[Openid-specs-ab] Spec Call Notes 6-Jun-19

Phil Hunt phil.hunt at oracle.com
Tue Jun 11 20:55:49 UTC 2019


Another article…
https://techcrunch.com/2019/06/07/answers-to-your-burning-questions-about-how-sign-in-with-apple-works/

Apple is requiring prominent position and NASCAR style login. 

Phil Hunt | Cloud Security and Identity Architect
Oracle Corporation, Oracle Cloud Infrastructure
@independentid
www.independentid.com
phil.hunt at oracle.com






> On Jun 11, 2019, at 12:22 PM, Chuck Mortimore via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Also of interest - there appears to be some underlying OpenID Connect support as well: 
> 
> https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider?changes=latest_minor <https://urldefense.proofpoint.com/v2/url?u=https-3A__developer.apple.com_documentation_authenticationservices_asauthorizationsinglesignonprovider-3Fchanges-3Dlatest-5Fminor&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=pByPjp-wChGrxh0T2ypv-eLWa87M9yrg1LdSd3iozsk&e=>
> 
> On Thu, Jun 6, 2019 at 11:04 AM Chuck Mortimore <cmortimore at salesforce.com <mailto:cmortimore at salesforce.com>> wrote:
> We've looked into sign in with apple a bit, and it appears to largely be openid connect.  A few things of note
> client_secret is actually an ES256 JWT rather than a shared secret.   They did not use RFC7521 format for that.
> there doesn't appear to be a userinfo endpoint
> there's a step where you need to download a signed artifact and host it under .well-known for domain verification
> 
> On Thu, Jun 6, 2019 at 10:33 AM Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
> Spec Call Notes 6-Jun-19
> 
>  
> 
> Mike Jones
> 
> Nat Sakimura
> 
> Bjorn Hjelm
> 
> Brian Campbell
> 
> Rich Levinson
> 
>  
> 
> Login with Apple
> 
>               Apple announced Login with Apple this week at their developer's conference
> 
>               Nov Matake has created a Ruby gem for it, and so knows the ins and outs of the protocol
> 
>               Apparently it is Connect-like but not exactly Connect
> 
>               Nat and Mike have asked Nov if he could summarize how it's the same and different
> 
>               Mike found this after the call https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple <https://urldefense.proofpoint.com/v2/url?u=https-3A__developer.okta.com_blog_2019_06_04_what-2Dthe-2Dheck-2Dis-2Dsign-2Din-2Dwith-2Dapple&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=FbbPSLBbhJKjNMfE_dlm6Frh0RhAEIqEsLIv_iSd4SM&e=>
>               Dick Hart pointed out new app store requirements to use Login with Apple on Twitter
> 
>               https://twitter.com/DickHardt/status/1135769039043563520 <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_DickHardt_status_1135769039043563520&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=x-HPL6tC3QGF5s6Dyf_Gq8XAcVYXTMVipuCTFlT3DaE&e=>
>  
> 
> Authentication Failed Error Code Draft
> 
>               Mike sent in a review
> 
>  
> 
> OpenID Connect for Identity Proofing
> 
>               Mike sent in a review
> 
>                            The most important comment was to make it about verified data - not just verified person data
> 
>                            Verified person data can still be covered by the draft
> 
>               Nat: It's always good to have a general thing - then you can profile it to meet your specific requirements
> 
>               Tony wrote that we should align with ISO 2903
> 
>               We should also look at the EU minimal viable KYC document
> 
>                            PRIORITY GROUP 2 PROPOSAL FOR AN ATTRIBUTE-BASED & LoA-RATED KYC FRAMEWORK FOR THE FINANCIAL SECTOR IN THE DIGITAL AGE
> 
>  
> 
> EIC
> 
>               The OpenID workshop was very well attended
> 
>  
> 
> Transient Subject Identifier Type
> 
>               Davide Vaghetti wrote a document on this
> 
>                            See https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9 <https://urldefense.proofpoint.com/v2/url?u=https-3A__gist.github.com_daserzw_813023b4e1c04d09beb732ef00d7c9e9&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=6nzs22RpynztnIp-rfXT2aqpBDXLxtss2rW9hubfBhw&e=>
>                            People should review his proposal
> 
>               There's a mailing list discussion on whether RPs need to be dynamically told that the subject is transient
> 
>               Some banks are using the transaction ID as the subject, which is problematic
> 
>                            Apparently the banks are reluctant to provide user identity
> 
>                            It's especially problematic when people have multiple accounts
> 
>                            Brian stated that the Open Banking use case was intended to be pure authorization - not identity
> 
>                            This has been discussed in the FAPI working group
> 
>               We should explicitly describe the "sub" lifetime expectations in Connect Core
> 
>                            Nat filed the issue #1096 - Core - Section 8. Need more subject_type
> 
>                            Nat gave the example that passports use time-bound identifiers
> 
>                            Nat said that age verification is a possible use case for ephemeral identifiers
> 
>               Nat said that identifier unlinkability is described in ISO 27551
> 
>  
> 
> EAP
> 
>               We're in the public review period for the two EAP specs
> 
>                             https://openid.net/2019/04/22/public-review-period-for-two-proposed-eap-implementers-drafts/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__openid.net_2019_04_22_public-2Dreview-2Dperiod-2Dfor-2Dtwo-2Dproposed-2Deap-2Dimplementers-2Ddrafts_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=68mObeXwTmpUQERyR0jxmKKUdzFn2o92t4nT7DB2sds&e=>
>                            People are encouraged to review them
> 
>               Voting was started
> 
>                            However it was blocked by a Ruby application error
> 
>                            Mike will have Nov Matake investigate
> 
>                                          It turns out to have been caused by a Rails version upgrade, which Nov fixed
> 
>                            The voting period will need to be rescheduled
> 
>  
> 
> Open Issues
> 
>               https://bitbucket.org/openid/connect/issues?status=new&status=open <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_connect_issues-3Fstatus-3Dnew-26status-3Dopen&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=qAs3iJdZXpAZyhJaGofKVo6ggzX6qFRoW2yJRLUn54E&e=>
>               #1093 - Extensibility: how do we support extensibility for trust frameworks, evidences, verification methods and id documents?
> 
>                            Mike will comment on registries, OpenID, and IANA
> 
>               #1094 - How to treat unknown identifiers in claims parameter
> 
>                            In general, we ignore not-understood values
> 
>                            If a value is required and not understood, and appropriate error can be returned
> 
>               #1095 - Registration - 3 - rotate/renew secret
> 
>                            RFC 7592 can be used to do this
> 
>               #1096 - Core - Section 8. Need more subject_type
> 
>                            Mike commented about the existing subject types being persistent
> 
>  
> 
> Next Call
> 
>               The next call is Tuesday, June 11 at 4pm Pacific Time
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=zSdCmqsr-MTuEcFxOexi7MkfXfnpgTJM_-SnFuaITKA&e=>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=zSdCmqsr-MTuEcFxOexi7MkfXfnpgTJM_-SnFuaITKA&e= <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=1sXeeP122voya6GkTCBab7Y8uEBH1J0gd1dAqw4CM9o&s=zSdCmqsr-MTuEcFxOexi7MkfXfnpgTJM_-SnFuaITKA&e=>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190611/7f3d94ae/attachment-0001.html>


More information about the Openid-specs-ab mailing list