Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
United States: +1 346 248 7799, Access Code: 994 8781 4311
See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar
Approve minutes since UMA telecon 2022-06-30
Core UMA content/report (no use-case)
FAPI Part 2 Review and Discussion
Policy Descriptions
AOB
NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
Voting:
Peter
Alec
Steve
Eve
Non-voting participants:
Nancy
Regrets:
Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08, UMA telecon 2022-09-15, UMA telecon 2022-09-22, UMA telecon 2022-09-29
Deferred - no quorum
We have two tracks here:
UMA in health
Simpler UMA introduction
Based on the review, if a UMA AS can support OAuth/OIDC, there is no reason the FAPI security measures cannot also be achieved. Therefore a UMA AS can support FAPI.
Can UMA protect a userinfo endpoint? Yes
Can UMA be an OIDC server at the same time? e.g. accept an openid scope and issue an ID Token.
UMA renaming some OAuth concepts (redirect_uri and code) is challenging.
Can we align even more closely with OAuth? What would be lost in UMA functionality? Multi-step authorization flows.
1) UMA-lite, with the goal of backwards compatibility with OAuth
2) Extension of UMA-lite to add back the full suite of UMA features: pct, tickets, request_submitted
Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced
UMA AS should be able to support the requirements of 5.2.2. Authorization server
PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge
PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge
JARM:
302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}
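Added example (not from the minutes or any Kantara/UMA implementation): a toy authorization server modelling the state a UMA/OAuth AS must keep across the plain PKCE shape and the PAR shape sketched above. PAR (RFC 9126) names the returned handle request_uri; the JWT request-object shape (JAR, RFC 9101) is not modelled here. The class name AuthzServer and the client_id/redirect_uri values in the usage are invented for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the RFC 7636 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthzServer:
    """Hypothetical AS holding pushed requests and issued codes between the three requests."""

    def __init__(self):
        self.pushed = {}  # request_uri -> pushed authorization parameters (PAR)
        self.codes = {}   # authorization code -> parameters it was issued against

    def par(self, params: dict) -> str:
        """POST /par: store the request, return a one-time request_uri (the page's request_handle)."""
        if params.get("code_challenge_method", "S256") != "S256":
            raise ValueError("only S256 accepted; 'plain' is rejected")
        request_uri = "urn:ietf:params:oauth:request_uri:" + b64url(secrets.token_bytes(16))
        self.pushed[request_uri] = dict(params)
        return request_uri

    def authorize(self, query: dict) -> str:
        """GET /authorize: resolve a request_uri (PAR) or take the plain PKCE form; issue a code."""
        params = self.pushed.pop(query["request_uri"]) if "request_uri" in query else dict(query)
        for required in ("client_id", "redirect_uri", "code_challenge"):
            if required not in params:
                raise ValueError("missing " + required)
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = params
        return code

    def token(self, code: str, code_verifier: str, client_id: str, redirect_uri: str) -> bool:
        """POST /token: PKCE check binding the code to the party that started the flow."""
        params = self.codes.pop(code, None)  # codes are single use
        if params is None or params["client_id"] != client_id or params["redirect_uri"] != redirect_uri:
            return False
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        return hmac.compare_digest(expected, params["code_challenge"])
```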
Computable Consent
DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.
A UMA AS is very similar to a Federated Identity Gateway; very similar roles and responsibilities.
They have a computable consent workgroup, similar topics as ANCR or policy manager
Look back to the UMA + UDAP (not versus) content
goals together
Will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience.
terminology alignment
hey look UMA has already considered the
Leadership Elections planned for end of year