UMA telecon 2021-03-25
https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2021-03-25
Minutes
Roll call
Quorum was NOT reached.
Approve minutes
- Approve minutes of UMA telecon 2021-03-18
Deferred
Pensions Dashboard
All sorted; waiting for final review and confirmation of the final licenses.
ONC Annual Meeting, Virtual Booth
https://www.healthit.gov/news/events/2021-onc-annual-meeting March 29-30
Authorization Code Grant
https://groups.google.com/g/kantara-initiative-uma-wg/c/OHYcZe8l8Vs
Initial Thoughts/questions:
- Seems strange to get emailed a callback URL; would the RqP have to open that link in the same browser?
- Mixing the purpose of UMA with authentication?
- Where is the response to request 2? That's a 302 to the AS.
- Seems to have some relationship with the OAuth device code flow, performing some out-of-band authorization of a user agent? Similar to the CIBA discussion, but more in scope: CIBA was RO authn, while this is RqP authn.
- Does the link need to be RqP-specific? No, because the token request includes Bob's email as a pushed claim.
Assume these pre-reqs:
- Alice has shared a link with Bob
- Alice has set up her AS to allow anyone who can demonstrate control of bob@email.com
Nice feature:
- The AS can authenticate the email without a direct integration with that email provider as an issuer (IdP, or for claims pushing)
Suggested Changes:
- RqPClient does an RPT-less request to the RS to get the ticket
- Line 2 is a UMA token request with a 'request_submitted' response
- 3, 4, 5 should be 'out of scope'
- 6 is a UMA token request that 'works' and returns a token
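An added toy model of the flow proposed above (my own example, not code from the minutes or from any UMA implementation). The AuthorizationServer, resource and run_flow names, the base64 JSON claim token, and the RPT set shared with the RS in place of token introspection are assumptions; the AS policy is the one from the pre-reqs, and steps 3 to 5 are collapsed into one out-of-band call.

```python
import base64
import json
import secrets
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

class AuthorizationServer:  # Alice's AS (toy); assumed policy: prove control of bob@email.com
    def __init__(self, policy_email="bob@email.com"):
        self.policy_email, self.tickets, self.rpts = policy_email, {}, set()

    def permission_ticket(self, resource_id):  # permission endpoint, called by the RS
        ticket = secrets.token_urlsafe(9)
        self.tickets[ticket] = {"resource": resource_id, "email": None, "verified": False}
        return ticket

    def email_link_followed(self, ticket):  # out of band: Bob opened the link the AS mailed him
        self.tickets[ticket]["verified"] = True

    def token(self, form):  # UMA grant token endpoint
        if form.get("grant_type") != UMA_GRANT or form.get("ticket") not in self.tickets:
            return 400, {"error": "invalid_grant"}
        state = self.tickets.pop(form["ticket"])  # tickets are single use; each reply rotates it
        if "claim_token" in form:  # pushed claim carrying the RqP's e-mail address
            state["email"] = json.loads(base64.urlsafe_b64decode(form["claim_token"]))["email"]
        if state["email"] == self.policy_email and state["verified"]:
            self.rpts.add(rpt := secrets.token_urlsafe(16))
            return 200, {"access_token": rpt, "token_type": "Bearer"}
        fresh = secrets.token_urlsafe(9)
        self.tickets[fresh] = state
        if state["email"] != self.policy_email:
            return 403, {"error": "need_info", "ticket": fresh, "required_claims": [{"name": "email"}]}
        return 403, {"error": "request_submitted", "ticket": fresh}  # e-mail proof still pending

def resource(as_, resource_id, rpt=None):  # the RS: an RPT-less request yields a ticket
    if rpt in as_.rpts:  # toy introspection: the RS sees the AS's RPT set directly
        return 200, {"body": f"contents of {resource_id}"}
    ticket = as_.permission_ticket(resource_id)
    return 401, {"WWW-Authenticate": f'UMA realm="alice", as_uri="https://as.example", ticket="{ticket}"'}

def run_flow(as_, rqp_email, resource_id="doc-1"):  # RqP client; returns status/error per step
    _, hdrs = resource(as_, resource_id)  # 1: no RPT, so the RS answers with a ticket
    ticket = hdrs["WWW-Authenticate"].split('ticket="')[1].rstrip('"')
    claim = base64.urlsafe_b64encode(json.dumps({"email": rqp_email}).encode()).decode()
    status, body = as_.token({"grant_type": UMA_GRANT, "ticket": ticket, "claim_token": claim})  # 2
    steps = [401, body.get("error", status)]
    if body.get("error") == "request_submitted":  # 3-5 are out of scope: Bob proves e-mail control
        as_.email_link_followed(body["ticket"])
        status, body = as_.token({"grant_type": UMA_GRANT, "ticket": body["ticket"]})  # 6: works
        steps += [status, resource(as_, resource_id, body.get("access_token"))[0]]
    return steps
```

A wrong pushed e-mail stops at need_info rather than request_submitted, and a reused or unknown ticket is rejected with invalid_grant.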
Profiles Discussion, relationship manager draft
???: Can one resource be protected by two Authorization Servers?
???: Can one resource be registered multiple times at the same AS? Not prevented by UMA FedAuthz; are there any use cases for this? Yes, and nothing prevents this.
There is discussion of some of these topics here: https://kantarainitiative.org/confluence/display/uma/UMA+Implementer's+Guide#UMAImplementer'sGuide-perm-request-patternsConsiderationsRegardingResourceServerPermissionRequests
Should we provide additional guidance on this topic?
There is also no restriction requiring the RS to have only one URI for a resource.
There was some previous discussion around wildcards in resource paths and other templating.
- How does Alice know the URL of the resource?
AOB
Attendees
As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)
Voting:
- Eve
- Peter
- Michael
- Alec
Non-voting participants:
- Nancy
- Colin
- Scott
- Ian
- Tim
Regrets:
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma