Next Steps
- Determine next work items
- AOB
Attendees
- NOTE: As of October 26, 2020, quorum
<http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is
5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
- Voting:
- Alec
- Peter
- Steve
- Non-voting participants:
- Lenore
- Nancy
- Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
- Approve minutes of UMA telecon 2022-08-11
<https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993/UMA+telecon+20…>
- Deferred - no quorum
Topics
UDAP Spec Reviews
- We need to come to their groups to advocate for UMA
- HL7 FAST Infrastructure Group:
  https://confluence.hl7.org/pages/viewpage.action?pageId=134938778 <<< this is the one folks should attend
- There is an upcoming connect-a-thon (in person ONLY, registration is open):
  https://confluence.hl7.org/display/FAST/FAST+-+HL7+FHIR+Connectathon+-+Sept…
One of our questions around UDAP is that it's not an implementation profile; HL7 has created IGs that use UDAP as the base profile here:
https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/user.html
Determine next work items
What do we want to do next? Lots of ideas below; what's most important?
Current WIP
- Update Julie Report to v0.4 – Nancy to accept suggested changes, reviewed with group ~1 month ago
- New report with core UMA (no use-case) content from Julie Report → could evolve to IDPro article? – Alec
- UMA Glossary – Steve
- Confluence Clean Up: activate new links + archive old content + general usability of the wiki – Alec / Steve
We prioritized the list below, lower numbers = higher priority. Nothing is "final", feel free to comment.
- one driver is whether the item was of interest to many or few members
- other consideration is who is motivated to lead the item
AOB
Potential Future Work Items / Meeting Topics
- 100 FAPI Review (FAPI + UMA)
- scope: how the FAPI work could be applied to UMA ecosystems
- review may inform what profiling work is required, eg if UMA must
support PAR to work with FAPI
- 20 Confluence clean up, archive old items and promote the latest &
greatest
- 10 UMA glossary – Steve has started
- 600 Review of the email-poc correlated authorization specification
- https://github.com/umalabs/correlated-authorization
- https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i…
- https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpC…
- 120 A financial use-case report (following the Julie healthcare
template)
- either open banking or pensions dashboard
- openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ
protocol profile)
- Who would lead this/ needs this for UMA in open banking contexts?
Should come after FAPI review?
- 300 mDL + UMA
- scope: how mDL could work in UMA ecosystems, how mDL could be a
claim to UMA
- is there a role for UMA in token fabrication and referencing it as
the RS?
- 500 UMA + GNAP https://oauth.xyz/specs/
- would we have a UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
- will GNAP meet all the UMA outcomes?
- 170 UMA + Verifiable Credentials
- how would VCs work in a UMA ecosystem? How could VCs be used as claims in UMA
- There are openapi specs for VC formats
- Could UMA protect a VC presentation or issuance endpoint?
- There are a lot of openid4vc profiles
- IDPro knowledge base articles
- UMA 2 playground/sandbox
- eg https://developers.google.com/oauthplayground/,
https://www.oauth.com/playground/
- 150 Minor profiling work,
- resource scopes → scopes
- PAR as dynamic scopes eg fhir query params
- 110 pushed claims types: templates + profiles (beyond IDTokens):
171 VCs, 113 consent, policy, mDL
- use-case, consent as claims (needs_info),
- if the client has gathered RqP consent, can it be presented
to the AS
- the policy to access a resource says "you must have agreed to
this TOS/consent"
- compare to interactive claims gathering where the AS would
present this consent/TOS to the RqP
- intersection with ANCR/consent receipt/trust registry work in
other Kantara groups