
https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201/UMA+telecon+202...

UMA telecon 2022-08-25

Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 (224) 501-3316, Access Code: 485-071-053
- See UMA calendar for additional details: http://kantarainitiative.org/confluence/display/uma/Calendar

Agenda
- Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423/UMA+telecon+2022-06-30>
- UDAP Spec Reviews / Next Steps
- Determine next work items
- AOB

Attendees
- NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
- Voting:
  - Alec
  - Peter
  - Steve
- Non-voting participants:
  - Lenore
  - Nancy
- Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes
- Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993/UMA+telecon+2022-08-11>
- Deferred - no quorum

Topics

UDAP Spec Reviews
- We need to come to their groups to advocate for UMA
- HL7 FAST Infrastructure Group: https://confluence.hl7.org/pages/viewpage.action?pageId=134938778 <<< this is the one folks should attend
- There is an upcoming connect-a-thon (in person ONLY, registration is open): https://confluence.hl7.org/display/FAST/FAST+-+HL7+FHIR+Connectathon+-+Septe...

One of our questions around UDAP is that it's not an implementation profile. HL7 has created IGs that use UDAP as the base profile here: https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/user.html

Determine next work items

What do we want to do next?
Lots of ideas below; what's most important?

Current WIP
- Update Julie Report to v0.4 – Nancy to accept suggested changes, reviewed with group ~1 month ago
- New report with core UMA (no use-case) content from Julie Report → could evolve to IDPro article? – Alec
- UMA Glossary – Steve
- Confluence Clean Up: activate new links + archive old content + general usability of the wiki – Alec / Steve

We prioritized the list below; lower numbers = higher priority. Nothing is "final", feel free to comment.
- one driver is if the item was of interest to many or few members
- other consideration is who is motivated to lead the item

AOB

Potential Future Work Items / Meeting Topics
- 100 FAPI Review (FAPI + UMA)
  - scope: how the FAPI work could be applied to UMA ecosystems
  - review may inform what profiling work is required, e.g. if UMA must support PAR to work with FAPI
- 20 Confluence clean up, archive old items and promote the latest & greatest
- 10 UMA glossary – Steve has started
- 600 Review of the email-poc correlated authorization specification
  - https://github.com/umalabs/correlated-authorization
  - https://groups.google.com/g/kantara-initiative-uma-wg/c/BntTknCOAAE/m/EzL9i_...
  - https://groups.google.com/g/kantara-initiative-uma-wg/c/ablVJ9cAreg/m/a_ZpCV...
- 120 A financial use-case report (following the Julie healthcare template)
  - either open banking or pensions dashboard
  - openbanking is to FHIR (data model) as FAPI is to SMARTonFHIR (authZ protocol profile)
  - Who would lead this / needs this for UMA in open banking contexts? Should come after FAPI review?
- 300 mDL + UMA
  - scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
  - is there a role for UMA in token fabrication and referencing it as the RS?
- 500 UMA + GNAP https://oauth.xyz/specs/
  - would we have an UMA GNAP version (e.g. extension of GNAP or UMA? UMAonGNAP)
  - will GNAP meet all the UMA outcomes?
- 170 UMA + Verifiable Credentials
  - how would VCs work in an UMA ecosystem?
  - How could VCs be used as claims in UMA
  - There are openapi specs for VC formats
  - Could UMA protect a VC presentation or issuance endpoint?
  - There's a lot of openid4vc profiles
- IDPro knowledge base articles
- UMA 2 playground/sandbox
  - eg https://developers.google.com/oauthplayground/, https://www.oauth.com/playground/
- 150 Minor profiling work,
  - resource scopes → scopes
  - PAR as dynamic scopes eg fhir query params
- 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
  - use-case, consent as claims (needs_info),
  - if the client has gathered RqP consent, can it be presented to the AS
  - the policy to access a resource says "you must have agreed to this TOS/consent"
  - compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
  - intersection with ANCR/consent receipt/trust registry work in other Kantara groups