https://kantara.atlassian.net/wiki/spaces/uma/pages/79101953/UMA+telecon+20…
UMA telecon 2022-10-06

Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 346 248 7799, Access Code: 994 8781 4311
- See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Agenda
- Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423>
- Core UMA content/report (no use-case)
- FAPI Part 2 Review and Discussion
- Policy Descriptions
- AOB
Attendees
- NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
- Voting:
  - Peter
  - Alec
  - Steve
  - Eve
- Non-voting participants:
  - Nancy
- Regrets:

Quorum: No
Meeting Minutes

Approve previous meeting minutes
- Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>, UMA telecon 2022-08-25 <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>, UMA telecon 2022-09-08 <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265>, UMA telecon 2022-09-15 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825>, UMA telecon 2022-09-22 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097>, UMA telecon 2022-09-29 <https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681>
- Deferred - no quorum
Topics

Core UMA content (no use-case)
We have two tracks here:
- UMA in health
- simpler UMA introduction
FAPI 1.0: Part 2 Review and Discussion
https://fapi.openid.net/

Based on the review, if a UMA AS can support OAuth/OIDC, there is no reason the FAPI security measures cannot also be achieved. Therefore a UMA AS can support FAPI.

Can UMA protect a userinfo endpoint? Yes.
Can UMA be an OIDC server *at the same time*? e.g. accept an openid scope and issue an ID Token.
- UMA's renaming of some OAuth concepts (redirect_uri, code) is challenging.
- Can we align even more closely to OAuth? What UMA functionality would be lost? Multi-step authorization flows.
- 1) UMA-lite, with the goal of backwards compatibility with OAuth; 2) an extension of UMA-lite that adds back the full suite of UMA features (pct, tickets, request_submitted).
Part 2: Advanced (Final): Financial-grade API Security Profile 1.0 - Part 2: Advanced <https://openid.net/specs/openid-financial-api-part-2-1_0.html>

A UMA AS should be able to support the requirements of 5.2.2 (Authorization server).
PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge
PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge
JARM:
302 Location /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}
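As an added illustration of the PKCE and PAR sketches above (this is example code written for these notes, not code from any UMA or FAPI implementation), the following hypothetical authorization server stores pushed parameters under an opaque request_uri handle, binds the issued code to the client's S256 code_challenge, and refuses a replayed code or a verifier that does not match; unlike the sketch, the code_challenge is assumed to travel in the pushed parameters rather than on the /authorize URL.

```python
import base64, hashlib, secrets

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))   # 43 unreserved characters
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """AS side: recompute S256 over the verifier and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    return secrets.compare_digest(expected, code_challenge)

class AuthorizationServer:
    """Hypothetical AS (assumed for this example): PAR handles plus codes bound to a PKCE challenge."""
    def __init__(self):
        self.par_store = {}    # request_uri handle -> pushed parameters
        self.code_store = {}   # authorization code -> (client_id, redirect_uri, challenge)

    def par(self, params: dict) -> str:
        """POST /par: keep the pushed parameters server-side, return an opaque handle."""
        handle = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.par_store[handle] = dict(params)
        return handle

    def authorize(self, request_uri: str, client_id: str) -> str:
        """GET /authorize?request_uri=...: resolve the handle once, issue a code."""
        params = self.par_store.pop(request_uri, None)   # single use
        if params is None or params["client_id"] != client_id:
            raise ValueError("unknown request_uri or client mismatch")
        code = secrets.token_urlsafe(16)
        self.code_store[code] = (client_id, params["redirect_uri"], params["code_challenge"])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> str:
        """POST /token: the code is single use and must match the PKCE verifier."""
        entry = self.code_store.pop(code, None)
        if entry is None:
            raise ValueError("invalid or replayed authorization code")
        bound_client, bound_redirect, challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri) \
                or not verifier_matches(code_verifier, challenge):
            raise ValueError("PKCE or client binding check failed")
        return "access-token-" + secrets.token_urlsafe(8)
```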
Policy Descriptions
Computable Consent

AOB
DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.
- A UMA AS is very similar to a Federated Identity Gateway, with very similar roles and responsibilities.
- They have a computable consent workgroup, covering similar topics to ANCR or policy manager.
- Look back to the UMA + UDAP (not versus) content
- goals together
- will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience
- terminology alignment
- hey look UMA has already considered the

Leadership Elections planned for end of year
> https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681/UMA+telecon+20…
>
> UMA telecon 2022-09-29
>
> Date and Time
> - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
> - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
> - United States: +1 346 248 7799, Access Code: 994 8781 4311
> - See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
>
> Agenda
> - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423>
> - Core UMA content/report (no use-case)
> - FAPI Part 1 Review and Discussion
> - Policy Descriptions
> - AOB
>
> Attendees
> - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
> - Voting:
>   - Alec
>   - Steve
>   - Sal
> - Non-voting participants:
>   - Scott
>   - Chris
>   - Hanfei
> - Regrets:
>
> Quorum: No
>
> Meeting Minutes
>
> Approve previous meeting minutes
> - Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>, UMA telecon 2022-08-25 <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>, UMA telecon 2022-09-08 <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265>, UMA telecon 2022-09-15 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825>, UMA telecon 2022-09-22 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097>
> - Deferred - no quorum
>
> Topics
>
> Core UMA content (no use-case)
>
> Continue discussion of ‘UMA by example’ content
>
> audience: NOT technical, business people - what value does UMA provide a data custodian, users(?) - what value does UMA provide the resource owner
> - problem that UMA addresses: user-mediated fine-grained authorization, person not present during access
> - physical access example(s): car or documents or airbnb (access to a physical space, RS) vs the specific thing (resource)
> - shift to access to digital resources/documents
> - distributed nature of information: some at home, some with bank (safe deposit box), some with HCP
> - controlling organization, who enforces access
> - GAP today: broadness of access, synchronous RO-only access, controlled by single org at a time
> - UMA applied to example
>
> physical access vs digital access vs UMA against use-case: car, documents, building access
>
> General intro to Authorization: through example, lending
>
> base example, lending car or documents? → broad authZ: open garage, everything is there. In UMA, only the car is there
>
> home example, loaning car in the garage
> condo example, valet key
> digital example: car manufacturer managed sharing
> UMA example: user managed sharing
>
> car, access to the garage, key to the car → broad since can access anything in the garage; key to glovebox. “Allowed to drive between 12-3, not more than 20mi”
>
> condo concierge: RO not present, with someone enforcing my wishes
>
> → shift to digital
>
> FAPI Part 1 Review and Discussion
>
> https://fapi.openid.net/
>
> Part 1: Baseline https://openid.net/specs/openid-financial-api-part-1-1_0.html
>
> *5.2.2. Authorization server*
>
> 15. shall return the list of granted scopes with the issued access token if the request was passed in the front channel and was not integrity protected;
> - which request, token request? scopes in token response? when would there not be 'integrity protected'? there would always be TLS/client authn? is this for public clients?
>
> 17. should clearly identify the details of the grant to the user during authorization as in 16.18 of OIDC <https://openid.net/specs/openid-connect-core-1_0.html>;
> - for pushed claims, would the Client have this responsibility? or would pushed claims need to be ‘off’ in FAPI
>
> *NOTE*: The requirement to return the list of granted scopes allows clients to detect when the authorization request was modified to include different scopes. Servers must still return the granted scopes if they are different from those requested.
> - always return scopes or only under conditions of #15?
>
> Could a UMA Auth Server support OIDC and the openid scope? tentative yes
> - there are naming differences eg redirect_uri vs claims_redirect_uri, code vs ticket
>
> Overall, a UMA AS should be able to support the FAPI baseline profile (part 1)