[Openid-specs-ab] Spec Call Notes 30-Jul-20

Mike Jones Michael.Jones at microsoft.com
Thu Jul 30 16:38:12 UTC 2020


Spec Call Notes 30-Jul-20

Nat Sakimura
Tim Cappalli
Brian Campbell
Bjorn Hjelm
Mike Jones
Tom Jones
John Bradley
Filip Skokan

OAuth JAR
              Nat published draft -26, addressing comments by Ben Kaduk
              Nat will reach out to Ben after IETF finishes

Adopting RP-Initiated Logout Spec
              Mike called for adoption of the RP-Initiated Logout spec
                           https://openid.net/specs/openid-connect-rpinitiated-1_0.html
              It consists entirely of content extracted from the Session Management spec
              Those on the call were in favor of adoption
              Unless objections are heard within two weeks, it will be adopted

Aggregated Claims Draft
              It is intended to make aggregated and distributed claims interoperable
              Nat mailed it to the working group
                            http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200720/007857.html
              It was discussed during the second SIOP meetup
              Nat called for it to be adopted
              Those on the call were in favor of adoption
              Unless objections are heard within two weeks, it will be adopted

Certification
              Nat and Edmund have submissions ready for Basic and Implicit OP
              They filed https://gitlab.com/openid/conformance-suite/-/issues/792
                           Nat will add that the Python suite passed when the nonce was not returned from the authorization endpoint
                           Related to https://bitbucket.org/openid/connect/issues/1052/make-clear-that-nonce-is-always-required
              We got a full set of OP submissions from Filip
              Filip discovered that the RP Config and RP Dynamic profiles aren't yet in the Java suite

SIOP Meeting Follow-up
              We agreed to follow up on the laundry list and break it into individual issues
              We agreed to dedicate the Pacific call to mostly discussing SIOP issues
                            We can also discuss this at times on the Atlantic call

Logout and Session Issues
              At https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout
              and https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Session
              #1003 - Document possible impacts of disabling third-party cookies on front-channel logout
                           Mike will propose warning text in the Implementation Consideration sections
              #1017 - Session management: RP-init logout: Proposal for optional ui_locales parameter
                           Mike will ask in the issue whether the OP already knows the locale info
              #1056 - Use of id_token in RP-Initiated Logout as the id_token_hint
                           Should we allow POST to the logout endpoint?
                           Filip said that Connect requires POST support to the authorization endpoint
                                         But it's a MAY in OAuth
              #1022 - Session Management OP Frame message origin assertion
                           Filip to review the issue and propose specific changes
              #1047 - session_state - upon authentication failure?
                           Filip to review the issue and propose specific changes

Key Recovery
              We discussed Tom and Tobias' key recovery proposals
              John described possible use of WebAuthn for this
              We also touched on Tom's persistent ID proposal
                           Nat said that this is potentially related to the MODRNA Account Porting specification
              We will work on open tickets related to these
              A draft may be created and submitted to the WG
              John and Kim Cameron discussed encrypting bootstrap info into the DID document
                           and then using WebAuthn to decrypt the info in a wallet after the user has authenticated via WebAuthn
              John: You could also include the WebAuthn credentialID in the DID document as well
                           Only the person with the authenticator would be able to decrypt the key info

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              (No additional open issues were discussed)

Next Call
              The next working group call is Monday, August 3 at 4pm Pacific Time