Draft minutes of UMA telecon 2022-10-06

https://kantara.atlassian.net/wiki/spaces/uma/pages/79101953/UMA+telecon+202...

UMA telecon 2022-10-06

Date and Time

- Primary-week Thursdays 06:30am PT; Secondary-week Thursdays 10:00am PT
- Screenshare and dial-in: https://zoom.us/j/99487814311?pwd=dTAvZi9uN0ZmeXJReWRrc1Zycm5KZz09
- United States: +1 346 248 7799, Access Code: 994 8781 4311
- See UMA calendar for additional details: https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518/Calendar <https://kantara.atlassian.net/wiki/spaces/uma/pages/4857518>

Agenda

- Approve minutes since UMA telecon 2022-06-30 <https://kantara.atlassian.net/wiki/spaces/uma/pages/14352423>
- Core UMA content/report (no use-case)
- FAPI Part 2 Review and Discussion
- Policy Descriptions
- AOB

Attendees

- NOTE: As of October 26, 2020, quorum <http://kantarainitiative.org/confluence/display/uma/Participant+Roster> is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)
- Voting:
  - Peter
  - Alec
  - Steve
  - Eve
- Non-voting participants:
  - Nancy
- Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes

- Approve minutes of:
  - UMA telecon 2022-08-11 <https://kantara.atlassian.net/wiki/spaces/uma/pages/39124993>
  - UMA telecon 2022-08-25 <https://kantara.atlassian.net/wiki/spaces/uma/pages/45875201>
  - UMA telecon 2022-09-08 <https://kantara.atlassian.net/wiki/spaces/uma/pages/56459265>
  - UMA telecon 2022-09-15 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62029825>
  - UMA telecon 2022-09-22 <https://kantara.atlassian.net/wiki/spaces/uma/pages/62980097>
  - UMA telecon 2022-09-29 <https://kantara.atlassian.net/wiki/spaces/uma/pages/74055681>
- Deferred - no quorum

Topics

Core UMA content (no use-case)

We have two tracks here:

- UMA in health
- simpler UMA introduction

FAPI 1.0: Part 2 Review and Discussion

https://fapi.openid.net/

Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI.

Can UMA protect a userinfo endpoint? Yes

Can UMA be an OIDC server *at the same time*? e.g. accept an openid scope and issue an IDToken

- UMA re-naming some OAuth concepts is challenging, redirect_uri and code.
- Can we align even closer to OAuth? What would be lost in UMA functionality? Multi-step authorization flows,
  - 1) UMA-lite with goal of backwards compatibility with OAuth
  - 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted

Part 2: Advanced

Final: Financial-grade API Security Profile 1.0 - Part 2: Advanced <https://openid.net/specs/openid-financial-api-part-2-1_0.html>

UMA AS should be able to support the requirements of 5.2.2. Authorization server

PKCE:
  302 Location /authorize?client_id&state&redirect_uri&code_challenge

PAR:
  POST /par { client_id&state&redirect_uri } → request_handle
  302 Location /authorize?request=request_handle&code_challenge

JARM:
  302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}

Policy Descriptions

Computable Consent

AOB

DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.

- UMA AS is very similar to a Federated Identity Gateway, very similar role & responsibilities
- They have a computable consent workgroup, similar topics as ANCR or policy manager
- Look back to the UMA + UDAP (not versus) content - goals together
- will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience
- terminology alignment
- hey look UMA has already considered the

Leadership Elections planned for end of year
participants (1)
-
Alec Laws