Deferred
Working document here: Report on FHIR API Vulnerabilities
Please take a look; all comments/contributions welcome! The original report is attached to the Confluence page
previous discussion: UMA telecon 2021-09-16
Who is the right audience for this content? a version at different 'levels'? Show value to Business & Technical separately,
At biz level, there is buy into 'OAuth is awesome' and creates the question "so why do I need UMA?"
Maybe it's 'what's oauth' and then a 'what's UMA to follow up'
Here's the problem UMA addresses: it allows a person to control their stuff, and how they want to share it with someone else. OAuth is an underlying technology used to authorize the requestor. E.g. today Alice has to call the help desk to give her Mom or spouse access to her record; UMA gives Alice the ability to do this herself. The cost reduction of self-service access is similar to removing a manual 'forgot password' flow.
Using UMA reduces the custom development of these features in existing stacks. UMA services come with these features off the shelf, shifting custom implementation to configuration. (Except policy, which is... left to the reader.)
Removes requirements from the enterprise by giving the user the direct ability to manage their stuff themselves.
Google Drive sharing is the best practical example of this (even though it doesn't use UMA).
What is the best format for this content?
What about UMA vs GNAP? Will GNAP replace OAuth and UMA?
Have never heard a customer request GNAP, only discussion within the IETF/OAuth/UMA communities.
Check out the recent GNAP progress here: https://github.com/ietf-wg-gnap/gnap-core-protocol
Is there a clear UMA → GNAP transition?
PAT lifecycle management: the PAT is an OAuth access token, with an expiration and a refresh token
When it's needed (e.g. when a client makes a request) it may already have expired
How long should it live?
What to do if the PAT and its refresh token have both expired? Need the RO to come back and regenerate it
Depends on the RO model. When the RO is the RS, the RS can always get a new PAT using its own client credentials
If the RO is a proper subject, then these challenges all exist
Could the AS always allow an RS=RO PAT? How would this interact/intersect with PATs bound to a proper-subject RO?
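The PAT lifecycle decision discussed above, as an added example that is not part of the UMA WG notes: an in-memory stand-in for an OAuth token endpoint (the `TokenEndpoint`, `Pat` and `ensure_pat` names are assumptions for illustration) and the RS-side logic that decides whether an existing PAT is still usable, can be refreshed, can be re-obtained with the RS's own client credentials (the RS=RO case), or needs the RO to come back.

```python
"""Added example, not code from the Kantara UMA notes. Models the PAT
(protection API token) lifecycle: expiry, refresh, and the fallback that
depends on whether the RS is its own resource owner. No real AS is contacted;
token values are generated locally."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Pat:
    access_token: str
    access_expires_at: int          # unix seconds
    refresh_token: Optional[str]    # None for client-credentials PATs
    refresh_expires_at: int         # unix seconds, 0 when there is no refresh token


class TokenEndpoint:
    """Stand-in for an OAuth token endpoint (assumed TTLs). Refresh tokens are
    single use and tracked, so a replayed or expired one is rejected."""
    ACCESS_TTL = 3600                # 1 hour
    REFRESH_TTL = 30 * 24 * 3600     # 30 days

    def __init__(self):
        self._refresh_tokens = {}    # refresh_token -> expiry

    def _issue(self, now, with_refresh):
        rt, rt_exp = None, 0
        if with_refresh:
            rt = secrets.token_urlsafe(16)
            rt_exp = now + self.REFRESH_TTL
            self._refresh_tokens[rt] = rt_exp
        return Pat(secrets.token_urlsafe(16), now + self.ACCESS_TTL, rt, rt_exp)

    def authorization_code_grant(self, now):
        # The RO consented interactively; the PAT is bound to that RO.
        return self._issue(now, with_refresh=True)

    def refresh_grant(self, refresh_token, now):
        exp = self._refresh_tokens.pop(refresh_token, None)   # single use
        if exp is None or exp <= now:
            raise PermissionError("invalid_grant")
        return self._issue(now, with_refresh=True)

    def client_credentials_grant(self, now):
        # RS acting as its own RO: it can always ask again, so no refresh token.
        return self._issue(now, with_refresh=False)


def ensure_pat(endpoint, pat, now, rs_is_ro):
    """Return (action, pat). action is 'valid', 'refreshed',
    'client_credentials', or 'ro_required' (pat is None in the last case)."""
    if pat is not None and pat.access_expires_at > now:
        return "valid", pat
    if pat is not None and pat.refresh_token and pat.refresh_expires_at > now:
        try:
            return "refreshed", endpoint.refresh_grant(pat.refresh_token, now)
        except PermissionError:
            pass                     # refresh token revoked or already used
    if rs_is_ro:
        return "client_credentials", endpoint.client_credentials_grant(now)
    return "ro_required", None       # a proper-subject RO must re-authorize


if __name__ == "__main__":
    ep = TokenEndpoint()
    pat = ep.authorization_code_grant(now=1000)
    for t, ro in ((1500, False), (4600, False), (1000 + 31 * 24 * 3600, False), (5, True)):
        action, pat = ensure_pat(ep, pat, t, ro)
        print(t, ro, action)
```

The `ro_required` branch is the case the notes flag: once both the access token and the refresh token are gone, an RS that is not its own RO has no grant it can use on its own and must get the RO back.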
A not-UMA solution (relationship manager solution)
RS ↔ AS: resources registered (e.g. /patient)
RS → RO: 'id token' with the subject id (alec123)
RO → AS: the RS knows me as alec123, I want to give Bob access to /patient for that subject
AS → RS: introspection result returns resource and subject id
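The four-step relationship manager exchange above, simulated end to end as an added example (not code from the notes or from any UMA implementation). The `AuthorizationServer` and `ResourceServer` classes, the HMAC-keyed id token format, the RS id `ehr`, the grantee `bob` and the patient records are all constructed for illustration; only the subject id `alec123` and the `/patient` resource come from the notes.

```python
"""Added example, not part of the Kantara UMA notes. Walks the relationship
manager flow: (1) RS registers resources at the AS, (2) RS hands the RO an id
token naming the subject, (3) the RO presents that id token to the AS and
grants Bob access to /patient for that subject, (4) the RS introspects Bob's
token and gets the resource and subject back. The id token is an HMAC over the
subject using a key the RS shares with the AS (an assumption for this model)."""
import hashlib
import hmac
import secrets


def _sign(key: bytes, subject: str) -> str:
    return hmac.new(key, subject.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self.rs_keys = {}      # rs_id -> shared HMAC key (assumed set up out of band)
        self.resources = {}    # rs_id -> registered resource paths
        self.grants = {}       # access token -> grant record

    def register_rs(self, rs_id, key):
        self.rs_keys[rs_id] = key
        self.resources[rs_id] = set()

    def register_resource(self, rs_id, path):                  # step 1: RS <-> AS
        self.resources[rs_id].add(path)

    def create_grant(self, rs_id, id_token, resource, grantee):   # step 3: RO -> AS
        subject, sig = id_token.split(".", 1)
        if not hmac.compare_digest(sig, _sign(self.rs_keys[rs_id], subject)):
            raise PermissionError("id token was not issued by " + rs_id)
        if resource not in self.resources[rs_id]:
            raise ValueError("resource not registered: " + resource)
        token = secrets.token_urlsafe(16)
        self.grants[token] = {"rs": rs_id, "resource": resource,
                              "sub": subject, "grantee": grantee}
        return token

    def introspect(self, token):                               # step 4: AS -> RS
        grant = self.grants.get(token)
        if grant is None:
            return {"active": False}
        return {"active": True, **grant}


class ResourceServer:
    def __init__(self, rs_id, as_server):
        self.rs_id = rs_id
        self.key = secrets.token_bytes(32)
        self.as_server = as_server
        self.records = {}      # subject -> {path: data}
        as_server.register_rs(rs_id, self.key)

    def add_record(self, subject, path, data):
        self.records.setdefault(subject, {})[path] = data
        self.as_server.register_resource(self.rs_id, path)

    def issue_id_token(self, subject):                         # step 2: RS -> RO
        return f"{subject}.{_sign(self.key, subject)}"

    def read(self, token, path, requester):
        """Serve a request only if introspection ties this token to this RS,
        this path and this requester; the subject id selects whose record."""
        r = self.as_server.introspect(token)
        if not r.get("active") or r["rs"] != self.rs_id:
            return None
        if r["resource"] != path or r["grantee"] != requester:
            return None
        return self.records.get(r["sub"], {}).get(path)


def run_flow():
    """Build the AS and RS with constructed sample data and let alec123 grant
    bob access to /patient. Returns the RS and Bob's access token."""
    as_server = AuthorizationServer()
    rs = ResourceServer("ehr", as_server)
    rs.add_record("alec123", "/patient", {"name": "Alec", "allergies": ["penicillin"]})
    rs.add_record("dana456", "/patient", {"name": "Dana", "allergies": []})
    id_token = rs.issue_id_token("alec123")                    # "the RS knows me as alec123"
    token = as_server.create_grant("ehr", id_token, "/patient", grantee="bob")
    return rs, token


if __name__ == "__main__":
    rs, token = run_flow()
    print(rs.read(token, "/patient", "bob"))                   # Alec's record
    print(rs.read(token, "/patient", "carol"))                 # None: not the grantee
```

The point the model makes explicit is where the subject binding lives: the AS never learns who Alec is beyond the RS-issued identifier, and the RS relies on the introspection response (resource plus subject id) rather than on anything the requesting client asserts about itself.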
Next week, Steve will give a de-brief of the FIDO Authenticate conference
Outcome of user stories discussion
PDP architecture includes the concept of governance registry/discovery
TOIP/SSI are starting to define this ecosystem function
ANCR records update
Privacy as Expected/ANCR update : 2/3 weeks out (Sal?)
As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
Voting:
Non-voting participants:
Regrets: