H.E.A.R.T. Working group session – UMA security profile (Health Relationship Trust)
H.E.A.R.T. working group session – UMA security profile
Convener: Justin, Eve
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion, action items, next steps:
Brainstormed list from going through (most of) the existing OAuth profile that was contributed to the HEART WG:
1. UMA usage of embedded OAuth:
- Relevant to PAT issuance and AAT issuance
- OIDC/OAuth client authentication implications - use JWT stuff?
- Add more MTI grant types a la OAuth profile?
2. UMA usage of (extended) JWT when bearer RPT is introspected:
- Borrow ideas from OAuth profile 2.2?
3. UMA redirect logic:
- Copy OAuth instructions
4. UMA OAuth client registration (both UMA RS and UMA client):
- Use JWK advice
5. UMA AS config data:
- Add a key property?
6. UMA RPT profile:
- Need to do anything? Already have bearer token that must be introspected to get extended JWT
- Add time-to-live strategy stuff
Add a diagram to OAuth profile for client trustedness and UX implications?