[Openid-specs-ab] Spec call notes 25-Jul-11

Breno de Medeiros breno at google.com
Wed Jul 27 01:16:20 UTC 2011

Google's IDP requires NativeApps to implement code flow for security
reasons, since we don't think the native app context is sufficiently
secure for auto-approval, and we don't issue long-lived access tokens.

In any case, I don't think NativeApp needs to be captured in 'RP lite'
anyways. There are fairly fundamental reasons why Native App is more
complex than a JS app.

On Tue, Jul 26, 2011 at 18:08, Nat Sakimura <sakimura at gmail.com> wrote:
> I suppose the compliance for RP and IdP differs.
> We could require RP to support only implicit flow while IdP to support
> both.
> =nat
> On Wed, Jul 27, 2011 at 9:39 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> No, I think the conclusion we are coming to is that while it would be nice
>> for everyone to support both.
>> A minimal RP only needs the Token flow in Lite .
>> Is there any reason a OP wouldn't support the Token (implicit) flow?
>> Hoving to support two flows complicates the minimal RP.
>> John B.
>> On 2011-07-26, at 12:49 PM, Mike Jones wrote:
>> Per the call yesterday, John and I investigated whether the implicit
>> (token) grant type can be effectively used with native client applications.
>> The Native Applications section of the OAuth spec makes it clear that it
>> can.  Given that most OAuth interactions today use the implicit grant type,
>> we want to confirm the tentative decision made on the call yesterday to have
>> the implicit grant type be the one required flow in the Lite spec.
>>                                                             -- Mike & John
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
>> Sent: Monday, July 25, 2011 4:06 PM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] Spec call notes 25-Jul-11
>> Spec call notes 25-Jul-11
>> Nat Sakimura
>> Mike Jones
>> John Bradley
>> Edmund Jay
>> Breno de Medeiros
>> Agenda:
>>                Reviewing proposed edits by Breno and Casper Biering
>>                Edits for Lite spec
>>                Feedback from Torsten
>> Reviewing Breno's proposed edits
>>                Other than those we comment on here, we are using the
>> resolutions in Nat's response note
>>                Should indicate the fact that the two flows can be used in
>> combination
>>                when a client consists of different components that both
>> maintain user
>>                signed-in state
>>                               Nat will take a stab at text for this
>>                               John asked whether this should be supported
>> in Lite
>>                                              This should be in "Standard"
>> - not in "Lite"
>>                Related question - do we want code flow in Lite as well as
>> implicit or just implicit?
>>                               We should go with just implicit to keep Lite
>> as simple as possible
>>                Breno's comments about cross-domain post message and HTML5
>> (starting "- Client sends a request to authorization server -> Client
>> submits"...)
>>                               Somebody (probably Breno) needs to propose
>> normative text for this
>>                               Since it affects interop
>>                               In further discussions, we agreed that we
>> want to mostly refer to OAuth 2 and not do Connect-specific things when
>> possible
>>                                              So post message flow should
>> happen in OAuth 2 - not OpenID Connect
>>                Per Breno's comments about code+token
>>                               We agreed that this doesn't belong in Lite
>>                               (Per OAuth draft 19 & 20, this also becomes
>> "code token")
>>                JWT format will used for id_token, but id_token is not part
>> of Lite
>> Reviewing Caspar's proposed edits
>>                Nat agrees with all of Caspar's proposed edits - Mike to
>> review and check in
>>                We agreed that redirect_uri should be required for now (as
>> it already is)
>> Breno requested that remove the native application text in the session
>> management spec
>>                We're not sure that this is right yet
>>                Code flow needed for Native apps
>>                               We need to investigate this if we're only
>> mandating token flow in Lite
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list