[Openid-specs-ab] WG Meeting notes - 9-9-2021
George Fletcher
gffletch at aol.com
Thu Sep 9 14:59:00 UTC 2021
OpenID Connect Working Group - 9/9/2021
Attendees:
Mike Jones
Torsten Lodderstedt
David Chadwick
Tim Cappalli
Bjorn Hjelm
Tom Jones
Kristina Yasuda
Edmund Jay
George Fletcher
Drafts that need to be published
* Torsten - will publish a new draft of Verifiable Presentations
* Mike published updates for prompt=create and self-issued
* Edmund to update the claims aggregation draft
Update on Federation Draft
* Editors went through comments that had been received. Roland made updates
to address the comments. Also replied to the commenters.
* Mike to publish a new Federation draft for the OIDF workshop at EIC on
Monday
Update on Prompt=create Draft
* George gave an update on the changes
* Discussion about how the errors are returned. Just an OAuth error
response.
* -- error is HTTP 400 (Bad Request) error=invalid_request
OIDC Status updates
* RP-Initiated Logout - Mike to update in the next couple days
* Initiating User Registration via OpenID Connect - George has updated
the draft
* Core Error Code - spec is stable, recommending as final version (WG to
review)
* Native SSO for Mobile App - George to review any issues, Tim C to review,
then move to Implementer's Draft
* Profile for SCIM - (inactive for years) don't know if it's been used or
implemented
* Claims Aggregation - Nat to work with Edmund to publish an updated draft
* Self Issued Identifiers - Tom, no update
* Self Issued OpenID Provider - just published v3 to specs page
* Verifiable Presentations - Torsten to publish an updated draft
Logout specs
* Mike to address issues for other logout Drafts
* Mike recommends taking these logout drafts to final
MODRNA Working Group
* Took CIBA spec to final, used by FAPI Profile
* Mike - How does this apply to SIOP multi-party flow?
AOB
* Multiple-device use case
* -- user on their laptop and wants to pick up verifiable credentials
from the user's mobile phone
* Torsten to show a demo of the "cross-device flow" in the OIDF workshop
at EIC
Pull Requests - https://bitbucket.org/openid/connect/pull-requests/
* #46 - Kristina to review and merge
* #44 - Ongoing discussion with DIF. There is an alternate proposal.
Torsten working on a consolidated draft
* #33 - Torsten has an implementation, Daniel Fett has done a security
review. Some discussions around the protocol implementation
(response_mode). Torsten believes it's ready for merging.
* -- Tim C, showing security indicators to users hasn't worked for
browsers. Wondering how well it will work in this context.
* -- Security considerations will be added to the spec
* -- Torsten: CIBA has similar issues in regards to notifying users
* -- Agreement to merge into current spec
* -- Mike: there is a typo in the PR that needs to be fixed before merging
* -- Torsten to fix in the process of merging the PR -- completed (9/9/2021)
* #40 - Mike to review as it's part of the Federation spec
* #45 - Needs more reviewers. Torsten published the current draft
without merging this PR
Issues - https://bitbucket.org/openid/connect/issues
* #1269 - Ongoing discussions. Daniel Fett working on security aspects.
Kristina has summarized the options. Kristina opened a new issue (#1335)
for the parts of the discussion that extended outside the context of
security considerations.
* - Discussion around whether cross-device SIOP is suitable for
authentication
* -- needs a threat analysis
* -- would like to understand John Bradley's statement about it not
being usable for authentication
* -- Tim - believes the key here is that this is not an un-phishable
solution
* -- Update security considerations to include description of how
phishing can occur with cross-device SIOP
* -- Daniel Fett to publish a PR with updated security considerations.
Assigning issue to Daniel
* #1335 -- assigned as open to Kristina
* #1334 -- Placeholder issue to address how ID Tokens and VPs work together
* -- Kristina to pick up this issue