[Openid-specs-ab] Spec call notes 1-Sep-16

Mike Jones Michael.Jones at microsoft.com
Thu Sep 1 16:31:17 UTC 2016


Spec call notes 1-Sep-16

Mike Jones
Prateek Mishra
Phil Hunt
John Bradley

Agenda
              Effects of disabling of 3rd party browser cookies
              Open Issues
              Progressing Front-Channel and Back-Channel Logout
              Certification Update
              Next Call

Effects of disabling of 3rd party browser cookies
              The OP is loading RP iframes
              The iframe will load but because the OP is the origin, the RP won't be able to clear the session cookie
              We don't think there are any workarounds
                           If there were workarounds, advertisers, etc. could use them for tracking cookies
              Mike will ask the Microsoft folks who have implemented this about their experience
              This is tracked in issue #1003:
                           Document possible impacts of disabling third-party cookies on front-channel logout
              Mike will take a stab at writing text for the front-channel logout spec

              Back-channel logout and the session management approach still work with 3rd party cookies disabled

Open Issues
              #1003: Document possible impacts of disabling third-party cookies on front-channel logout
                           Discussed above
              #1002: Clarify meaning of exp claim in ID Token
                           John suggests that we add "from the OpenID Provider" to the wording.
                           Phil suggests that we say somewhere that this is unrelated to session lifetime.
                                         ... not intended to set limits on or be related to session lifetime.
                           Mike will take a stab at revised wording.
              #1000: Logout Token has wrong mandatory field (sub vs. jti)
                           "jti" is unique per JWT to prevent replay
                           The Session ID will be the same across multiple ID Tokens for the session
                           The topic really is what does an RP need to know to make use of logout
                                         Phil said that some RPs may not be doing personalization and may not care about "sub"
                           We're already letting RPs that need Session IDs require them
                           The front-channel logout typically doesn't need a Session ID (but RPs can ask for them)
                           We're trying to have the two approaches be as parallel as possible
                           Phil is interested in always having a Session ID
                           John is interested in not always having a Subject and instead using a Session ID
                                         It should be configurable by the client like Session ID

Progressing Front-Channel and Back-Channel Logout
              After one more round of cleanups, we should probably hold implementer's draft votes for these specs
              People should be reviewing the drafts now

Certification Update
              Mike has reviewed the test lists in Roland's RP testing code
              They appear to be ready to go for Basic, Implicit, Config, and Dynamic
              Three new tests (which should be easy to implement) are needed for Hybrid
              Mike is working with Roland on creating updated testing instructions
                           The structure of the tests changed during CIS based on feedback from Hans Zandbelt
              Mike will send them out for review probably next week
              We appear to be on track for having some launch certifications in time for the Internet Identity Workshop

Next Call
              Our next call will be Wednesday, Sep 7 at 4pm Pacific because that Monday is Labor Day in the US
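As an added illustration (not code from the call notes or from any OpenID implementation) of the RP-side checks that issue #1000 turns on: the "jti" goes into a replay cache, and the RP configures whether it needs a Subject, a Session ID, or both. The names LogoutTokenChecker and SAMPLE_CLAIMS are hypothetical; the claim names jti, sid, sub, iat and the events URI are those used by the Back-Channel Logout spec, and the example assumes the JWT signature, issuer and audience were verified before these checks run.

```python
import time

# Event URI the OpenID Connect Back-Channel Logout spec puts in the "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

class LogoutTokenChecker:
    """RP-side claim checks for a Logout Token (hypothetical helper).
    Assumes the JWT signature, "iss" and "aud" were verified already;
    require_sub / require_sid express what this RP needs (issue #1000)."""

    def __init__(self, require_sub=True, require_sid=False, jti_ttl=300):
        self.require_sub = require_sub
        self.require_sid = require_sid
        self.jti_ttl = jti_ttl      # seconds a jti stays in the replay cache
        self._seen_jti = {}         # jti -> time at which it may be forgotten

    def check(self, claims, now=None):
        """Return (accepted, reason); an accepted token's jti is recorded."""
        now = time.time() if now is None else now
        # Expire old entries so the replay cache stays bounded.
        self._seen_jti = {j: t for j, t in self._seen_jti.items() if t > now}
        if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
            return False, "missing backchannel-logout event"
        # Forgetting a jti is only safe if tokens older than the TTL are
        # rejected outright; otherwise an old token could be replayed later.
        iat = claims.get("iat")
        if iat is None or now - iat > self.jti_ttl:
            return False, "missing or stale iat"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        if jti in self._seen_jti:
            return False, "replayed jti"
        sub, sid = claims.get("sub"), claims.get("sid")
        if sub is None and sid is None:
            return False, "neither sub nor sid present"
        if self.require_sub and sub is None:
            return False, "RP requires sub"
        if self.require_sid and sid is None:
            return False, "RP requires sid"
        self._seen_jti[jti] = now + self.jti_ttl
        return True, "ok"

# Constructed sample Logout Token claims (not from any real OP).
SAMPLE_CLAIMS = {"iss": "https://op.example", "aud": "rp-client", "iat": 1000,
                 "jti": "jti-0001", "sid": "sess-42", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
```

A second delivery of the same token is refused as a replay, and once the cache entry has aged out the iat check refuses it as stale instead.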