Child pages
  • UMA telecon 2017-05-25
Skip to end of metadata
Go to start of metadata

UMA telecon 2017-05-25

Date and Time


  • Roll call

  • Approve minutes of UMA telecon 2017-05-18 

  • Logistics/timing:
    • Final Draft Specification to be remanded to Kantara staff TODAY
  • UMA V2.0 work:
    • All GitHub issues for V2.0/dynamic swimlane (not updated to the spec refactor)
    • Eve has implemented all decisions where possible and is expecting final Justin comment by this morning
  • AOB


Roll call

Quorum was reached.

Approve minutes

Approve minutes of UMA telecon 2017-05-18: APPROVED.


  • Final Draft Specification to be remanded to Kantara staff TODAY

UMA V2.0 work

We discussed FedAuthz Sec 3.2 in the scratch draft and changed editorial text to ensure that the UMA errors for the resource registration endpoint are clarified to be MAYs while the HTTP errors are MUSTs. (Take out of hanging list.) By contrast, we confirmed our understanding that Sec 4.3 – "the authorization server responds with an HTTP 400 (Bad Request) status code and includes one of the following error codes" – stays declarative and thus is definitely still implicitly a MUST in the fashion of our issue #312 decision.

Issue #313: We needed more explanation from Justin. He meant that the phrase "human-readable" needs better definition. The method suggested is to do what RFC IETF 7591 Sec 2 does, which is say "The value of this field MAY be internationalized, as described in (7591) Section 2.2." Since that section already says it's OPTIONAL for the AS to do anything with it, and all other details are already covered, that's all we need to do; we can remove the paragraph.

Issue #315: Reverse the wording so that REQUIRED is first.

Issue #316: A big problem is the example of a hash of the session cookie, which is a really unusual way of doing things. Justin can do a pull request by 2pm ET.

Issue #317: The two logical response options, = and <, shouldn't say MUST; for consistency they should just say "the authorization server responds...". (Yes, Justin did mean non-null!)

Issue #323: Regarding 3.3.6: invalid_scope should also cover cases where the client asked for a scope it's not registered for: In Sec 3.3.4, mention that if the client requests a scope that it didn't pre-register for, it's not an error (at the RPT request stage) because, during the authorization assessment process, the RequestedScopes might include scopes requested on the client's behalf by the RS. However, it is not included as a requested scope.

Issue #323: s/other entity other/any entity other/

Issue #323: PoP: Let's keep as is.


  • Catch curly quotes.
  • Catch out-of-date references.
  • Update publication dates.
  • Choose the correct Status of This Document.
  • Close issues!


Eve and Justin will get the spec drafts ready in the next hour for Kantara staff to publish.

Other artifact work: Let's work on those things casually next week and in the interim. Items include:

  • UIG (Eve)
  • Wikipedia page (Domenico will work on Italian one; Eve will reach out to others who have edited other pages in the past)
  • Release notes
  • FAQ (Eve has one to add)
  • Case Studies page
  • Swimlane (Eve)
  • Implementation page (Maciej)
  • ...


As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve, Mike, Cigdem)

  1. Domenico
  2. Sal
  3. Andi
  4. Maciej
  5. Eve
  6. Mike
  7. Cigdem

Non-voting participants:

  • Kathleen
  • No labels