<div dir="ltr"><div dir="ltr">A little bit off topic, but I finally uploaded the file as<div><a href="https://bitbucket.org/openid/connect/src/default/draft-oidf-connect-nativesso.xml">https://bitbucket.org/openid/connect/src/default/draft-oidf-connect-nativesso.xml</a><br></div><div>so that you guys can start filling the issues and firing up a pull-requests. </div><div><br></div><div>Cheers, </div><div><br></div><div>Nat</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 9, 2019 at 11:58 PM Torsten Lodderstedt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi George, <br>
<br>
I read your proposal and I (believe to) understand that the device secret is introduced as kind of a device identifier (+ some additional data) grouping tokens issued to different apps residing on the same device.<br>
<br>
A question popped up: Why do you use an id token and the token exchange to obtain fresh access tokens? Wouldn't it be sufficient to share the refresh token among those apps? Even if the refresh token is rotated, the legit apps are supposed to share some state on the device, so any of those apps could use the currently valid refresh token to perform the flow (again). <br>
<br>
best regards,<br>
Torsten. <br>
<br>
<br>
> Am 08.01.2019 um 00:22 schrieb George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>:<br>
> <br>
> Per the working group call today, bumping to the top of the list.<br>
> <br>
> <br>
> -------- Forwarded Message --------<br>
> Return-Path: <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>><br>
> Received: from <a href="http://silver.osuosl.org" rel="noreferrer" target="_blank">silver.osuosl.org</a> (<a href="http://mpq410.aol.prodcr.mail.ne1.yahoo.com" rel="noreferrer" target="_blank">mpq410.aol.prodcr.mail.ne1.yahoo.com</a> [140.211.166.136]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by <a href="http://mtaiw-mbd02.mx.aol.com" rel="noreferrer" target="_blank">mtaiw-mbd02.mx.aol.com</a> (Internet Inbound) with ESMTPS id 15F89700000B2 for <<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>>; Fri, 22 Jun 2018 13:30:26 -0400 (EDT)<br>
> X-Apparently-To: <a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>; Fri, 22 Jun 2018 17:30:25 +0000<br>
> Date: Fri, 22 Jun 2018 13:30:08 -0400<br>
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0<br>
> Subject: [Openid-specs-ab] Submission: Native SSO for Mobile Apps (txt and xml)<br>
> From: George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
> Reply-To: George Fletcher <<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>><br>
> Sender: "Openid-specs-ab" <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>><br>
> <br>
> <br>
> <br>
> Per the notes from Thursday's OpenID Connect working group call, here are text and xml formatted version of the Native SSO for Mobile apps spec.<br>
> <br>
> Please note, the core text is here but this is no where near final. Note that the text for additions for dynamic client registration and other IANA registrations are text from the "front channel logout" spec. I left the sections there as they will likely be needed.<br>
> <br>
> The purpose here is to get the core text in the proper format.<br>
> <br>
> Thanks,<br>
> George<br>
> <br>
> <br>
> <br>
> -- <br>
> Identity Standards Architect<br>
> Verizon Media Work: <a href="mailto:george.fletcher@oath.com" target="_blank">george.fletcher@oath.com</a><br>
> Mobile: +1-703-462-3494 Twitter: <a href="http://twitter.com/gffletch" rel="noreferrer" target="_blank">http://twitter.com/gffletch</a><br>
> Office: +1-703-265-2544 Photos: <a href="http://georgefletcher.photography" rel="noreferrer" target="_blank">http://georgefletcher.photography</a><br>
> <br>
> <openid-connect-native-sso-1_0.txt><openid-connect-native-sso-1_0.xml><Attached Message Part.txt>_______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div></div>