[Openid-specs-mobile-profile] MODRNA WG call on July 10th 2018 preliminary minutes

philippe.clement at orange.com
Thu Jul 12 08:56:37 UTC 2018

Dear all,

Please find below the preliminary minutes of our call on Tuesday July 10th of 2018.
In case of error or misunderstanding of the talks, please let me know.

Roll Call (extract from gotomeeting session participants)
Bjorn Hjelm, John Bradley, Philippe Clement (Orange), Gonza, Jörg, Petteri (Ubisecure), James Manger, Dave Tonge, Brian Campbell

Adoption of the Agenda [Bjorn/John]

Agenda adopted

Liaisons Updates

  GSMA [Siva]
Not addressed

Working Group Updates

  FAPI WG [John/Dave]
CIBA Discussion (from June 20 call <https://bitbucket.org/openid/fapi/wiki/FAPI_Meeting_Notes_2018-06-20> and at Identiverse <https://bitbucket.org/openid/fapi/wiki/FAPI_Meeting_Notes_2018-06-27>) and Brian's e-mail input on CIBA.

Last week there was an F2F meeting to discuss CIBA, which is gaining traction around banking. The question of a FAPI profile of CIBA was raised. OpenBanking will probably not use notification mode.

For the FAPI WG, following Brian's and others' email <http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180611/001183.html>, the discussion addressed the concern about posting tokens back in notification mode following the Authentication request. A proposal is rather to inform the client that the token is available at the OP endpoint, so that the way to get the tokens back is simpler.

Discussions about the authentication request format, and posting JSON or Web form. Do we need both? JSON seems easier to implement. Brian suggests removing the ambiguity.
==>     Brian to open an issue on the issue tracker.
==>     Gonzalo to fix it in the spec regarding the format of the request.

Discussion about the Id_token_hint parameter, which seems problematic. Login_token_hint is different. In some cases, it could be impossible to validate the signature because of key rotation.

Discussion about elevation of CIBA specs to other ID Connect WG? Legal things to see.
==>     Structure the document anyway. Makes more sense as a profile.

Discussion on account porting: RP doesn't have to make a call to the old IdP.
Consensus in the group to get rid of the access token that the RP pushes back. Round trips to eliminate. Separate issue?
==>     Brian to put it on the issue tracker.

Best regards,

