[WG-UMA] Draft minutes of UMA telecon 2022-10-06


Alec Laws

Oct 6, 2022, 2:18:52 PM
to wg-uma@kantarainitiative.org WG

UMA telecon 2022-10-06

Date and Time


  • Approve minutes since UMA telecon 2022-06-30

  • Core UMA content/report (no use-case)

  • FAPI Part 2 Review and Discussion

  • Policy Descriptions

  • AOB


  • NOTE: As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Alec, Eve, Steve)

  • Voting:

    • Peter

    • Alec

    • Steve

    • Eve

  • Non-voting participants:

    • Nancy

  • Regrets:

Quorum: No

Meeting Minutes

Approve previous meeting minutes


Core UMA content (no use-case)

We have two tracks here:

  • UMA in health

  • Simpler UMA introduction


FAPI 1.0: Part 2 Review and Discussion


Based on the review, if an UMA AS can support OAuth/OIDC, there’s no reason that FAPI security measures can’t also be achieved. Therefore an UMA AS can support FAPI.


Can UMA protect a userinfo endpoint? Yes

Can UMA be an OIDC server at the same time? e.g. accept an openid scope and issue an IDToken

  • UMA re-naming some OAuth concepts is challenging, redirect_uri and code.

  • Can we align even closer to OAuth? What would be lost in UMA functionality? Multi-step authorization flows,

  • 1) UMA-lite with goal of backwards compatibility with OAuth 2) Extension of UMA-lite to add back the full suite of UMA features to add pct, tickets, request_submitted

Part 2: Advanced

UMA AS should be able to support the requirements of 5.2.2.  Authorization server

302 Location /authorize?client_id&state&redirect_uri&code_challenge

POST /par { client_id&state&redirect_uri } → request_handle
302 Location /authorize?request=request_handle&code_challenge


302 /authorize?request_object=JWT{client_id&state&code_challenge&redirect_uri}



Policy Descriptions


Computable Consent



DirectTrust is working a lot on similar topics: computable consent, UDAP vs UMA. Alec is going to connect more with them to see if there are liaison activities.

  • UMA AS is very similar to a Federated Identity Gateway, very similar role & responsibilities

  • They have a computable consent workgroup, similar topics as ANCR or policy manager

  • Look back to the UMA + UDAP (not versus) content

  • goals together

    • will look to create some mapping between DirectTrust and Kantara WGs, then find the appropriate meetings to bring UMA to that audience

    • terminology alignment

    • hey look UMA has already considered the



Leadership Elections planned for end of year
