H.E.A.R.T. Working group session – UMA security profile (Health Relationship Trust)

From IIW

Thursday 5H

Convener: Justin, Eve

Notes-taker(s):

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion, action items, next steps:


Brainstormed list from going through (most of) the existing OAuth profile that was contributed to the HEART WG:


1. UMA usage of embedded OAuth:

  • Relevant to PAT issuance and AAT issuance
  • OIDC/OAuth client authentication implications - use JWT stuff?
  • Add more MTI grant types a la OAuth profile?


2. UMA usage of (extended) JWT when bearer RPT is introspected:

  • Borrow ideas from OAuth profile 2.2?


3. UMA redirect logic:

  • Copy OAuth instructions


4. UMA OAuth client registration (both UMA RS and UMA client):

  • Use JWK advice


5. UMA AS config data:

  • Add a key property?


6. UMA RPT profile:

  • Need to do anything? Already have bearer token that must be introspected to get extended JWT
  • Add time-to-live strategy stuff


Random idea:

Add a diagram to OAuth profile for client trustedness and UX implications?