[Openid-specs-ab] More thoughts on the Federation Spec Vote...

Mike Schwartz mike at gluu.org
Tue Jul 24 00:42:30 UTC 2018


And even more thoughts....

This is the first substantive discussion we've had about what is the 
best approach for OpenID Connect federations!

It's like we are deciding what kind of food to eat: Mexican, Japanese or 
Italian (all good choices...).  Someone made the choice Japanese. Why 
are you complaining? We can adjust the sushi order later... But wait! 
Maybe I want pizza! This analogy is probably too fair, because really 
it's like saying we choose: Nekmit food. I don't even know what kind 
that is--but don't worry. We can fix it later after we implement.

Not only is this a new approach--I can't think of anywhere else in the 
industry that is using deeply nested JWTs in this way. Sure--encrypted 
and signed JWTs... but multi-level?

This has been a very closed process... there was no discussion on the 
list about what type of federation is best for OpenID Connect. I wanted 
that discussion to happen. But basically all we could do was wait for 
new drafts to be published. And now we are being asked to vote for 
implementation.

And not one that there is any need to rush--because as far as I can 
tell, what federation is looking to implement in 2018? Or maybe even in 
2019? Why on earth are we rushing?

Phil is pointing out that my issue is a manifestation of the larger 
problem. I think he's right. I don't know all the history, but I suspect 
that the reason is because OpenID Connect has grown in importance, and 
now the process needs to reflect that. So I guess that's a good thing.

- Mike




