[Openid-specs-ab] Spec call notes 20-Mar-17

Mike Jones Michael.Jones at microsoft.com
Tue Mar 21 00:00:21 UTC 2017

Spec call notes 20-Mar-17

John Bradley
Phil Hunt
Mike Jones
Edmund Jay

Nat Sakimura and Brian Campbell sent their regrets

The call had been deleted from the calendar again, which may have resulted in the low attendance
                Nat restored it to the shared OpenID calendar right before the call

                Open Issues
                Potential confusion between ID Tokens and other JWTs
                Next Call

Open Issues
                Issue #1010: Create a Threat Document about the Misuse of OAuth
                                Nat created a tracking issue to remind us to create this threat document
                                Phil talked about the need for dual audiences in some native app scenarios
                                In some terrible examples, apps were just passing an e-mail address to a server, which performed no validation
                                Mike suggested that we have an ad-hoc discussion about this next week in Chicago
                                We could try to bang out bullet points for a blog post on this topic
                                John said that a symptom of the problem is some developers don't want to have an OAuth AS for their back-end
                                John called the problem "Fake Federation"

Potential confusion between ID Tokens and other JWTs
                Phil wanted to raise this issue with the Connect working group
                John said that for any generic token format, you'll have to decide how to tell one thing from another
                Phil said that there is no type
                Phil said that a SET is distinguished by having an "events" claim
                                But this can be ignored
                There are things that can be done using the audience
                Phil asked what it means for an event to be expired
                                Phil said that historical statements don't actually expire
                                John said that you want the JWT to expire so you don't have to have an infinite cache
                Phil said that "exp" is to be avoided in SETs to avoid confusion between SETs and access tokens
                                John said that this is problematic because then you don't know when you can evict the JWT from a cache
                                John said that if you remove token lifetime, you will eventually regret it
                                It's really about cache control - how long you look for duplicate "jti" values
                Mike pointed out that, as was said on the just-finished RISC call, SET design should primarily happen in the IETF SecEvent WG
                                That way, all the SecEvent WG members can participate in the discussions
                Mike said that confusion between ID Tokens and SETs isn't possible in practice
                                A SET doesn't have a nonce, which ID Tokens for all but response_type=code must
                                For response_type=code, a SET wouldn't be returned as an id_token value by the Token Endpoint
                Mike said that distinguishing between SETs and access tokens should be discussed at IETF
                                A problem is that OAuth says nothing about access token contents
                                Therefore, to even have that discussion, we'd have to start making assumptions about the contents of JWT access tokens
                John said that using different audiences for different protocols is a security best practice that probably applies here
                John said that clients don't currently publish identifiers for themselves, other than the client ID
                                He said that that's probably a mistake
                                Some use cases want an identifier that's dereferenceable
                                John then realized that the sector identifier URI is actually such as thing
                Mike asked whether Roland's federation spec has a dereferenceable client identifier
                                John thinks that it may have dereferenceable client URLs
                John said that having an identifier that's verifiable and not just self-asserted has proven valuable for the Connect issuer
                                We may want to do that for other participants
                                We can talk about this (and many other things!) in Chicago next week

Next Call
                The next call was scheduled for Thursday, March 30th at 7am Pacific Time
                                We decided to cancel that one because of IETF meeting
                The next call will be in two weeks at 4pm Pacific Time on Monday, April 3rd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170321/8534c4f4/attachment-0001.html>

More information about the Openid-specs-ab mailing list