UMA telecon 2022-10-06

Date and Time

• Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT

  • Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09

  • United States: +1 346 248 7799, Access Code: 994 8781 4311

  • See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar

Agenda

• Approve minutes since UMA telecon 2022-06-30

• Core UMA content/report (no use-case)

• FAPI Part 2 Review and Discussion

• Policy Descriptions

• AOB

Attendees

• NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

• Voting:

  • Peter

  • Alec

  • Steve

  • Eve

• Non-voting participants:

  • Nancy

• Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

• Approve minutes of UMA telecon 2022-08-11, UMA telecon 2022-08-25, UMA telecon 2022-09-08 , UMA telecon 2022-09-15 , UMA telecon 2022-09-22 , UMA telecon 2022-09-29

• Deferred - no quorum

Topics

Core UMA content (no use-case)

we have two tracks here:

• uma in health

• simpler uma introduction

FAPI 1.0: Part 2 Review and Discussion

https://fapi.openid.net/ 

Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI

Can UMA protect a userinfo endpoint? Yes

Can UMA be an OIDC server at the same time? e.g. accept an openid scope and issue an IDToken

• UMA re-naming some OAuth concepts is challenging, redirect_uri and code.

• Can we even closer align to OAuth? what would be lost in UMA functionality? multi-step authorization flows,

• 1) UMA-lite with goal of backwards compatibility with OAuth 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted

Part 2: Advanced Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced

UMA AS should be able to support the requirements of 5.2.2.  Authorization server

PKCE:
302 Location /authorize?client_id&state&redirect_uri&code_challenge

PAR:
POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge

JARM:

302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}

Policy Descriptions

Computable Consent

AOB

DirectTrust is working on a lot on similar topics, computable consent, udap vs uma. Alec is going to connect more with them to see if there’s liason activities.

• UMA AS is very similar to an Federated Identity Gateway, very similar role&responsibilities

• They have a computable consent workgroup, similar topics as ANCR or policy manager

• Look back to the UMA + UDAP (not versus) content

• goals together

  • will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience

  • terminology alignment

  • hey look UMA has already considered the

Leadership Elections planned for end of year