[Openid-specs-ab] Spec Call note 03-Oct-2013
Michael.Jones at microsoft.com
Thu Oct 3 20:43:37 UTC 2013
Google and Microsoft both have it in production. Edmund has been doing interop testing with Microsoft and plans to do so with Google.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Thursday, October 03, 2013 1:08 PM
To: Edmund Jay; Edmund Jay; openid-specs-ab
Subject: Re: [Openid-specs-ab] Spec Call note 03-Oct-2013
Who has actually implemented the session management spec and uses it in production? We didn't and use a redirect/jsonp based approach instead.
Edmund Jay <ejay at mgi1.com> wrote:
Spec Call notes 03-Oct-2013
Mike was absent from call so it was not discussed.
#882: All - JWT and JOSE specification versions
#881: Discovery 1 - Relationship to OAuth Dynamic Registration
The above 2 issues are editorial changes
#879: Messages 6.1 - The OpenID Foundation may consider hosting a site https://self-issued.me/
#880: Messages 6.2 - The OpenID Foundation may consider hosting the endpoint https://self-issued.me/registration/1.0/
Nat and Justin suggest using https://self-issued.openid.net/ rather than a domain in another country.
#878: Messages 188.8.131.52 Define "negative response" for id_token_hint
Summary from conversations in the mailing list:
When prompt=none is requested and the user is not logged in, the error response will be login_required
When prompt=none is requested and there is no id_token_hint, Breno suggests trying to satisfy the request
if there is a signed-in user who has approved the application previously
#876: Google "iss" value missing https://
Needs further discussion
#877: Messages 2.1.3 Description of interaction_required, login_required, session_selection_required and consent_required conflicts with prompt none specification
It is agreed that language will be changed to MUST NOT to keep consistency
Needs more interop work
Edmund has session management RP working with Microsoft OP
Currently seeking Google's session management endpoints (please respond if anyone knows)
The Session Management spec is not as mature as the other specs and also subject to cookie and local storage policies.
Will need to explore the possibility of going forward without Session Management
Edmund will suggest text to clarify some points for current doc.