<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">OK, I'll admit that I had assumed these
      were the implementer's draft releases, and therefore more final
      than what I thought. I would argue that the same brokenness
      argument ought to apply here with the other specs. I'm planning to
      make the meeting tomorrow so we can hash some things out there.<br>
      <br>
      Incidentally, I thought that we had all decided at IIW that IdP
      initiated login was a bad idea?<br>
      <br>
       -- Justin<br>
      <br>
      On 01/02/2013 03:26 PM, Mike Jones wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943669F7FBB@TK5EX14MBXC283.redmond.corp.microsoft.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div>
        <div style="font-family:Calibri,sans-serif; font-size:11pt">Fair
          questions, Justin.  First, this is not the Implementer's Draft
          release. A few more changes still need to be made to get
          there, including the ones you're mentioning about discovery
          and registration and also IdP initiated login.  This was an
interim release to keep Connect in sync with JWT.  Because of
          the JWT changes, Connect would have been broken without this
          release.<br>
          <br>
          The same isn't true of the discovery and registration changes.
          There, I think the working group's conservative approach,
          while still encouraging experimentation with the new specs,
          remains a good stance for the upcoming implementer's drafts. 
We can discuss that more on tomorrow's call if you like (7am
          Pacific).<br>
          <br>
          Happy New Year!<br>
          -- Mike<br>
          <br>
        </div>
      </div>
      <hr>
      <span style="font-family:Tahoma,sans-serif; font-size:10pt;
        font-weight:bold">From:
      </span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Justin
        Richer</span><br>
      <span style="font-family:Tahoma,sans-serif; font-size:10pt;
        font-weight:bold">Sent:
      </span><span style="font-family:Tahoma,sans-serif; font-size:10pt">1/2/2013
        9:31 AM</span><br>
      <span style="font-family:Tahoma,sans-serif; font-size:10pt;
        font-weight:bold">To:
      </span><span style="font-family:Tahoma,sans-serif; font-size:10pt"><a class="moz-txt-link-abbreviated" href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a></span><br>
      <span style="font-family:Tahoma,sans-serif; font-size:10pt;
        font-weight:bold">Cc:
      </span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Mike
        Jones; <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></span><br>
      <span style="font-family:Tahoma,sans-serif; font-size:10pt;
        font-weight:bold">Subject:
      </span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Re:
        December 27, 2012 OpenID Connect Release</span><br>
      <br>
      <div>
        <div class="moz-cite-prefix">It surprises me that the very
          fundamental user_id -> sub breaking change was introduced
          in this revision, but the group wanted to hold back on both
          registration and discovery until after this publication so as
          to limit the number of deep compatibility breaks. I guess what
          I don't understand is the willingness to break things in one
          area but hesitance in others, especially since the user_id
          -> sub change came up only very recently. Don't get me
          wrong, I'm very much in favor of *all* of these changes, but I
          don't understand the logic in how we're deciding what gets
          broken and when.<br>
          <br>
          Also, as I recall the discussion, both of these documents were
          supposed to have a note at the top of them pointing them to
          the appropriate upstream draft (oauth2-dyn-reg and webfinger,
          respectively) as an impending change. I can only guess that
          these notes got lost during the holiday shuffle and the
          barrage of JOSE-related changes, but if there's any good way
          to get these pointers in place, I believe we should do so.<br>
          <br>
           -- Justin<br>
          <br>
          On 12/28/2012 08:09 PM, Mike Jones wrote:<br>
        </div>
        <blockquote type="cite">
          <div class="WordSection1">
            <p class="MsoNormal">New versions of the OpenID Connect
              specifications have been released resolving numerous open
              issues raised by the working group.  The most significant
              change is changing the name of the “<span
                style="font-family:&quot;Courier New&quot;">user_id</span>”
              claim to “<span style="font-family:&quot;Courier
                New&quot;">sub</span>” (subject) so that ID Tokens
              conform to the
              <a moz-do-not-send="true"
                href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04">OAuth
                JWT Bearer Profile specification</a>, and so they can be
              used as OAuth assertions.  (Also, see the related
              <a moz-do-not-send="true"
                href="http://self-issued.info/?p=916">coordinated change
                to the OAuth JWT specifications</a>.)  A related
              enhancement was extending our use of the “<span
                style="font-family:&quot;Courier New&quot;">aud</span>”
              (audience) claim to allow ID Tokens to have multiple
              audiences.  Also, a related addition was defining the “<span
                style="font-family:&quot;Courier New&quot;">azp</span>”
              (authorized party) claim to allow implementers to
              experiment with this proposed functionality.  (This is a
              slightly more general form of the “<span style="">cid</span>”
              claim that Google and Nat Sakimura had proposed.)</p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">Other updates were:</p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span>The “<span
                style="font-family:&quot;Courier New&quot;">offline_access</span>”
              scope value was defined to request that a refresh token be
              returned when using the code flow that can be used to
              obtain an access token granting access to the user’s
              UserInfo endpoint even when the user is not present.</p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span>A new “<span
                style="font-family:&quot;Courier New&quot;">tos_url</span>”
              registration parameter was added so that the terms of
              service can be specified separately from the usage policy.</p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span>Clarified that “<span
                style="font-family:&quot;Courier New&quot;">jwk_url</span>”
              and “<span style="font-family:&quot;Courier New&quot;">jwk_encryption_url</span>”
              refer to documents containing JWK Sets - not single JWK
              keys.</p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">Implementers need to apply these name
              changes to their code:</p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">user_id</span>
              -> <span style="font-family:&quot;Courier New&quot;">
                sub</span></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">prn</span>
              -> <span style="font-family:&quot;Courier New&quot;">
                sub</span></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">user_id_types_supported</span>
              ->
              <span style="font-family:&quot;Courier New&quot;">subject_types_supported</span></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">user_id_type</span>
              ->
              <span style="font-family:&quot;Courier New&quot;">subject_type</span></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">acrs_supported</span>
              ->
              <span style="font-family:&quot;Courier New&quot;">acr_values_supported</span></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><span
                style="font-family:&quot;Courier New&quot;">alg</span>
              -> <span style="font-family:&quot;Courier New&quot;">
                kty</span> (in JWKs)</p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">See the Document History section of
              each specification for more details about the changes
              made.</p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">This release is part of a coordinated
              release of JOSE, OAuth, and OpenID Connect
              specifications.  You can read about the other releases
              here: 
              <a moz-do-not-send="true"
                href="http://self-issued.info/?p=913">JOSE Release Notes</a>,
              <a moz-do-not-send="true"
                href="http://self-issued.info/?p=916">
                OAuth Release Notes</a>.</p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">The new specification versions are:</p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-basic-1_0-22.html">http://openid.net/specs/openid-connect-basic-1_0-22.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-implicit-1_0-05.html">http://openid.net/specs/openid-connect-implicit-1_0-05.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-messages-1_0-14.html">http://openid.net/specs/openid-connect-messages-1_0-14.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-standard-1_0-15.html">http://openid.net/specs/openid-connect-standard-1_0-15.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-discovery-1_0-11.html">http://openid.net/specs/openid-connect-discovery-1_0-11.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-registration-1_0-13.html">http://openid.net/specs/openid-connect-registration-1_0-13.html</a></p>
            <p class="MsoListParagraph" style="text-indent:-.25in"><span
                style="font-family:Symbol"><span style="">·<span
                    style="font:7.0pt &quot;Times New Roman&quot;">
                  </span></span></span><a moz-do-not-send="true"
                href="http://openid.net/specs/openid-connect-session-1_0-10.html">http://openid.net/specs/openid-connect-session-1_0-10.html</a></p>
            <p class="MsoNormal"> </p>
            <p class="MsoNormal">-- Mike</p>
            <p class="MsoNormal"> </p>
          </div>
        </blockquote>
        <br>
      </div>
    </blockquote>
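<p>The following helper is an added example, not code from the OpenID working group or from either poster. It applies the name changes listed in the December 27, 2012 announcement (user_id/prn to sub, the discovery and registration renames, alg to kty in JWKs), wraps a bare legacy JWK into the JWK Set document that jwk_url and jwk_encryption_url are now clarified to point at, and checks the aud claim when an ID Token carries several audiences. The sample payload, discovery document and JWK are constructed for the example; the azp rules (expect azp when there are multiple audiences, and require it to equal our client_id when present) are the ones later fixed in OpenID Connect Core 1.0, not something this announcement states, so treat them as an assumption of the example.</p>

```python
"""Migration helpers for the December 27, 2012 OpenID Connect renames.

Added example (not the working group's code). Renames legacy claim,
discovery, registration and JWK names to the new ones, normalizes a
JWK document into a JWK Set, and checks aud/azp on multi-audience
ID Tokens.
"""
import json

# Legacy name -> new name, as listed in the release announcement.
ID_TOKEN_CLAIM_RENAMES = {"user_id": "sub", "prn": "sub"}
DISCOVERY_RENAMES = {
    "user_id_types_supported": "subject_types_supported",
    "acrs_supported": "acr_values_supported",
}
REGISTRATION_RENAMES = {"user_id_type": "subject_type"}
JWK_RENAMES = {"alg": "kty"}

# Constructed sample inputs (not taken from any real deployment).
LEGACY_ID_TOKEN_PAYLOAD = json.dumps({
    "iss": "https://op.example.com",
    "user_id": "248289761001",
    "aud": ["client-a", "client-b"],
    "azp": "client-a",
    "exp": 1356998400,
})
LEGACY_DISCOVERY = {
    "user_id_types_supported": ["public", "pairwise"],
    "acrs_supported": ["1", "2"],
}
LEGACY_JWK = {"alg": "RSA", "kid": "k1", "n": "0vx7agoebG", "e": "AQAB"}


def rename_keys(obj, mapping):
    """Return a copy of obj with legacy keys renamed via mapping.

    Two legacy keys may map onto the same new name (user_id and prn both
    become sub). If both are present with different values the input is
    inconsistent, and we refuse rather than silently pick one.
    """
    out = {}
    for key, value in obj.items():
        new_key = mapping.get(key, key)
        if new_key in out and out[new_key] != value:
            raise ValueError(f"conflicting values for {new_key!r}")
        out[new_key] = value
    return out


def migrate_jwk_set(doc):
    """Accept a JWK Set or a single legacy JWK and return a JWK Set.

    jwk_url / jwk_encryption_url point at JWK Set documents, so a bare
    key document is wrapped into {"keys": [...]} and the alg -> kty
    rename is applied to every key.
    """
    keys = doc["keys"] if "keys" in doc else [doc]
    return {"keys": [rename_keys(k, JWK_RENAMES) for k in keys]}


def check_audience(claims, client_id):
    """Audience check for an ID Token whose aud may be a string or a list.

    Assumption of this example (rules from the later Core 1.0 spec): with
    several audiences an azp claim is expected, and any azp present must
    name our client_id.
    """
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        return False
    if len(audiences) > 1 and "azp" not in claims:
        return False
    if "azp" in claims and claims["azp"] != client_id:
        return False
    return True


def migrate_id_token_claims(raw_json):
    """Parse an ID Token payload (already signature-checked upstream) and
    rename legacy subject claims; reject a token with no subject at all."""
    claims = rename_keys(json.loads(raw_json), ID_TOKEN_CLAIM_RENAMES)
    if "sub" not in claims:
        raise ValueError("ID Token has no subject claim")
    return claims


if __name__ == "__main__":
    claims = migrate_id_token_claims(LEGACY_ID_TOKEN_PAYLOAD)
    print(claims, check_audience(claims, "client-a"))
    print(rename_keys(LEGACY_DISCOVERY, DISCOVERY_RENAMES))
    print(migrate_jwk_set(LEGACY_JWK))
```

<p>The conflict check in rename_keys matters during a migration window: a token that carries both user_id and prn with different values is ambiguous about who the subject is, and a relying party should reject it rather than trust whichever claim happens to be read last.</p>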
    <br>
  </body>
</html>