[Openid-specs-ab] More thoughts on the Federation Spec Vote...
mike at gluu.org
Tue Jul 24 00:42:30 UTC 2018
And even more thoughts....
This is the first substantive discussion we've had about what is the
best approach for OpenID Connect federations!
It's like we are deciding what kind of food to eat: mexican, japanese or
italian (all good choices...). Someone made the choice Japanese. Why
are you complaining? We can adjust the sushi order later... But wait!
Maybe I want pizza! This analogy is probably too fair, because really
it's like saying we choose: Nekmit food. I don't even know what kind
that is--but don't worry. We can fix it later after we implement.
Not only is this a new approach--I can't think of anywhere else in the
industry that is using deeply nested JWT's in this way. Sure--encrypted
and signed JWTs... but multi-level?
This has been a very closed process... there was no discussion on the
list about what type of federation is best for OpenID Connect. I wanted
that discussion to happen. But basically all we could do was wait for
new drafts to be published. And now we are being asked to vote for
And not one that there is any need to rush--because as far as I can
tell, what federation is looking to implement in 2018? Or maybe even in
2019? Why on earth are we rushing?
Phil is pointing out that my issue is a manifestation of the larger
problem. I think he's right. I don't know all the history, but I suspect
that the reason is because OpenID Connect has grown in importance, and
now the process needs to reflect that. So I guess that's a good thing.
More information about the Openid-specs-ab