UMA telecon 2022-08-25
Date and Time
- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Agenda
Attendees
- NOTE: As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)
- Voting:
- Non-voting participants:
- Regrets:
Quorum: No
Meeting Minutes
Approve previous meeting minutes
Topics
UDAP Spec Reviews
- We need to come to their groups to advocate for UMA
One of our questions around UDAP is that it's not an implementation profile; HL7 has created IGs that use UDAP as the base profile here: https://build.fhir.org/ig/HL7/fhir-udap-security-ig/branches/main/user.html
Determine next work items
What do we want to do next? Lots of ideas below; what's most important?
Current WIP
- Update Julie Report to v0.4 – Nancy to accept suggested changes, reviewed with group ~1 month ago
- New report with core UMA (no use-case) content from Julie Report → could evolve to IDPro article? – Alec
- UMA Glossary – Steve
- Confluence Clean Up: activate new links + archive old content + general usability of the wiki – Alec / Steve
We prioritized the list below; lower numbers = higher priority. Nothing is "final", so feel free to comment.
- one driver is if the item was of interest to many or few members
- other consideration is who is motivated to lead the item
AOB
Potential Future Work Items / Meeting Topics
- 100 FAPI Review (FAPI + UMA)
- scope: how the FAPI work could be applied to UMA ecosystems
- review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI
- 20 Confluence clean up, archive old items and promote the latest & greatest
- 10 UMA glossary – Steve has started
- 600 Review of the email-poc correlated authorization specification
- 120 A financial use-case report (following the Julie healthcare template)
- either open banking or pensions dashboard
- open banking is to FHIR (data model) as FAPI is to SMARTonFHIR (authZ protocol profile)
- Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?
- 300 mDL + UMA
- scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA
- is there a role for UMA in token fabrication and referencing it as the RS?
- 500 UMA + GNAP https://oauth.xyz/specs/
- would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP)
- will GNAP meet all the UMA outcomes?
- 170 UMA + Verifiable Credentials
- how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA?
- There are openapi specs for VC formats
- Could UMA protect a VC presentation or issuance endpoint?
- There are a lot of openid4vc profiles
- IDPro knowledge base articles
- UMA 2 playground/sandbox
- 150 Minor profiling work
- resource scopes → scopes
- PAR as dynamic scopes eg fhir query params
- 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL
- use-case, consent as claims (needs_info)
- if the client has gathered RqP consent, can it be presented to the AS?
- the policy to access a resource says "you must have agreed to this TOS/consent"
- compare to interactive claims gathering where the AS would present this consent/TOS to the RqP
- intersection with ANCR/consent receipt/trust registry work in other Kantara groups