[Openid-specs-mobile-profile] MODRNA WG call on July 24th 2018 preliminary minutes
philippe.clement at orange.com
Wed Jul 25 09:30:41 UTC 2018
Please find below the preliminary minutes of our MODRNA call on July 24th 2018
In case of misunderstanding or error please let me know your suggestion.
Attendees (extracted from GoToMeeting): Nat Sakimura; John Bradley; Philippe Clement (Orange); Siva (GSMA); Brian Campbell; Dave Tonge; Bjorn Hjelm; Mike Engan; Charles Marais (Orange)
Adoption of the Agenda [Bjorn/John]
Working Group Updates
* CPAS is working on a PKI enabler and certificates. In this approach the ID Gateway uses a specific key to sign parameters. This enabler could potentially be applicable to any Mobile Connect service.
* GSMA supports polling for CIBA. Work is in progress in CPAS to determine how the polling is used.
* Work in progress on login_hint_token and token binding parameters.
Question about response_mode in the authentication request, which is optional in OIDC. Either the query parameter or the form post option is usable. In the case of query parameters, the browser could truncate the response if the payload is too big because of the maximum URL size limit. The preference is to avoid overloading the browser size limit. Keep both options open. Delivering the ID token directly to the application is a good example.
FAPI WG [John/Dave]
* F2F in Tokyo this morning addressing CIBA and different issues, especially delivery of the token in the notification mode. The option to change the semantics for CIBA to deliver the token is on the table. Open Banking is on its way to supporting the FAPI profile, in a simplified approach.
* Question about the FAPI group supporting polling. Open Banking people try to avoid notification and are looking for changes to implement it.
Questions about the different mechanisms to provide the token back to the server, and how to specify CIBA and locate it with regard to the different OIDF groups (MODRNA, FAPI...). Is it necessary to create a specific MODRNA profile of CIBA? Notification mode and pushing the token are at stake. This approach relies on the delay to make the token available back to the client.
Maybe it could be interesting to have a fairly good definition of CIBA.
--> John to open an issue on the issue tracker.
Discussions about login_hint, id_token_hint and login_hint_token. Remarks about the fact that the token may be older than a reasonable period. How does an id_token identify a client? One could simply consider it a blob of information that the IdP interprets.
Clarifications from Siva: login_hint_token is used before authentication. id_token_hint concerns a previously authenticated user. id_token_hint is not audienced, so it implies complications.
Suggestion from Brian: don't validate the id_token_hint, but look inside it for information to use. Add security considerations.
--> Brian to look at the issue and update the issue tracker according to the discussions regarding id token and delivery modes.
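As an added illustration of the suggestion recorded above (example code, not part of the minutes or of the CIBA specification), the following Python sketch treats an id_token_hint as an opaque blob: it reads iss, sub and iat from the payload without validating the signature or audience, rejects hints older than an agreed window, and returns the subject strictly as a lookup hint. The issuer URL, the claims, the max-age value and the dummy signature are constructed.

```python
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_sample_hint(claims: dict) -> str:
    """Build a constructed id_token_hint in JWS compact form with a dummy
    signature segment; a real token would be signed by the IdP."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def peek_id_token_hint(token: str, expected_iss: str, max_age_s: int,
                       now: Optional[float] = None) -> Optional[str]:
    """Read iss/sub/iat from the hint's payload WITHOUT validating the
    signature or audience and return the subject as a lookup hint only.
    Returns None when the hint is unusable. Nothing here authenticates
    anyone: the user still authenticates on the device."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    # Only hints that claim to come from this IdP are meaningful as a hint.
    if claims.get("iss") != expected_iss:
        return None
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        return None
    # Reject hints older than the agreed window (the "reasonable period"),
    # and hints dated in the future beyond a small clock-skew allowance.
    if now - iat > max_age_s or iat > now + 60:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```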
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.