[Openid-specs-mobile-profile] MODRNA WG call on Sept 04 2018 preliminary minutes
philippe.clement at orange.com
Thu Sep 6 08:04:10 UTC 2018
Please find below the minutes of our MODRNA call on Sept 4th 2018
In case of error or misunderstanding, please let me know
Roll Call (extract from GoToMeeting)
Bjorn Hjelm, Dave.Tonge, John Bradley, Philippe Clement (Orange), Brian Campbell, Charles Marais (Orange), Michael Engan, Petteri (Ubisecure)
Adoption of the Agenda [Bjorn/John]
Working Group Updates
FAPI WG [Nat/Dave]
Work in progress on the next Implementer's Draft.
CIBA Core/MODRNA (Dave/Brian/Gonzalo/Axel)
Dave & Brian addressed some issues about merging and 2 or 3 separate drafts
Work correlated to issue solving.
Questions about moving discovery spec forward.
One consideration is to minimize the number of calls the client has to make. But on the other hand, security concerns must be taken into consideration.
Conversations occurred with GSMA about a MODRNA style discovery, and repositories across carriers.
One thing to avoid is that an RP has to register twice.
* #66<https://bitbucket.org/openid/mobile/issues/66/ciba-notification-mode-to-be-notification> CIBA notification mode to be notification only
The question is whether to not deliver the token directly but instead inform the RP that it can fetch the token at the Token Endpoint. This keeps a single, well-known way for the RP to retrieve the token and simplifies what the notification endpoint has to handle. Creating a new notification mode for the RP is at stake, making 3 ways to deliver the token. OpenBanking follows this approach for security reasons.
* #82<https://bitbucket.org/openid/mobile/issues/82/ciba-naming-of-the-3-modes> Naming of the 3 modes
3 initial proposals are:
2- Notification Callback (without the token)
3- Delivery Callback (with the token)
Alternate proposal from John: poll, ping and push
More comments from the group are awaited on this issue.
* #81<https://bitbucket.org/openid/mobile/issues/81/ciba-authentication-error-responses-cant> Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint
What does the "access denied" error code mean? Discussion about its semantics and the different flows and conditions in which it can be returned.
* #80<https://bitbucket.org/openid/mobile/issues/80/ciba-new-notification-callback-behaviour> New notification callback behaviour when token request is made before notification received
When a client has registered in ping mode, is it allowed to fetch the token from the token endpoint?
Brian: the 2 things are just polling... trying not to overcomplicate. One is polling, the other is polling with a ping.
A consensus appears towards considering the 2 modes in the same way.
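As an added illustration of the three delivery modes debated in #66, #80 and #82 (this is constructed example code, not code from the WG or from any CIBA implementation), here is an in-memory model of the authorization server side. It uses John's poll/ping/push names and the auth_req_id, client_notification_token and authorization_pending names of the later CIBA Core text, which these minutes predate; its push-mode handling of the token endpoint is this model's own choice.

```python
import secrets


class CibaAS:
    """Constructed in-memory model of a CIBA authorization server (AS): one
    backchannel request per auth_req_id, three token delivery modes."""

    def __init__(self):
        self.requests = {}   # auth_req_id -> request state
        self.callbacks = []  # notifications "sent" to the RP's notification endpoint

    def backchannel_authenticate(self, client_id, mode, client_notification_token=None):
        # ping and push need the bearer token the RP expects on its callback;
        # without it the AS could not authenticate itself to the RP's endpoint.
        if mode not in ("poll", "ping", "push") or (mode != "poll" and not client_notification_token):
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"client_id": client_id, "mode": mode,
                                      "cnt": client_notification_token, "approved": False,
                                      "consumed": False, "access_token": None}
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_approves(self, auth_req_id):
        req = self.requests[auth_req_id]
        req["approved"] = True
        req["access_token"] = secrets.token_urlsafe(16)
        if req["mode"] == "ping":
            # ping: only the identifier is delivered; the RP still fetches the
            # token at the token endpoint, the single well-known place to get it.
            self.callbacks.append({"authorization": f"Bearer {req['cnt']}",
                                   "body": {"auth_req_id": auth_req_id}})
        elif req["mode"] == "push":
            # push: the token itself travels to the notification endpoint.
            self.callbacks.append({"authorization": f"Bearer {req['cnt']}",
                                   "body": {"auth_req_id": auth_req_id,
                                            "access_token": req["access_token"],
                                            "token_type": "Bearer"}})

    def token(self, client_id, auth_req_id):
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id or req["consumed"]:
            return {"error": "invalid_grant"}
        if req["mode"] == "push":
            return {"error": "invalid_grant"}  # model's choice: push never uses this endpoint
        if not req["approved"]:
            # poll and ping are answered the same way, as the call's consensus on #80
            return {"error": "authorization_pending"}
        req["consumed"] = True  # an auth_req_id is good for one token response
        return {"access_token": req["access_token"], "token_type": "Bearer"}
```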
* #77<https://bitbucket.org/openid/mobile/issues/77/ciba-terminology-authentication-result> Terminology - "authentication result"
Authentication response, authorization response...
"Authentication result" is agreed; review the spec for consistency.
* #67<https://bitbucket.org/openid/mobile/issues/67/clarify-ciba-authentication-request-format> Clarify CIBA Authentication Request format
Petteri suggests that issue 73 is correlated.
Discussions around signed request object (OIDC) and OAuth2 request formalism, application/json and application/jwt.
Work in progress.
* "Question: mandatory vs Optional Scopes" [Michael]
* The group to look at Michael email and response before next week.
Do we have to set up other regular calls? (mail from Bjorn): yes, to be scheduled; check that the slot is not already taken.