[Openid-specs-risc] Fwd: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc

Adam Dawes adawes at google.com
Mon Nov 2 14:12:05 UTC 2015

Here's a summary of a meeting from IETF to talk about Identity events which
will work across standards including RISC. I did not attend the meeting but
the group is looking to create a mailing list for further discussion and
I'll post details on that when that is all set up.


---------- Forwarded message ----------
From: Phil Hunt <phil.hunt at oracle.com>
Date: Sun, Nov 1, 2015 at 10:43 PM
Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth
Token Revocation etc
To: Barry Leiba <barryleiba at computer.org>
Cc: John Bradley <ve7jtb at ve7jtb.com>, William Denniss <wdenniss at google.com>,
Tony Nadalin <tonynad at microsoft.com>, Morteza Ansari <morteza at sharppics.com>,
Adam Dawes <adawes at google.com>, Justin Richer <jricher at mit.edu>, Ian Glazer
<iglazer at salesforce.com>, Kelly Grizzle <kelly.grizzle at sailpoint.com>, Erik
Wahlström neXus <erik.wahlstrom at nexusgroup.com>, Mike Jones <
Michael.Jones at microsoft.com>

Thanks for the meeting.  Here is a quick summary.  Please reply with any

Adding Barry to the thread (Barry see request at bottom).

Attendees:  Phil Hunt, Mike Jones, Justin Richer, John Bradley, William

Summary:  there are a number of different initiatives that are all starting
to generate events around identity. We got together to talk about whether
we should be aligning our efforts. The areas that may be interested are:

OIDC - Session Logout / Revocation
OAuth - Token Revocation
RISC - Account events (take over, account reset, etc)
SCIM - Provisioning events (has overlap with RISC)
Consent - Tracking and delivery of consent events (e.g. in a distributed
healthcare system).

the group had agreement that there should be a core “event” JWT
specification developed at the IETF. This becomes the basic information
packet that can be delivered via HTTP and other protocols.  Once the Event
JWT is defined, each group can create profiles appropriate to their

The general feeling was that all cases need a publish and subscribe model,
but that different areas might have widely varying types of subscriptions.
*  1:1 - a web app getting notifications about changes to a user’s profile
or a de-provisioning notification
*  1:secured set of RPs - e.g. notifying RPs about session or token
*  1:domain - inter-domain state change notifications
-  broadcast - e.g. sending out a RISC event to interested subscriber

While I suggested the Pub/Sub/Hub model that SCIM Notify has (see the URL
in a pervious msg), there was no immediate consensus that this was the
right approach. We’ll have to keep talking.  I also mentioned the WebPUSH
work which has been going. We think this work does not really apply since
WebPUSH does not really handle one-to-many message delivery.

We also talked that the message system should be self-healing. There might
need to be a way for a subscriber to detect or confirm if it has missed any
messages. E.g. clients could check message-id numbers etc. We would also
like to ensure, for scalability and security reasons, that messages are not
kept for long periods of time.

One of the questions that John Bradley raised early in the discussion was
how subscribers attach meaning to resource identifiers from an event
publisher.  This definitely remains a question mark in some cases.  I
believe may SCIM have its own solution, but to be honest, we hadn’t really
gone to far down the path. With that said, I think we concluded that each
interest group would have to address this issue, but that we could build
some advice in the event spec.

As an action item, the group agreed to approach Barry Leiba (cc’d) about
starting a discussion list for events that could eventually lead to having
the work assigned to an existing WG or a new one being created.  We
discussed whether this fits in OAuth, SCIM, or JOSE. It seems like none of
these is a good fit due to the generalized objective.  Instead, we would
expect WGs like SCIM and OAuth to profile the event system for their own
subject area.

If folks are ok with it, I can cross-post this message on the SCIM and
OAuth WG lists so we can open up the discussion.  I could alternatively
wait for the event list and then let the other WG’s know about the list and
the summary of this meeting.

Thanks everyone for the meeting!


phil.hunt at oracle.com

On Nov 2, 2015, at 2:09 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

Phil, Justin, and I are conference room 313. Are any of the rest of you

-- Mike
From: Phil Hunt <phil.hunt at oracle.com>
Sent: ‎11/‎2/‎2015 1:56 PM
To: John Bradley <ve7jtb at ve7jtb.com>
Cc: Mike Jones <Michael.Jones at microsoft.com>; William Denniss
<wdenniss at google.com>; Anthony Nadalin <tonynad at microsoft.com>; Morteza
Ansari <morteza at sharppics.com>; Adam Dawes <adawes at google.com>; Justin
Richer <jricher at mit.edu>
Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth
Token Revocation etc

Me too!


phil.hunt at oracle.com

On Nov 2, 2015, at 1:45 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

I am free now I have room 313 we can use for the next hour or so.

On Nov 2, 2015, at 1:40 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

This means that we’ll miss the CRFG meeting at 3:20, but I’ll prioritize
this over CFRG, if that’s what it takes.

If people aren’t doing anything important now, I’d rather leave httpbis and
have the discussion now than miss CRFG, given the new crypto algorithms are
being discussed there and I should probably attend.

Would meeting during the current session work for people?

                                                            -- Mike

*From:* Phil Hunt [mailto:phil.hunt at oracle.com <phil.hunt at oracle.com>]
*Sent:* Monday, November 02, 2015 11:12 AM
*To:* William Denniss
*Cc:* Anthony Nadalin; Morteza Ansari; John Bradley; Adam Dawes; Mike Jones
*Subject:* Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth
Token Revocation etc

Adding mike to the list.

So far 3 seems best. John has to leave at 3:45. We can always continue the
conversation at dinner after tokbind.

I hear the concern about jwt confusiin. I think what I meant was events
expressed in a jwt like form based on JOSE. Signing and encryption which
are important for events.

I propose we meet in the registration area and can decide where to go from


On Nov 2, 2015, at 10:55, William Denniss <wdenniss at google.com> wrote:

I'm keen to talk about this at 3p today Phil.

Have been doing some thinking in the RISC context (cc:Adam). We were
thinking of using JWTs, but of course would need to make sure they were not
also valid ID Tokens (which the logout spec achieves by not including the
'nonce' claim – but makes me regret that there wasn't a "type" claim in the
ID Token spec).

On Mon, Nov 2, 2015 at 9:31 AM, Phil Hunt <phil.hunt at oracle.com> wrote:

There seem to be a number of event proposals coming out (OAuth, OIDC RISC,
OIDC Logout, and SCIM) that could be optimized if they all shared a common
protocol for event delivery. While all of the proposals so far use JWTs, it
seems like we could make this happen faster if all of them worked from a
common notification protocol.  I note that all proposals are actually at an
early stage — so generalizing won’t delay any single case. It may speed
them up.

For those at IETF this week, maybe we can meet some time early in the week
and discuss informally to kick things off?

I have some time this week, and would be happy to put together a new
straw-man proposal so we can take it back to the SCIM and OIDC communities.

I have an open time slot between 3 and 5PM today (or tonight) for those
that are interested.
ps. There is a crypto forum between 3 and 5 as well.


phil.hunt at oracle.com

Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20151102/5d4bab81/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_5380.jpg
Type: image/jpeg
Size: 1112074 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20151102/5d4bab81/attachment-0001.jpg>

More information about the Openid-specs-risc mailing list