3B/ IIW 101 Session: UMA/User Managed Access

From IIW
Tuesday 3B

Convener: Alec Laws

Notes-taker(s): Alec Laws

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Session Slides presented: https://identos-public-dropbox.s3.ca-central-1.amazonaws.com/uma/2021-10-13+IIW+UMA+101.pdf

Highlighted key differences between standard OAuth and UMA, including differences in technical, business, legal and privacy goals and outcomes.

Discussed the role of data schemas and standards

- UMA doesn't specify data standards

- RSs own the definition of resources and scopes, and their registration at an authorization server

- the authorization server applies UMA's authorization-assessment set math to make policy decisions over the registered resources and the resource owner's policy

- some profile/extension work has been done to consider an authorization server that defines or coordinates data schemas to drive RP/RS interop in wide ecosystems
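The "set math" mentioned above, as an added illustration (not code from the session or the slides): per resource, the scopes an authorization server can grant are the intersection of what was requested (the RS's permission ticket plus any scopes the client pre-registered and asked for), what the RS registered for that resource, and what the resource owner's policy allows the requesting party. The resource ids, scope names, party name and policy below are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RegisteredResource:
    # Registered at the AS by the resource server (RS); the RS owns the scope vocabulary.
    resource_id: str
    scopes: frozenset

def assess(ticket_perms, client_scope_param, client_registered_scopes, resources, policies, party):
    """UMA-style authorization assessment, evaluated per resource:
    granted = (ticket scopes | client's pre-registered extra scopes) & registered scopes & policy scopes

    ticket_perms: {resource_id: scopes} the RS placed in the permission ticket
    client_scope_param: scopes the client added on its token request (scope parameter)
    client_registered_scopes: scopes the client pre-registered; anything else is ignored
    resources: {resource_id: RegisteredResource} registered at this AS
    policies: {resource_id: {party: allowed scopes}} set by the resource owner
    Returns {resource_id: frozenset(granted scopes)}; an empty dict means nothing is grantable.
    """
    extra = set(client_scope_param) & set(client_registered_scopes)
    granted = {}
    for rid, ticket_scopes in ticket_perms.items():
        res = resources.get(rid)
        if res is None:
            continue  # resource not registered at this AS: nothing can be granted for it
        policy_scopes = policies.get(rid, {}).get(party, frozenset())
        candidate = (set(ticket_scopes) | extra) & res.scopes & set(policy_scopes)
        if candidate:
            granted[rid] = frozenset(candidate)
    return granted

# Constructed sample ecosystem (assumption, not from the session): a health RS and an owner policy.
RESOURCES = {
    "lab-results": RegisteredResource("lab-results", frozenset({"read", "share", "delete"})),
}
POLICIES = {
    "lab-results": {"dr_smith": frozenset({"read", "share"})},
}

def example(party="dr_smith"):
    # Ticket asks for read+delete on lab-results and read on an unregistered "billing" resource;
    # the client also asks for "share" (pre-registered) and "admin" (not pre-registered).
    ticket = {"lab-results": {"read", "delete"}, "billing": {"read"}}
    return assess(ticket, ["share", "admin"], ["share"], RESOURCES, POLICIES, party)

if __name__ == "__main__":
    print(example())            # lab-results: read and share; delete denied by policy, admin ignored
    print(example("stranger"))  # empty: no policy for this party, so nothing is granted
```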

Discussed the intersection of UMA with SSI and verifiable credentials

- UMA is separate from identity systems by design

- Has hooks and patterns to work with existing identities (OIDC, SAML, SSI or otherwise)

- Through claims gathering or claims pushing, depending on the ecosystem size