[Openid-specs-ab] Spec call notes 2-Dec-13

Mike Jones Michael.Jones at microsoft.com
Tue Dec 3 00:11:32 UTC 2013

Spec call notes 2-Dec-13

John Bradley
Edmund Jay
Brian Campbell
Nat Sakimura
Mike Jones

               IdP-initiated Login
               Open Issues
               E-mails to the list
               Hosting self-issued.me
               Editing Status

Editing Status:
               Mike applied Justin's Core comments, which resulted in numerous small changes
               There remain about 10 comments tracked in e-mails and about 6 as tracked issues
               After applying those, Mike expects to publish new release candidates
               These release candidates will not include the results from the reviews of Discovery & Registration
               New release candidates will be published after these reviews are applied

IdP-initiated Login:
               Also see the thread "Login Initiation endpoint" and issue #904
               John doesn't believe there's a threat with sending id_token_hint as a query parameter
               We should say that the endpoint accepts both HTML form POST and GET
                              This prevents things leaking through redirects
               The id_token parameter could be added as an extension
               Nat asked about preventing XSRF
                              John replied that this can only happen if the third party can trick the OP into sending an ID Token
                              Because only the OP can create a valid ID token
                              Even if the attacker logs in with his own credentials to an IdP, he cannot trigger login to a third party
                                             Because of the protections provided by the Implicit or Code flows
                              Nat is concerned with attackers logging a user in with the wrong account
               Nat wants to do this as an extension so we have time for a thorough security analysis
                              John is OK with this, provided that we allow HTML form post
                              Nat is OK with this too

Open Issues:
               There are no new open issues
               John plans to add one to track his message "Login Initiation endpoint"

E-mails to the list:

Hosting self-issued.me
               John will try to work on this this week
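The following is an added illustration, not part of the call notes and not text or code from the OpenID specifications: a minimal RP-side login-initiation endpoint built along the lines discussed above. It accepts id_token_hint either as a GET query parameter or as an HTML form POST (the form keeps the token out of URLs, Referer headers and server logs), only accepts hints that verify as ID Tokens from an OP the RP is already registered with, and then starts an ordinary authorization code flow with fresh state and nonce rather than logging anyone in on the strength of the hint. The endpoint behaviour, the OP registry, the use of HS256 ID Tokens keyed with the client secret, the redirect URI and the sample tokens are all assumptions made for the example.

```python
"""Illustrative RP login-initiation endpoint (added example, not spec text).
Assumed for the demo: the OP registry, HS256 ID Tokens keyed with the
client secret, the redirect URI and the constructed sample hints below."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical registry of OPs this RP has registered with. The RP only ever
# redirects to an OP it already trusts, never to an issuer named by the caller.
KNOWN_OPS = {
    "https://op.example.com": {
        "authorization_endpoint": "https://op.example.com/authorize",
        "client_id": "rp-client-123",
        "client_secret": b"constructed-client-secret",
    }
}
REDIRECT_URI = "https://rp.example.org/cb"      # assumed RP redirect URI
PENDING = {}  # state -> nonce: the RP's per-request binding for the code flow

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Constructed sample ID Token for the demo; an OP, not the RP, would mint this."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hint(token: str, now: float):
    """Return the claims if the hint is a valid, unexpired ID Token issued to this
    RP by a known OP, else None. Nothing is granted on it: it only selects which
    trusted OP the user is sent to."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
        alg = json.loads(b64url_decode(header)).get("alg")
    except ValueError:
        return None
    op = KNOWN_OPS.get(claims.get("iss"))
    if op is None or alg != "HS256":
        return None
    expected = hmac.new(op["client_secret"], f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    aud = claims.get("aud")
    if op["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims

def handle_login_initiation(method: str, query: str, body: str, now=None):
    """Accept id_token_hint by GET (query string) or HTML form POST (body).
    Returns ('redirect', url) on success or ('error', reason)."""
    now = time.time() if now is None else now
    params = parse_qs(query if method == "GET" else body if method == "POST" else "")
    hint = params.get("id_token_hint", [None])[0]
    if hint is None:
        return ("error", "missing id_token_hint")
    claims = verify_hint(hint, now)
    if claims is None:
        return ("error", "hint rejected")
    op = KNOWN_OPS[claims["iss"]]
    # The login itself is the ordinary code flow: fresh state and nonce bind the
    # eventual response to this browser session. The hint is merely forwarded to
    # the OP as the id_token_hint authentication request parameter.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING[state] = nonce
    authz = {
        "response_type": "code", "scope": "openid", "client_id": op["client_id"],
        "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
        "id_token_hint": hint,
    }
    return ("redirect", op["authorization_endpoint"] + "?" + urlencode(authz))

# Constructed sample input: an ID Token previously issued to this RP by the known OP.
SAMPLE_HINT = make_hs256_id_token(
    {"iss": "https://op.example.com", "sub": "user-42", "aud": "rp-client-123",
     "iat": 1386000000, "exp": 1386003600},
    KNOWN_OPS["https://op.example.com"]["client_secret"])
# A forgery naming an issuer the RP never registered with: rejected before any redirect.
FORGED_HINT = make_hs256_id_token(
    {"iss": "https://evil.example", "sub": "user-42", "aud": "rp-client-123",
     "iat": 1386000000, "exp": 1386003600},
    b"attacker-chosen-key")
```

Calling `handle_login_initiation("POST", "", urlencode({"id_token_hint": SAMPLE_HINT}))` yields a redirect to the known OP's authorization endpoint carrying a fresh state and nonce; the same hint via GET is accepted too, while the forged hint, an expired hint, or a request with no hint all return an error without any redirect. The RP's callback (not shown) would then match the returned state against PENDING and check the nonce in the resulting ID Token, which is where the real protection against a third party triggering a login lies.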