There will be no press release/promotion while the invitation to tender is open, until ~September.
There have been a few RFX's that have included UMA in past couple years. Can we collect some of the references together? Alec will look at some Canadian ones
Relationship Manager Review
In the recent RM draft, the concept of exposing the resource to the client works nicely, as it closely follows the UMA Fedz resource registration api. However, the addition of authorization server management and protection here has been awkward. In some of the early proposed "Wallet" profile drafts, this concept doesn't exist. Instead the Wallet Client (Relationship Manager) registers a credential (pub key) with the RS, allowing i) the RM to create signed permissions at the AS, over the Policy API and ii) the RS to verify the permission is signed by the credential, eg directly trace to the RO, not only trusting the AS. This mechanism also worked with the Resource Definition profile, as the RS has registered general resource types with the AS, it can get a specific resource conveyed through the RO permission. The credential idea becomes an intersections between the W3C standards and UMA, now using W3C Verifiable Credentials instead of the loose proposal in the Wallet draft. We looked at a OIDC based credential issuance api, and spoke about how it could be used to issues UMA resource definitions as credentials to the RM.
As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)
- Steve V, Recently joined Forgerock, history working with IAM going back to Boeing.