https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681/UMA+telecon+202...

UMA telecon 2022-09-29Date and Time

-

Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT -

Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09 -

United States: +1 346 248 7799, Access Code: 994 8781 4311 -

See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518>

Agenda

-

Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423> -

Core UMA content/report (no use-case) -

FAPI Part 1 Review and Discussion -

Policy Descriptions -

AOB

Attendees

-

NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve) -

Voting: -

Alec -

Steve -

Sal -

Non-voting participants: -

Scott -

Chris -

Hanfei -

Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

-

Approve minutes of UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>, UMA telecon 2022-08-25 <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>, UMA telecon 2022-09-08 <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265> , UMA telecon 2022-09-15 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825> , UMA telecon 2022-09-22 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097> -

Deferred - no quorum

TopicsCore UMA content (no use-case)

Continue discussion ‘UMA by example’ content

audience: NOT technical, business people - what value does uma provide a data custodian, users(?) - what value does uma provide the resource owner

-

problem that UMA addresses, user-mediate fine-grained authorization. person not present during access -

physical access example(s), car or documents or airbnb(access to a physical space, RS) vs the specific thing (resource) -

shift to access to digital resources/documents, -

distributed nature of information: some at home, some with bank (safe deposit box), some with HCP, -

controlling organization, who enforces access -

GAP today: broadness of access, synchronous RO-only access, controlled by single org at a time -

UMA applied to example

physical access vs digital access vs uma against use-case: car, documents, building access

General intro to Authorization: through example, lending

base example, lending car or documents? → broad authZ open garage everything is there. In uma, only the car is there

home example, loaning car in the garage

condo example, valet key

digital example: car manufacturer managed sharing,

uma example: user managed sharing

car, access to the garage, key to the car → broad since can access anything in the garage, key to glovebox. “Allowed to drive between 12-3, not more than 20mi”

condo concierge: RO not present, with someone enforcing my wishes

→ shift to digital

FAPI Part 1 Review and Discussion

https://fapi.openid.net/

Part 1: Baseline https://openid.net/specs/openid-financial-api-part-1-1_0.html

*5.2.2. Authorization server*

15. shall return the list of granted scopes with the issued access token if the request was passed in the front channel and was not integrity protected;

-

which request, token request? scopes in token response? when would there not be 'integrity protected'? there would always be TLS/client authn? is this for public clients?

17. should clearly identify the details of the grant to the user during authorization as in 16.18 of OIDC <https://openid.net/specs/openid-connect-core-1_0.html>;

-

for pushed claims, would the Client have this responsibility? or would pushed claims need to be ‘off’ in FAPI

*NOTE*: The requirement to return the list of granted scopes allows clients to detect when the authorization request was modified to include different scopes. Servers must still return the granted scopes if they are different from those requested.

-

always return scopes or only under conditions of #15?

Could an UMA Auth Server support OIDC and the openid scope? tentative yes

-

there are naming differences eg redirect_uri vs claims_redirect_uri, code vs ticket

Overall, and UMA AS should be able to support FAPI basiline profile (part 1)