[Openid-specs-native-apps] Oct 1 call Minutes

Paul Madsen paul.madsen at gmail.com
Thu Oct 2 14:31:02 UTC 2014


John Bradley
William Dennis
Edmund Jay

We discussed the possibility of using the extensions mechanism in iOS 8 rather than custom scheme URI to get around the app spoofing issues.

Doing context switches to and from the TA runs the risk of getting rejected by Apple for being ugly, if we want to use sPoP for the TA-initiated flow.

One of the reasons for wanting the apps to have refresh tokens is to avoid context switching in the UI to get a new AT.

We discussed the idea of always returning an assertion to the app (with PoP) that it could then use to get its own AT and refresh token from the target AS.

William liked the idea of keeping the first- and third-party AS flows as similar as possible and pointed out that open-source libs to include in the client app that do the id_token to AT swap would keep the level of complexity for the apps down, and that doing the exchange in the TA to reduce complexity is not the only way.

We then discussed some changes to the sPoP spec to support protection of the challenge value by hashing it on the call from the app to the AS authorization endpoint.
We will add a second method to the sPoP spec using SHA256.



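The change described for the sPoP spec (sending a SHA-256 hash of the challenge value to the authorization endpoint, and the raw value only at the token endpoint) can be illustrated with the following added example. It is not code from the sPoP draft or from the list; the class name, the method labels "plain" and "S256", the base64url encoding of both values, and the "observer" who sees the authorization request but not the token request are all assumptions made for the illustration. The point it shows is why the hash matters for the app-spoofing concern: a party that intercepts the authorization request learns only the hash, which does not let it redeem the code.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding (assumed encoding for verifier, challenge and code)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """App side: a high-entropy secret that stays in the app until the token request."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_plain(verifier: str) -> str:
    """Method 1 (assumed name 'plain'): the challenge sent to the AS is the verifier itself."""
    return verifier


def challenge_s256(verifier: str) -> str:
    """Method 2 discussed in the minutes (assumed name 'S256'): send SHA-256 of the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS keeping the challenge bound to each issued code."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (challenge, method)

    def authorize(self, challenge: str, method: str) -> str:
        """Authorization endpoint: record the challenge, hand back a single-use code."""
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (challenge, method)
        return code

    def token(self, code: str, verifier: str):
        """Token endpoint: recompute the challenge from the presented verifier and compare."""
        entry = self._pending.pop(code, None)  # code is single-use whatever the outcome
        if entry is None:
            return None
        challenge, method = entry
        if method == "S256":
            expected = challenge_s256(verifier)
        elif method == "plain":
            expected = challenge_plain(verifier)
        else:
            return None
        if not hmac.compare_digest(expected, challenge):
            return None
        return "access-token-for-" + code  # placeholder AT for the illustration


def run_flow(method: str, redeemer: str) -> bool:
    """
    One complete flow with the given challenge method. 'redeemer' is either the
    legitimate "client" (knows the verifier) or an "observer" who saw the
    authorization request and therefore knows only the challenge and the code.
    Returns True if the token endpoint issued a token to that party.
    """
    az = AuthorizationServer()
    verifier = make_verifier()
    challenge = challenge_s256(verifier) if method == "S256" else challenge_plain(verifier)
    code = az.authorize(challenge, method)            # app -> authorization endpoint
    presented = verifier if redeemer == "client" else challenge
    return az.token(code, presented) is not None      # redeemer -> token endpoint


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(m, "client:", run_flow(m, "client"), "observer:", run_flow(m, "observer"))
```

With "plain" the observer succeeds because the challenge it saw is the verifier; with "S256" it fails, since inverting the hash is infeasible and the AS only accepts the preimage.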