[Openid-specs-ab] Spec Call Notes 12-Apr-21

Mike Jones Michael.Jones at microsoft.com
Tue Apr 13 02:27:38 UTC 2021

Spec Call Notes 12-Apr-21

Mike Jones
Tony Nadalin
John Bradley
Kristina Yasuda
Adam Lemmon
Tom Jones
Tim Cappalli
Jeremie Miller
Vittorio Bertocci
Dmitri Zagidulin
Edmund Jay
David Waite (DW)

Logout Issues
              1184: Unclear what to do if id_token_hint user does not match currently logged in user at OP
                           Agreed that since logout is idempotent, that repeating a logout is a success
              1216: query over rp initiated logout certification test outcomes for tests that use invalid information
                           Edmund said there's not much point in showing an error, since there's not much the user can do
              1183: Handling errors during OpenID Connect RP-Initiated Logout
                           Edmund will add a comment to this one as well
              1185: Mention of POST requests and SameSite cookie attributes (RP Initiated Logout)
                           Vittorio said that browsers will flag cross-origin posts served by JavaScript from another origin
                           We could use cookies marked as "none", rather than lax
                           Or we could do a GET with a 302 to itself - an approach that DW said that Ping is using
                           Vittorio agreed to send Mike a description to add to the issue

Discussing sending VC objects as claims
              Mike, Kristina, and Oliver wrote https://openid.bitbucket.io/connect/jwt-claims-for-vc-objects-1_0.html to foster discussion
              DW said that the security considerations for JSON-LD are more complicated than pure JSON
                           It brings back of the complexities we jettisoned with XML DSIG
                           He asked about ignoring not-understood claims
                           He said that we could use _claim_sources for VPs
              Tony said that we already have "vp" and "vc" claims
                           The processing rules of those are defined by the W3C VC spec - and they're JSON-LD
                           OpenID Connect defines processing rules for some claims, such as "iss", "aud", etc.
              Jeremie said that you can't take a general JWT and also make it a VC or VP
              Kristina said that the "vp" and "vc" claims are to embed VC-specific context in their JWT representations
              DW reported that the entire JWT using "vp" or "vc" is the VP or VC - not just that in the contained claim
                           He also brought up "alg":"none" issues introduced by the W3C spec
                           He said that embedding those claims in an ID Token would change the security properties of an ID Token
              Dmitri Zagidulin said that there are implementations that stuff entire VPs and VCs into JWTs
                           But they use different claim names, so they're compliant
              DW reported that we could have _claim_sources=(source type), rather than declaring new IANA JWT claims
                           He said that we need to think about both the presentation and holder cases
                           DW said that he'll be submitting something on this topic soon
              Dmitri said that some people are embedding objects
                           And they are requesting "vp" and "vc" as custom claims
              Tim showed an example of how Microsoft is doing that that also uses Presentation Exchange
                           In that case, it truly is layered
                           Kristina also spoke to the layering
              Findings of Fact:
                           The W3C imposes processing rules on JWT claims for its JWT representations
                           It is possible to completely embed W3C VC-defined objects as claim values
              DW would like to explore using _claim_sources as Verifiable Presentations
                           John pointed out that we already have JWT _claim_sources
                           Tom said that the _claim_names are a dictionary
                           DW pointed out that a JSON dictionary could have conflicts with JSON-LD claim renaming rules

SIOP Issues
              We ran out of time to get to this

Open Issues
              We ran out of time to get to this

Next Calls
              The next SIOP special call is Tuesday, April 13th at 3pm Pacific Time
              The next regular Connect call is on Monday, April 19th, 2021 at 4pm Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210413/cfbad3b3/attachment-0001.html>

More information about the Openid-specs-ab mailing list