<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 28-Jul-11<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Johnny Bufu<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Specific questions about spec features<o:p></o:p></p>
<p class="MsoNormal"> audience parameter in request<o:p></o:p></p>
<p class="MsoNormal"> nonce parameter in request<o:p></o:p></p>
<p class="MsoNormal"> req -> request in OAuth request<o:p></o:p></p>
<p class="MsoNormal"> Can a redirect_url be a redirect URI?<o:p></o:p></p>
<p class="MsoNormal"> Editing updates<o:p></o:p></p>
<p class="MsoNormal"> IPR Contribution Agreements<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">audience parameter in request<o:p></o:p></p>
<p class="MsoNormal"> A bad RP could put in someone else's audience<o:p></o:p></p>
<p class="MsoNormal"> Do we not pass it and have audience constructed out of return_to?<o:p></o:p></p>
<p class="MsoNormal"> Edmund thought this had to do with input from Breno about native clients<o:p></o:p></p>
<p class="MsoNormal"> We don't have enough information to use it properly - will remove unless clarified<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">nonce parameter in request<o:p></o:p></p>
<p class="MsoNormal"> Should RP supply a nonce or just request that a nonce be used?<o:p></o:p></p>
<p class="MsoNormal"> John asked what the difference between nonce and state is<o:p></o:p></p>
<p class="MsoNormal"> Edmund thought that this was something specific to Facebook<o:p></o:p></p>
<p class="MsoNormal"> Nat pointed out that we haven't said anything about processing rules for the nonce<o:p></o:p></p>
<p class="MsoNormal"> Other than that the value is returned in id_token<o:p></o:p></p>
<p class="MsoNormal"> No rule about verifying nonce, at present<o:p></o:p></p>
<p class="MsoNormal"> John will look at the Facebook documentation and investigate their usage<o:p></o:p></p>
<p class="MsoNormal"> If not required for the Lite spec, it should probably be removed there<o:p></o:p></p>
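<p class="MsoNormal">As an added illustration (not text from the call or from any OpenID Connect draft) of the two points above, the audience question and the missing nonce processing rules, the following RP-side check binds <code>state</code> to the browser session and <code>nonce</code> to the authorization request, then rejects an id_token whose audience is another client or whose nonce is unknown or already consumed. It assumes the final spec's claim names (<code>aud</code>, <code>iss</code>, <code>nonce</code>, <code>exp</code>), that the id_token signature has already been verified, and a constructed in-memory session store.</p>

```python
import secrets
import hmac
import time

# Constructed stand-in for the RP's server-side session store:
# browser session id -> the pending state/nonce pair for one login attempt.
SESSIONS = {}

def begin_login(session_id, client_id, redirect_uri, issuer):
    """Build the authorization request, binding state and nonce to the session.
    'state' later ties the callback to this browser session (anti-CSRF);
    'nonce' later ties the returned id_token to this request (anti-replay)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"state": state, "nonce": nonce, "issuer": issuer,
                            "client_id": client_id, "issued_at": time.time()}
    return {"response_type": "id_token", "client_id": client_id,
            "redirect_uri": redirect_uri, "scope": "openid",
            "state": state, "nonce": nonce}

def verify_id_token_claims(session_id, returned_state, claims, now=None):
    """Check decoded (signature-verified) id_token claims against what this
    session sent. Returns (ok, reason). The pending nonce is consumed on the
    first successful check, so a captured id_token cannot be replayed."""
    now = time.time() if now is None else now
    pending = SESSIONS.get(session_id)
    if pending is None:
        return False, "no login in progress for this session"
    if not hmac.compare_digest(returned_state, pending["state"]):
        return False, "state mismatch (callback not bound to this session)"
    # Assumed 'aud' claim carries the audience; it may be a string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if pending["client_id"] not in audiences:
        return False, "id_token not issued for this RP (audience mismatch)"
    if claims.get("iss") != pending["issuer"]:
        return False, "unexpected issuer"
    if not hmac.compare_digest(str(claims.get("nonce", "")), pending["nonce"]):
        return False, "nonce mismatch (id_token is not a response to this request)"
    if claims.get("exp", 0) <= now:
        return False, "id_token expired"
    del SESSIONS[session_id]  # single use: the same nonce is never accepted twice
    return True, "ok"
```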
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">req -> request in OAuth HTTP request<o:p></o:p></p>
<p class="MsoNormal"> We agreed to make this change<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can a redirect_url be a redirect URI?<o:p></o:p></p>
<p class="MsoNormal"> We think no<o:p></o:p></p>
<p class="MsoNormal"> This is separate from the js_origin_url<o:p></o:p></p>
<p class="MsoNormal"> (The js_origin_url may not use an http scheme, but is still a redirect target)<o:p></o:p></p>
<p class="MsoNormal"> Nat wondered whether he wanted to change the name just to be closer to OAuth<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Editing updates<o:p></o:p></p>
<p class="MsoNormal"> Mike has reviewed Casper's edits and is ready to check them in, modulo the discussions above<o:p></o:p></p>
<p class="MsoNormal"> John has the Lite spec down to about 15 pages including Security Considerations<o:p></o:p></p>
<p class="MsoNormal"> This includes id_token<o:p></o:p></p>
<p class="MsoNormal"> Without security considerations and references it is 10 pages, including 1.5 pages of index<o:p></o:p></p>
<p class="MsoNormal"> Or roughly 8 pages of spec material<o:p></o:p></p>
<p class="MsoNormal"> John reverted the text to use the name "Introspection Endpoint"<o:p></o:p></p>
<p class="MsoNormal"> John asked whether we should copy the relevant portions of the Discovery spec into Lite<o:p></o:p></p>
<p class="MsoNormal"> We agreed no, saying that Discovery is optional and could be replaced by manual configuration<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Besides producing Lite, we also need to produce:<o:p></o:p></p>
<p class="MsoNormal"> Standard <o:p></o:p></p>
<p class="MsoNormal"> Messages (Core and Framework)<o:p></o:p></p>
<p class="MsoNormal"> Already have:<o:p></o:p></p>
<p class="MsoNormal"> Discovery<o:p></o:p></p>
<p class="MsoNormal"> Registration<o:p></o:p></p>
<p class="MsoNormal"> Session Management<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Lite is pared down to the world view of an RP<o:p></o:p></p>
<p class="MsoNormal"> Compliance requirements may be different for IdPs than for RPs<o:p></o:p></p>
<p class="MsoNormal"> IdPs should support code and token flows but RPs can just support token<o:p></o:p></p>
<p class="MsoNormal"> Say this in a conformance section in Standard<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IPR Contribution Agreements<o:p></o:p></p>
<p class="MsoNormal"> Nat will review the list archives and produce a list of people we need IPR agreements from<o:p></o:p></p>
<p class="MsoNormal"> We should not go to an implementer's draft until we have the appropriate agreements in place<o:p></o:p></p>
</div>
</body>
</html>