[Openid-specs-native-apps] Minutes - Dec 10

Paul Madsen paul.madsen at gmail.com
Tue Dec 10 16:52:46 UTC 2013


attending

John Bradley, Paul Madsen, Mike Varley, Darren Platt, Thomas
DeBenning, Brian Campbell, Nat Sakimura, Morteza Ansari

Paul taking notes

Nat asks whether this is the 1st or 2nd meeting of the working group. John
confirms we adopted scope at the 1st meeting and provisionally accepted the input
document, presuming IPR agreements have been accepted - which has happened

Nat moves to accept previously provisionally accepted document as accepted
input doc
John seconds

John moves that the input document become the basis for workgroup activities
Darren seconds

John took the group through the current document.

Nat asked about Step 5 - should be both arrows up/down

Nat posed question about how the TA obtains access tokens - whether from
the Token Endpoint or some dedicated API - allowing for triples to be
returned

John points out advantage of Token Endpoint, allowing for the TA to
authenticate when obtaining access tokens

We can have

1) TA uses refresh token on call to Token Endpoint
2) TA uses access token on call to 'AppInfo' API
3) both

More discussion

Nat suggests the TA might, on install, register a key pair, or do dynamic
registration, to use subsequently to the AS

Nat suggests that credential provisioning is important. John agrees but
argues that this spec needn't necessarily specify that

Consensus is that TA SHOULD be a confidential client, as opposed to MUST

Nat points out that the TA aggregates risk, and that may push the SHOULD to
MUST for deployments

Morteza asks about how discovery might work, and goes on to ask about the
scope of interoperability, i.e. is the goal that a given app work with any
TA, or a specific TA?

John's answer is that we need to explore what the mobile OSs provide

Morteza asks 'Will we have different bindings for the different OSs'?
Things will change.

John suggests that the bindings will change and evolve as the OSs change, and
so may not belong in the same document.

Group agrees. What to call it? Or are there individual docs for each OS &
version?

John will take first stab at pulling the content out.

John asks 'whether the AppInfo API definition belongs in the main spec?'
Group says keep it in for now

Discussion as to what the TA should pass to the apps, just an access token,
or also a refresh token, or maybe an id_token etc? Future discussion
required

Brian has questions/concerns about the TBD of 7.4.3, i.e. how a TA uses an
id-token to obtain access tokens. More discussion required

People don't like the 'provisioning' in current spec title - has existing
connotation. Agree to change spec names to

Native Apps Core
Native Apps OS Bindings

Agree to have call bi-weekly, alternating between Tuesday 10 AM EST &
Wednesday 6 PM EST.




-- 
Paul Madsen