H.E.A.R.T. Working group session – UMA security profile (Health Relationship Trust)

From IIW


Thursday 5H

Convener: Justin, Eve


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion, action items, next steps:

Brainstormed list from going through (most of) the existing OAuth profile that was contributed to the HEART WG:

1. UMA usage of embedded OAuth:

  • Relevant to PAT (protection API token) issuance and AAT (authorization API token) issuance
  • OIDC/OAuth client authentication implications - use JWT-based client authentication?
  • Add more MTI (mandatory-to-implement) grant types a la the OAuth profile?

2. UMA usage of (extended) JWT when bearer RPT is introspected:

  • Borrow ideas from OAuth profile 2.2?

3. UMA redirect logic:

  • Copy OAuth instructions

4. UMA OAuth client registration (both UMA RS and UMA client):

  • Use JWK advice

5. UMA AS config data:

  • Add a key property?

6. UMA RPT (requesting party token) profile:

  • Need to do anything? The RPT is already a bearer token that must be introspected to get the extended JWT
  • Add time-to-live (expiry) strategy guidance
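As an added illustration of items 2 and 6 (not part of the session notes or any HEART WG draft), the check an UMA resource server would run over the introspection result for a bearer RPT before serving a request: it assumes the UMA 1.0 introspection response shape (an "active" flag plus a "permissions" array whose entries carry resource_set_id, scopes and exp) and a constructed sample response.

```python
import time

# Constructed sample: what the AS's token introspection endpoint might return
# for a bearer RPT (UMA 1.0 style "permissions" array; an assumption here).
SAMPLE_INTROSPECTION = {
    "active": True,
    "exp": 1700000600,
    "permissions": [
        {"resource_set_id": "rs-labs", "scopes": ["read"], "exp": 1700000600},
        {"resource_set_id": "rs-notes", "scopes": ["read", "write"], "exp": 1699999000},
    ],
}


def rpt_allows(introspection, resource_set_id, required_scopes, now=None):
    """Return True only if the introspected RPT is active and carries an
    unexpired permission for resource_set_id covering every required scope.

    The resource server never trusts the bearer string itself: all
    authorization data comes from the introspection response, and each
    permission's own time-to-live is enforced (item 6's TTL strategy).
    """
    now = time.time() if now is None else now
    if not introspection.get("active", False):
        return False  # revoked, unknown or otherwise inactive token
    if "exp" in introspection and introspection["exp"] <= now:
        return False  # token as a whole has expired
    for perm in introspection.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        if "exp" in perm and perm["exp"] <= now:
            continue  # this permission's TTL has lapsed
        if set(required_scopes) <= set(perm.get("scopes", [])):
            return True
    return False  # no matching, unexpired permission with all scopes
```

Scope checks use set inclusion so a permission granting a superset of scopes still satisfies the request, while a missing scope or a lapsed per-permission exp denies it.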

Random idea:

Add a diagram to the OAuth profile showing client trustedness levels and their UX implications?