[Openid-specs-risc] Fwd: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc

Nat Sakimura sakimura at gmail.com
Mon Nov 2 15:09:59 UTC 2015


What would be its relation to the MILE WG work? 

=nat via iPhone

On 2015/11/02 23:12, Adam Dawes <adawes at google.com> wrote:

> Here's a summary of a meeting from IETF to talk about Identity events which will work across standards including RISC. I did not attend the meeting but the group is looking to create a mailing list for further discussion and I'll post details on that when that is all set up.
> 
> thanks,
> AD
> 
> 
> ---------- Forwarded message ----------
> From: Phil Hunt <phil.hunt at oracle.com>
> Date: Sun, Nov 1, 2015 at 10:43 PM
> Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc
> To: Barry Leiba <barryleiba at computer.org>
> Cc: John Bradley <ve7jtb at ve7jtb.com>, William Denniss <wdenniss at google.com>, Tony Nadalin <tonynad at microsoft.com>, Morteza Ansari <morteza at sharppics.com>, Adam Dawes <adawes at google.com>, Justin Richer <jricher at mit.edu>, Ian Glazer <iglazer at salesforce.com>, Kelly Grizzle <kelly.grizzle at sailpoint.com>, Erik Wahlström neXus <erik.wahlstrom at nexusgroup.com>, Mike Jones <Michael.Jones at microsoft.com>
> 
> 
> Thanks for the meeting.  Here is a quick summary.  Please reply with any corrections. 
> 
> Adding Barry to the thread (Barry see request at bottom).
> 
> Attendees:  Phil Hunt, Mike Jones, Justin Richer, John Bradley, William Denniss
> 
> Summary:  there are a number of different initiatives that are all starting to generate events around identity. We got together to talk about whether we should be aligning our efforts. The areas that may be interested are:
> 
> OIDC - Session Logout / Revocation
> OAuth - Token Revocation
> RISC - Account events (take over, account reset, etc)
> SCIM - Provisioning events (has overlap with RISC)
> Consent - Tracking and delivery of consent events (e.g. in a distributed healthcare system).
> 
> The group had agreement that there should be a core “event” JWT specification developed at the IETF. This becomes the basic information packet that can be delivered via HTTP and other protocols.  Once the Event JWT is defined, each group can create profiles appropriate to their constituency. 
> 
> The general feeling was that all cases need a publish and subscribe model, but that different areas might have widely varying types of subscriptions.  E.g.
> * 1:1 - a web app getting notifications about changes to a user’s profile or a de-provisioning notification
> * 1:secured set of RPs - e.g. notifying RPs about session or token revocations
> * 1:domain - inter-domain state change notifications
> * broadcast - e.g. sending out a RISC event to interested subscriber domains.
> 
> While I suggested the Pub/Sub/Hub model that SCIM Notify has (see the URL in a previous msg), there was no immediate consensus that this was the right approach. We’ll have to keep talking.  I also mentioned the WebPUSH work which has been going. We think this work does not really apply since WebPUSH does not really handle one-to-many message delivery.
> 
> We also discussed that the message system should be self-healing. There might need to be a way for a subscriber to detect or confirm if it has missed any messages. E.g. clients could check message-id numbers etc. We would also like to ensure, for scalability and security reasons, that messages are not kept for long periods of time.
> 
> 
> 
> One of the questions that John Bradley raised early in the discussion was how subscribers attach meaning to resource identifiers from an event publisher.  This definitely remains a question mark in some cases.  I believe SCIM may have its own solution, but to be honest, we hadn’t really gone too far down the path. With that said, I think we concluded that each interest group would have to address this issue, but that we could build some advice in the event spec.
> 
> As an action item, the group agreed to approach Barry Leiba (cc’d) about starting a discussion list for events that could eventually lead to having the work assigned to an existing WG or a new one being created.  We discussed whether this fits in OAuth, SCIM, or JOSE. It seems like none of these is a good fit due to the generalized objective.  Instead, we would expect WGs like SCIM and OAuth to profile the event system for their own subject area.
> 
> If folks are ok with it, I can cross-post this message on the SCIM and OAuth WG lists so we can open up the discussion.  I could alternatively wait for the event list and then let the other WG’s know about the list and the summary of this meeting.
> 
> Thanks everyone for the meeting!
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
> 
>> On Nov 2, 2015, at 2:09 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> 
>> Phil, Justin, and I are conference room 313. Are any of the rest of you coming?
>> 
>> -- Mike
>> From: Phil Hunt
>> Sent: ‎11/‎2/‎2015 1:56 PM
>> To: John Bradley
>> Cc: Mike Jones; William Denniss; Anthony Nadalin; Morteza Ansari; Adam Dawes; Justin Richer
>> Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc
>> 
>> Me too!
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt at oracle.com
>> 
>>> On Nov 2, 2015, at 1:45 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>> 
>>> I am free now I have room 313 we can use for the next hour or so.
>>> 
>>> 
>>>> On Nov 2, 2015, at 1:40 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>>> 
>>>> This means that we’ll miss the CFRG meeting at 3:20, but I’ll prioritize this over CFRG, if that’s what it takes.
>>>>  
>>>> If people aren’t doing anything important now, I’d rather leave httpbis and have the discussion now than miss CFRG, given the new crypto algorithms are being discussed there and I should probably attend.
>>>>  
>>>> Would meeting during the current session work for people?
>>>>  
>>>> -- Mike
>>>>  
>>>> From: Phil Hunt [mailto:phil.hunt at oracle.com] 
>>>> Sent: Monday, November 02, 2015 11:12 AM
>>>> To: William Denniss
>>>> Cc: Anthony Nadalin; Morteza Ansari; John Bradley; Adam Dawes; Mike Jones
>>>> Subject: Re: Unifying Event Messaging for RISC, SCIM, OIDC Logout, OAuth Token Revocation etc
>>>>  
>>>> Adding Mike to the list.
>>>>  
>>>> So far 3 seems best. John has to leave at 3:45. We can always continue the conversation at dinner after tokbind. 
>>>>  
>>>> I hear the concern about JWT confusion. I think what I meant was events expressed in a JWT-like form based on JOSE, with signing and encryption, which are important for events. 
>>>>  
>>>> I propose we meet in the registration area and can decide where to go from there. 
>>>> 
>>>> Phil
>>>> 
>>>> On Nov 2, 2015, at 10:55, William Denniss <wdenniss at google.com> wrote:
>>>> 
>>>> I'm keen to talk about this at 3p today Phil.
>>>>  
>>>> Have been doing some thinking in the RISC context (cc: Adam). We were thinking of using JWTs, but of course would need to make sure they were not also valid ID Tokens (which the logout spec achieves by not including the 'nonce' claim – but makes me regret that there wasn't a "type" claim in the ID Token spec).
>>>>  
>>>> On Mon, Nov 2, 2015 at 9:31 AM, Phil Hunt <phil.hunt at oracle.com> wrote:
>>>>  
>>>> There seem to be a number of event proposals coming out (OAuth, OIDC RISC, OIDC Logout, and SCIM) that could be optimized if they all shared a common protocol for event delivery. While all of the proposals so far use JWTs, it seems like we could make this happen faster if all of them worked from a common notification protocol.  I note that all proposals are actually at an early stage — so generalizing won’t delay any single case. It may speed them up.
>>>>  
>>>> For those at IETF this week, maybe we can meet some time early in the week and discuss informally to kick things off?
>>>>  
>>>> I have some time this week, and would be happy to put together a new straw-man proposal so we can take it back to the SCIM and OIDC communities.
>>>>  
>>>> I have an open time slot between 3 and 5PM today (or tonight) for those that are interested. 
>>>> ps. There is a crypto forum between 3 and 5 as well.
>>>>  
>>>> Phil
>>>>  
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt at oracle.com
> 
> 
> 
> 
> -- 
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
> 
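As an added example, not code from the thread or from any of the specs it names, the following shows the RP-side check William describes: an ID Token must carry the nonce the RP issued, while an event or logout JWT must not, and a separate claim marks it as an event. The HS256 helpers, the shared key, the `events` claim name and the sample claim sets are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HMAC key for the illustration; a real issuer would sign
# with an asymmetric key (RS256/ES256) that RPs verify via its JWKS.
SECRET = b"constructed-demo-key"
EVENTS_CLAIM = "events"  # assumed type marker for event/logout JWTs

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SECRET) -> dict:
    """Check the HMAC in constant time and return the payload, or raise."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def accept_as_id_token(token: str, expected_nonce: str, key: bytes = SECRET) -> bool:
    """Login path: only a JWT bound to our nonce and free of event claims counts."""
    claims = verify_jwt(token, key)
    return EVENTS_CLAIM not in claims and claims.get("nonce") == expected_nonce

def accept_as_event(token: str, key: bytes = SECRET) -> bool:
    """Event path: only an event JWT that carries no nonce is acted on."""
    claims = verify_jwt(token, key)
    return EVENTS_CLAIM in claims and "nonce" not in claims

# Constructed sample tokens from the same issuer, for the same subject and audience.
ID_TOKEN = sign_jwt({"iss": "https://op.example", "sub": "alice", "aud": "rp1", "nonce": "n-42"})
LOGOUT_EVENT = sign_jwt({"iss": "https://op.example", "sub": "alice", "aud": "rp1",
                         EVENTS_CLAIM: {"urn:example:event:logout": {}}})
```

Note that the two tokens share issuer, subject and audience, so only the nonce/events distinction keeps a logout event from being replayed as a login.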