<div dir="ltr">Also of interest - there appears to be some underlying OpenID Connect support as well: <div><br></div><div><a href="https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider?changes=latest_minor">https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider?changes=latest_minor</a><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2019 at 11:04 AM Chuck Mortimore <<a href="mailto:cmortimore@salesforce.com">cmortimore@salesforce.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">We've looked into sign in with apple a bit, and it appears to largely be openid connect. A few things of note<div><ul><li>client_secret is actually an ES256 JWT rather than a shared secret. They did not use RFC7521 format for that.</li><li>there doesn't appear to be a userinfo endpoint</li><li>there's a step where you need to download a signed artifact and host it under .well-known for domain verification</li></ul></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2019 at 10:33 AM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_5698361551987637444gmail-m_8731466746763401591WordSection1">
<p class="MsoNormal">Spec Call Notes 6-Jun-19<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">Nat Sakimura<u></u><u></u></p>
<p class="MsoNormal">Bjorn Hjelm<u></u><u></u></p>
<p class="MsoNormal">Brian Campbell<u></u><u></u></p>
<p class="MsoNormal">Rich Levinson<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Login with Apple<u></u><u></u></p>
<p class="MsoNormal"> Apple announced Login with Apple this week at their developer's conference<u></u><u></u></p>
<p class="MsoNormal"> Nov Matake has created a Ruby gem for it, and so knows the ins and outs of the protocol<u></u><u></u></p>
<p class="MsoNormal"> Apparently it is Connect-like but not exactly Connect<u></u><u></u></p>
<p class="MsoNormal"> Nat and Mike have asked Nov if he could summarize how it's the same and different<u></u><u></u></p>
<p class="MsoNormal"> Mike found this after the call <a href="https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple" target="_blank">https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple</a><u></u><u></u></p>
<p class="MsoNormal"> Dick Hart pointed out new app store requirements to use Login with Apple on Twitter<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://twitter.com/DickHardt/status/1135769039043563520" target="_blank">https://twitter.com/DickHardt/status/1135769039043563520</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Authentication Failed Error Code Draft<u></u><u></u></p>
<p class="MsoNormal"> Mike sent in a review<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">OpenID Connect for Identity Proofing<u></u><u></u></p>
<p class="MsoNormal"> Mike sent in a review<u></u><u></u></p>
<p class="MsoNormal"> The most important comment was to make it about verified data - not just verified person data<u></u><u></u></p>
<p class="MsoNormal"> Verified person data can still be covered by the draft<u></u><u></u></p>
<p class="MsoNormal"> Nat: It's always good to have a general thing - then you can profile it to meet your specific requirements<u></u><u></u></p>
<p class="MsoNormal"> Tony wrote that we should align with ISO 2903<u></u><u></u></p>
<p class="MsoNormal"> We should also look at the EU minimal viable KYC document<u></u><u></u></p>
<p class="MsoNormal"> PRIORITY GROUP 2 PROPOSAL FOR AN ATTRIBUTE-BASED & LoA-RATED KYC FRAMEWORK FOR THE FINANCIAL SECTOR IN THE DIGITAL AGE<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">EIC<u></u><u></u></p>
<p class="MsoNormal"> The OpenID workshop was very well attended<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Transient Subject Identifier Type<u></u><u></u></p>
<p class="MsoNormal"> Davide Vaghetti wrote a document on this<u></u><u></u></p>
<p class="MsoNormal"> See <a href="https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9" target="_blank">https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9</a><u></u><u></u></p>
<p class="MsoNormal"> People should review his proposal<u></u><u></u></p>
<p class="MsoNormal"> There's a mailing list discussion on whether RPs need to be dynamically told that the subject is transient<u></u><u></u></p>
<p class="MsoNormal"> Some banks are using the transaction ID as the subject, which is problematic<u></u><u></u></p>
<p class="MsoNormal"> Apparently the banks are reluctant to provide user identity<u></u><u></u></p>
<p class="MsoNormal"> It's especially problematic when people have multiple accounts<u></u><u></u></p>
<p class="MsoNormal"> Brian stated that the Open Banking use case was intended to be pure authorization - not identity<u></u><u></u></p>
<p class="MsoNormal"> This has been discussed in the FAPI working group<u></u><u></u></p>
<p class="MsoNormal"> We should explicitly describe the "sub" lifetime expectations in Connect Core<u></u><u></u></p>
<p class="MsoNormal"> Nat filed the issue #1096 - Core - Section 8. Need more subject_type<u></u><u></u></p>
<p class="MsoNormal"> Nat gave the example that passports use time-bound identifiers<u></u><u></u></p>
<p class="MsoNormal"> Nat said that age verification is a possible use case for ephemeral identifiers<u></u><u></u></p>
<p class="MsoNormal"> Nat said that identifier unlinkability is described in ISO 27551<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">EAP<u></u><u></u></p>
<p class="MsoNormal"> We're in the public review period for the two EAP specs<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://openid.net/2019/04/22/public-review-period-for-two-proposed-eap-implementers-drafts/" target="_blank">https://openid.net/2019/04/22/public-review-period-for-two-proposed-eap-implementers-drafts/</a><u></u><u></u></p>
<p class="MsoNormal"> People are encouraged to review them<u></u><u></u></p>
<p class="MsoNormal"> Voting was started<u></u><u></u></p>
<p class="MsoNormal"> However it was blocked by a Ruby application error<u></u><u></u></p>
<p class="MsoNormal"> Mike will have Nov Matake investigate<u></u><u></u></p>
<p class="MsoNormal"> It turns out to have been caused by a Rails version upgrade, which Nov fixed<u></u><u></u></p>
<p class="MsoNormal"> The voting period will need to be rescheduled<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Open Issues<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a><u></u><u></u></p>
<p class="MsoNormal"> #1093 - Extensibility: how do we support extensibility for trust frameworks, evidences, verification methods and id documents?<u></u><u></u></p>
<p class="MsoNormal"> Mike will comment on registries, OpenID, and IANA<u></u><u></u></p>
<p class="MsoNormal"> #1094 - How to treat unknown identifiers in claims parameter<u></u><u></u></p>
<p class="MsoNormal"> In general, we ignore not-understood values<u></u><u></u></p>
<p class="MsoNormal"> If a value is required and not understood, and appropriate error can be returned<u></u><u></u></p>
<p class="MsoNormal"> #1095 - Registration - 3 - rotate/renew secret<u></u><u></u></p>
<p class="MsoNormal"> RFC 7592 can be used to do this<u></u><u></u></p>
<p class="MsoNormal"> #1096 - Core - Section 8. Need more subject_type<u></u><u></u></p>
<p class="MsoNormal"> Mike commented about the existing subject types being persistent<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Next Call<u></u><u></u></p>
<p class="MsoNormal"> The next call is Tuesday, June 11 at 4pm Pacific Time<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
</blockquote></div>