[Openid-specs-ab] Spec Call Notes 26-Mar-20

Mike Jones Michael.Jones at microsoft.com
Thu Mar 26 15:17:54 UTC 2020


Spec Call Notes 26-Mar-20

Mike Jones
Filip Skokan
Brian Campbell
Tim Cappalli
George Fletcher
Bjorn Hjelm
John Bradley

Introductions
              Tim Cappalli just joined the Microsoft Identity Standards team
              Tim introduced himself and the other participants introduced themselves to Tim

Migration from Mercurial to Git
              Edmund Jay posted a sample conversion in December at https://bitbucket.org/edmund_jay/connect/
                           People are encouraged to review the draft conversion
                           Also review:
                           https://bitbucket.org/edmund_jay/connect/commits/
                           https://bitbucket.org/edmund_jay/connect/src/master/
                           https://bitbucket.org/edmund_jay/connect/issues?status=new&status=open
              It changes the Mercurial commit IDs to Git commit IDs
              Identities should be the same between Mercurial and Git on Bitbucket
              We plan to do the migration for real in early April

Yahoo is turning off OpenID 2.0 support
              They support the OpenID 2.0 to OpenID Connect migration spec

AppAuth
              The AppAuth libraries are a project of the OpenID Connect working group
              George believes there is no current maintainer for AppAuth Android
                           There is a Verizon Media person Anand willing to do it
                           Verizon Media has added WebKit support
                           We could have a whole call on this topic
                           George will ask Anand to join a future call
              William Denniss has been maintaining AppAuth for iOS
                           John says that the iOS library uses the iOS SF authentication controller, which has WebAuthn support
                           See https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
              William had started a JavaScript library but it is currently unmaintained
                           Filip: It is getting ~9000 weekly downloads as a package
                           Filip says that it is not for browsers

Logout Certifications and Spec Review
              We got our first logout RP certifications this week
              People are asked to review the three logout specs in preparation for taking them to final status
              We discussed possibly breaking RP-Initiated Logout out into its own spec (removing it from Session Management)
                           See issue https://bitbucket.org/openid/connect/issues/1162

Logout and Safari/Brave Third Party Cookie Blocking
              Session change notifications don't work with third party cookies disabled
              Front-channel logout also has problems
                           It's the notification channels that are affected
              Back-channel logout continues to work
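The reason back-channel logout keeps working when third-party cookies are blocked is that the OP delivers a signed logout token straight to the RP's back-end rather than relying on browser state. The following added example (not part of these call notes or of any OpenID Foundation code) shows the RP-side validation such a token needs before the RP terminates a session: signature, iss, aud, iat, jti replay, the events claim, sub or sid, and the absence of nonce. It uses HS256 with a constructed shared key so it runs offline; the issuer URL, client id, key and claim values are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Event URI that must appear as a member of the "events" claim of a logout token.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, key: bytes) -> str:
    """Constructed OP-side helper: mint an HS256-signed logout token for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_logout_token(token, key, issuer, client_id, now, max_age=120, seen_jti=None):
    """RP-side validation. Returns (True, claims) on success, (False, reason) otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable JWT segment"
    # Pin the algorithm: the token header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token not addressed to this RP"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        return False, "iat missing or outside the acceptable window"
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return False, "jti missing"
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        return False, "events claim lacks the back-channel logout event"
    if not claims.get("sub") and not claims.get("sid"):
        return False, "neither sub nor sid present"
    # A logout token must not carry a nonce; one that does may be an ID Token being replayed.
    if "nonce" in claims:
        return False, "nonce present; this is an ID Token, not a logout token"
    # Replay protection is checked last so a rejected token does not consume its jti.
    if seen_jti is not None:
        if jti in seen_jti:
            return False, "replayed jti"
        seen_jti.add(jti)
    return True, claims


def demo():
    """Exercise the validator with constructed tokens: valid, replayed, ID-Token-like, tampered."""
    key = b"constructed-shared-secret"  # hypothetical HS256 key shared by OP and RP
    issuer, client_id, now = "https://op.example", "rp-client-id", 1700000030
    base = {"iss": issuer, "aud": client_id, "iat": 1700000000, "jti": "evt-001",
            "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sid": "session-42"}
    seen = set()
    good = validate_logout_token(make_logout_token(base, key), key, issuer, client_id, now, seen_jti=seen)
    replay = validate_logout_token(make_logout_token(base, key), key, issuer, client_id, now, seen_jti=seen)
    id_token_like = make_logout_token({**base, "jti": "evt-002", "nonce": "n-1"}, key)
    with_nonce = validate_logout_token(id_token_like, key, issuer, client_id, now)
    tampered = make_logout_token(base, key)[:-4] + "AAAA"
    bad_sig = validate_logout_token(tampered, key, issuer, client_id, now)
    return {"good": good[0], "replay": replay[1], "with_nonce": with_nonce[1], "bad_sig": bad_sig[1]}


if __name__ == "__main__":
    print(demo())
```

In production the OP signs with an asymmetric key published at its JWKS endpoint and the RP verifies with a JOSE library; the claim checks above are the part that stays the same, and the jti set would live in shared storage so every RP instance sees it.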

Proposed IsLoggedIn W3C browser feature
              See https://github.com/WebKit/explainers/tree/master/IsLoggedIn
              People are encouraged to review this

OpenID Connect for Identity Assurance
              The public review for the second Implementer's Draft has started
              https://openid.net/2020/03/24/second-public-review-period-for-openid-connect-for-identity-assurance-specification-started/

App Impersonation on Android
              George suggested we discuss app impersonation on Android
              If using a custom scheme on Android, the OS asks you which app you want to invoke
                           Only asked if multiple apps are registered for the scheme
              John: There is no protection for app impersonation
              John: The way to stop this is to use a claimed URL
              George: Or you can use Dynamic Client Registration
              John: There's currently no way to uniquely identify the app
                           It could be done using WebAuthn, in which the assertion identifies the app
              George: User consent is another defense, but it's a strange UX
              George would like us to provide guidance somewhere
                           John suggested a revision of the Native Application Best Practices specification

OAuth JAR
              Nat is going to update the spec to allow the client_id as a request parameter again

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              We ran out of time and so didn't look at any open issues on this call

Next Call
              The next working group call is Monday, March 30, 2020 at 4pm Pacific Time