- WG-UMA - mailman.kantarainitiative.org

Draft Minutes of UMA telecon 2022-08-11
by Alec Laws 18 Aug '22

18 Aug '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993/UMA+telecon+20… Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) - Voting: - Sal - Alec - Peter - Steve - Eve - Domenico - Non-voting participants: - Zhen/Jen - Regrets: Quorum: Yes Meeting Minutes Approve previous meeting minutes - Approve minutes of UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> , UMA telecon 2022-07-07 <https://kantara.atlassian.net/wiki/spaces/uma/pages/17891329/UMA+telecon+20…> , UMA telecon 2022-07-14 <https://kantara.atlassian.net/wiki/spaces/uma/pages/21299201/UMA+telecon+20…> , UMA telecon 2022-07-21 <https://kantara.atlassian.net/wiki/spaces/uma/pages/24510465/UMA+telecon+20…> , UMA telecon 2022-07-28 <https://kantara.atlassian.net/wiki/spaces/uma/pages/28180481/UMA+telecon+20…> , UMA telecon 2022-08-04 <https://kantara.atlassian.net/wiki/spaces/uma/pages/33751041/UMA+telecon+20…> - Eve moves to approve, Peter seconds. Minutes Approved! Topics UDAP Spec Reviews - tiered oauth https://www.udap.org/udap-client-authorization-grants.html Why can't OAuth be profiled directly, the UDAP profiles require further profiles to get to an implementable level of specificity Some of the examples create new risks, or could lead to new risks, eg around end-user identifiers Few UMA members have stated interests in working with US health care and UDAP and/or UMA adoption in this space. We don't want UMA to be excluded because of *perceived* overlap with UDAP. Do we need to explicitly show how UMA and UDAP can work together, eg through some report of udap profile? What do we want to produce, if/how do we engaged with the UDAP folks? Charter Refresh Draft Charter 2022 <https://kantara.atlassian.net/wiki/spaces/uma/pages/4850242/Draft+Charter+2…> Eve moves to accept the 2022 charter. Sal seconds. motion passes!! Alec will move it in place on our confluence and inform the LC AOB - Alec will check the calendar links - UMA implementors page, solicit updates from members (eg Keycloak → Redhat) - Steve will take a first pass of a list of terms for a glossary - prior lexicon here: Lexicon <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857823/Lexicon> - there's some terms defined in the Julie use-case - Steve to take a look at updating the specs page (consolidate old/new) - Domenico will send the source files for the uma logo

2 1

Agenda for UMA telecon 2022-08-11
by Alec Laws 11 Aug '22

11 Aug '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993/UMA+telecon+20… UMA telecon 2022-08-11Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - UDAP Spec Reviews - client authZ with JWT grant - Charter Refresh - vote if quorum - AOB

1 0

Draft minutes of UMA telecon 2022-08-04
by Alec Laws 04 Aug '22

04 Aug '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/33751041/UMA+telecon+20… UMA telecon 2022-08-04Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - UDAP Spec Reviews - tiered oauth - Charter Refresh - vote if quorum - Home Page Refresh - review/publish draft!? - AOB Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) - Voting: - Sal - Steve - Alec - Non-voting participants: - Chris - Regrets: Quorum: No Meeting Minutes Approve previous meeting minutes - Approve minutes of UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> , UMA telecon 2022-07-07 <https://kantara.atlassian.net/wiki/spaces/uma/pages/17891329/UMA+telecon+20…> , UMA telecon 2022-07-14 <https://kantara.atlassian.net/wiki/spaces/uma/pages/21299201/UMA+telecon+20…> , UMA telecon 2022-07-21 <https://kantara.atlassian.net/wiki/spaces/uma/pages/24510465/UMA+telecon+20…> , UMA telecon 2022-07-28 <https://kantara.atlassian.net/wiki/spaces/uma/pages/28180481/UMA+telecon+20…> - Deferred - no Quorum Topics UDAP Spec Reviews - tiered oauth https://www.udap.org/udap-user-auth.html Background, the UDAP profiles are in consideration to be recommends for use in US Health care. A few groups have/are running connect-a-thons testing their use (hl7: https://confluence.hl7.org/pages/viewpage.action?pageId=90362084, carin?) https://groups.google.com/g/udap-discuss ## purpose: "This distributed framework allows the reuse of existing user credentials and improves security by providing user data directly to the Resource Holder rather than passing it through a third party such as a client application." "providing user data directly to the Resource Holder rather than passing it through a third party such as a client application." - eg the AS gets claims directly instead of through the client app ## how to use: Use of this extension is requested by Client Apps and Resource Holders by including the “udap” scope in their requests to the upstream authorization endpoint. ## Q&A & Comments resource holder? is the RS + AS what does this mean for the SW client developer perspective? add 'udap' as scopes to requests? we already use certs to enable TLS. there is mTLS as server-server authentication, however this pulls the certs up into the OAuth protocol layer. This allows additional requirements about what certs must contain/convey to other parties beyond key material Are certs only being used to establish trust between services? If so, why does this need to make changes at the protocol layer? Can these profiles be prepared without the need for the 'udap' params? If the main idea is certificate based endorsements and trust policies, why does it need to get to the protocol level? Can they include more contextual specificity, eg what are the allowed acr values, how will cert based policy decisions work? Implementations need to define another layer of profile/ implementation guide to make this useful, the HL FAST group has more specific use-case based IGs: https://www.udap.org/udap-ig-consumer-facing-health-apps https://www.udap.org/udap-ig-b2b-health-apps It's already fairly normal for IDPs to federate to other downstream IDPS eg a standard feature of most IDP products? if UDAP becomes federally mandated in US Health care who owns the IP for the protocols/profiles? will be open or contributed to a standards body (eg IETF?) Would be great to see this open to comments in a public non-profit space How does this relate to user managed access aka patient directed exchange? The trust between services is still based on the trust policies of the operators and the certificates they can present https://groups.google.com/g/udap-discuss ## how it works summary: client requests authZ with a idp_uri, the AS federates to that idp for user authN 1 GET resource_holder_uri/.well-known/udap { "x5c" : ["{cert1}", "{cert2}", …] } - to check if they trust this RH(AS)? - equivalent to a jwks endpoint? - why does UDAP *mandate* certificates? 2 GET /authorize? ... normal oauth/oidc params ... *scope=udap*+ other scopes& *idp=https://idp.example.com/optionalpath& <https://idp.example.com/optionalpath&>* 3 3.1 is the requested idp trusted? - "retrieving the IdP’s UDAP metadata from https://idp.example.com/optionalpath/.well-known/udap - *evaluating the IdP’s certificate against the Resource Holder’s local trust policies.*" 3.2 if nessecary, RH(AS) does DCR with the upstream IDP 3.3 if a and/or fail, the RH(AS) may present list of other idps - if can't agree on idp, return new(?) error code `invalid_idp` 3.4 the RS(AS) acts as an OIDC client to the upstream idp (redirect to /authorize + includes the 'udap' scope) 4 normal OIDC except: the token requests includes an param `udap=1` required idtoken claims (mostly normal, requires acr/amr) iss: IdP’s unique identifying URI (matches idp parameter from Step 2) sub: unique identifier for user in namespace of issuer, i.e. iss + sub is globally unique aud: client_id of Resource Holder (matches client_id in Resource Holder request in Step 3.4) exp: expire time (should be short-lived) iat: issued at time auth_time: time that user last authenticated (optional) nonce: when included in Resource Holder’s request, must match nonce value from Step 3.4 acr: http://udap.org/[ial1-3|loa1-4] amr: http://udap.org/[aal1-3|loa1-4] "If the subject identifier included in the ID token has not been previously mapped to a local user or role" the RH may request the userinfo - Q. otherwise it can't request the info? RH completes the oauth flow with the client app (callback with code) ## Comparison with UMA Grant: 3.3.2 "The client redirects an end-user requesting party to the authorization server's claims interaction endpoint for one or more interactive claims-gathering processes as the authorization server requires. These can include direct interactions, such as account registration and authentication local to the authorization server as an identity provider, filling out a questionnaire, or asking the user to authorize subsequent collection of claims by interaction or pushing, and persistent storage of such claims (for example, as associated with a PCT). *Interactions could also involve further redirection, for example, for federated (such as social) authentication at a remote identity provider*, and other federated claims gathering. See Section 5.7 and Section 6.2 for security and privacy considerations regarding pushing and persistence of claims." eg you can federate to other idps UMA ASs can support the udap params + metadata ## Comparison with OIDC: 3.1.2.1. Authentication Request login_hint / id_token_hint, closest mechanism? "Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. *The use of this parameter is left to the OP's discretion.*" eg it can be a previous sub, or an email (which implies an authN domain), or up to the OPs discretion (eg could be an idp uri) Charter Refresh Draft Charter 2022 <https://kantara.atlassian.net/wiki/spaces/uma/pages/4850242/Draft+Charter+2…> Home Page Refresh UMA WG: User Managed Access (DRAFT) <https://kantara.atlassian.net/wiki/spaces/uma/pages/4850191> Alec will move the draft in place as the new homepage later today! Julie Use Case - review updates https://docs.google.com/document/d/1aG88GJMxOdYoEjQIAyzoTrUnFud-cnpmPD1rt9X… AOB - next week will discuss another UDAP spec

1 0

Agenda for UMA telecon 2022-08-04
by Alec Laws 03 Aug '22

03 Aug '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/33751041/UMA+telecon+20… UMA telecon 2022-08-04Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - UDAP Spec Reviews - tiered oauth - Charter Refresh - vote if quorum - Home Page Refresh - review/publish draft!? - AOB

1 0

Agenda for UMA telecon 2022-07-28
by Alec Laws 27 Jul '22

27 Jul '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/28180481/UMA+telecon+20… UMA telecon 2022-07-28Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Charter Refresh - vote if quorum - Home Page Refresh - review draft! - Julie Use Case - review updates - AOB

1 0

Agenda for UMA telecon 2022-07-21
by Alec Laws 20 Jul '22

20 Jul '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/24510465/UMA+telecon+20… UMA telecon 2022-07-21Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Charter Refresh - vote if quorum - Home Page Refresh - Julie Use Case - review updates - AOB

1 0

Agenda for UMA telecon 2022-07-14
by Alec Laws 13 Jul '22

13 Jul '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/21299201/UMA+telecon+20… UMA telecon 2022-07-14Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Charter Refresh - Home Page Refresh - AOB

1 0

Drafts minutes of UMA telecon 2022-07-07
by Alec Laws 07 Jul '22

07 Jul '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/17891329/UMA+telecon+20… Attendees - NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve) - Voting: - Steve - Eve - Alec - Sal - Non-voting participants: - Scott - George - Nancy - Regrets: Quorum: No Meeting MinutesApprove previous meeting minutes - Approve minutes of UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Deferred - no Quorum Topics Home Page Refresh Draft New Home Page <https://kantarainitiative.org/confluence/display/uma/Draft+New+Home+Page> Charter Refresh Draft Charter 2022 <https://kantara.atlassian.net/wiki/spaces/uma/pages/4850242/Draft+Charter+2…> Julie Use Case - pp2pi has renamed themselves to shift - current plan: update the existing paper to incorporate feedback (comments in the google doc describe this) - move sections 3-7 into a standalone UMA paper, no pp2pi use-case AOB FAST Security & Identity Directory Exchange, https://confluence.hl7.org/pages/viewpage.action?pageId=130482809

1 0

Agenda for UMA telecon 2022-07-07
by Alec Laws 06 Jul '22

06 Jul '22

https://kantara.atlassian.net/wiki/spaces/uma/pages/17891329/UMA+telecon+20… UMA telecon 2022-07-07Date and Time - Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT - Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 - United States: +1 (224) 501-3316, Access Code: 485-071-053 - See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+20…> - Charter Refresh - Home Page Refresh - AOB

1 0

2022 Charter - draft for review
by Alec Laws 30 Jun '22

30 Jun '22

Hi all, It's time for us to re-charter! We reviewed a draft this week: https://kantara.atlassian.net/wiki/spaces/uma/pages/4850242/Draft+Charter+2… Please reply with any feedback or items you'd like to work on this year We'll look for a quorum to adopt this on our July 14th call -- voting members, please let me know if you can't attend that day Cheers, - Alec

1 0