<div dir="ltr">For the Tokyo workshop CfP, an official translation can be found at: <a href="https://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871">https://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871</a><div><br></div><div>There will be an <a href="http://openid.or.jp">openid.or.jp</a> hosted version of the English site as well eventually. </div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-04 0:02 GMT+09:00 Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Spec call notes 3-Sep-15<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">Nat Sakimura<u></u><u></u></p>
<p class="MsoNormal">Brian Campbell<u></u><u></u></p>
<p class="MsoNormal">John Bradley<u></u><u></u></p>
<p class="MsoNormal">Nov Matake<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Agenda<u></u><u></u></p>
<p class="MsoNormal"> Logout<u></u><u></u></p>
<p class="MsoNormal"> New Issues<u></u><u></u></p>
<p class="MsoNormal"> Workshop before IIW<u></u><u></u></p>
<p class="MsoNormal"> Tokyo workshop after IETF 94 Yokohama<u></u><u></u></p>
<p class="MsoNormal"> Certification<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Logout<u></u><u></u></p>
<p class="MsoNormal"> Nat reported some parties may use SAML because OpenID Connect doesn't have a ratified logout spec<u></u><u></u></p>
<p class="MsoNormal"> He also said that some enterprise people are inventing home-grown logout spec<u></u><u></u></p>
<p class="MsoNormal"> Shipping is a feature as well<u></u><u></u></p>
<p class="MsoNormal"> We still need interop testing on the HTTP-based logout<u></u><u></u></p>
<p class="MsoNormal"> The back channel logout spec doesn't yet exist<u></u><u></u></p>
<p class="MsoNormal"> Nat said that some people apparently are using extensions to SCIM for back channel logout<u></u><u></u></p>
<p class="MsoNormal"> He will try to find references to what those people are doing<u></u><u></u></p>
<p class="MsoNormal"> Mike expressed that requiring SCIM to do logout seems like unnecessary complexity<u></u><u></u></p>
<p class="MsoNormal"> For the back channel logout, the OP would send a message to the RP containing the session ID<u></u><u></u></p>
<p class="MsoNormal"> There could be an ID Token authenticating the sender<u></u><u></u></p>
<p class="MsoNormal"> Some will want to log out a particular session - others will want to log out all sessions<u></u><u></u></p>
<p class="MsoNormal"> Back channel logout could be broadly construed - for instance terminating refresh tokens<u></u><u></u></p>
<p class="MsoNormal"> Nat raised the point about sometimes-connect clients<u></u><u></u></p>
<p class="MsoNormal"> Nat said that some parties are interested in receiving logout acknowledgements<u></u><u></u></p>
<p class="MsoNormal"> John said that having some concrete use cases might help<u></u><u></u></p>
<p class="MsoNormal"> Brian stated that expectations for logout appear to differ dramatically<u></u><u></u></p>
<p class="MsoNormal"> In theory, PingFederate supports back-channel logout for SAML<u></u><u></u></p>
<p class="MsoNormal"> But ~90% of integrations don't include the necessary RP support for this<u></u><u></u></p>
<p class="MsoNormal"> Mobile apps make things even harder<u></u><u></u></p>
<p class="MsoNormal"> What is the desired behavior for a mobile app?<u></u><u></u></p>
<p class="MsoNormal"> We can probably say something meaningful for interactive sessions<u></u><u></u></p>
<p class="MsoNormal"> Mobile applications require the back-channel logout<u></u><u></u></p>
<p class="MsoNormal"> Things that could be logged out/revoked include:<u></u><u></u></p>
<p class="MsoNormal"> interactive sessions<u></u><u></u></p>
<p class="MsoNormal"> immediate access and refresh tokens<u></u><u></u></p>
<p class="MsoNormal"> cascaded token revocations<u></u><u></u></p>
<p class="MsoNormal"> native app logins<u></u><u></u></p>
<p class="MsoNormal"> There could be some kind of an ack back to the server for destroyed objects<u></u><u></u></p>
<p class="MsoNormal"> Callbacks? This could be a scalability issue.<u></u><u></u></p>
<p class="MsoNormal"> Callbacks probably should be its own spec, if we ever do it<u></u><u></u></p>
<p class="MsoNormal"> Brian - implementing SAML logout is really hard and all the options only make it harder!<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">New Issues<u></u><u></u></p>
<p class="MsoNormal"> #980 - Where else do we need to specify the use of CORS support?<u></u><u></u></p>
<p class="MsoNormal"> Brian: Discovery, JWKs endpoint<u></u><u></u></p>
<p class="MsoNormal"> John: Authorization endpoint - Mike: You're redirecting there so you don't need CORS<u></u><u></u></p>
<p class="MsoNormal"> John: You may or may not want registration to be open<u></u><u></u></p>
<p class="MsoNormal"> The origin can do direct calls to the dynamic client registration endpoint<u></u><u></u></p>
<p class="MsoNormal"> If you want different client IDs for each JavaScript client instance, CORS would have to be supported<u></u><u></u></p>
<p class="MsoNormal"> Nat: Everything discovery related - including .well-known endpoints<u></u><u></u></p>
<p class="MsoNormal"> It would be deployment policy about whether registration supports CORS<u></u><u></u></p>
<p class="MsoNormal"> Mike will add a comment to the bug and will point people to the bug on e-mail<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Workshop before IIW<u></u><u></u></p>
<p class="MsoNormal"> <a href="http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366" target="_blank">http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366</a><u></u><u></u></p>
<p class="MsoNormal"> Mike told Don to remove Nat from the agenda<u></u><u></u></p>
<p class="MsoNormal"> Mike will ask Don what "HMG Cabinet Office Chairs" means for HEART, and if it's correct<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Tokyo workshop after IETF 94 Yokohama<u></u><u></u></p>
<p class="MsoNormal"> <a href="http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871" target="_blank">http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871</a><u></u><u></u></p>
<p class="MsoNormal"> Registration is not yet open for that, but there will be an English registration page<u></u><u></u></p>
<p class="MsoNormal"> Nat translated the Japanese event page to English at <a href="http://j.mp/cfp_oid15" target="_blank">http://j.mp/cfp_oid15</a><u></u><u></u></p>
<p class="MsoNormal"> Session proposals are due by the end of the month but should be sent earlier<u></u><u></u></p>
<p class="MsoNormal"> John will cover RISC with help from Adam<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Certification<u></u><u></u></p>
<p class="MsoNormal"> Roland is back from vacation and actively fixing stuff<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div></div>
</div>