[Openid-specs-risc] RISC Meeting notes for 8/22
mscurtescu at google.com
Tue Aug 23 20:56:50 UTC 2016
Attendees: Marius Scurtescu, Adam Dawes, Phil Hunt, John Bradley, Adam
Migus, Henrik Biering, Dale Olds, Brad Hill, William Denniss

Security Event Spec
- Renamed from Identity Event Token -> Security Event Token
- Structure: JSON envelope + payload
- Tokens should only be a single event. Event can have additional extension
- Another thought that when events have same origin (change password for
SCIM and RISC) you could package them together. But in fact it is unlikely
that you would have the same audience for these two events.
- Maybe add an event ID so that you could tie the two together. -> General
interest in doing this, doesn't seem like a bad idea.

Is the sub in the event attribute or top level jwt?
- Connect wants it at top level for single logout to make simpler for
- how do we differentiate ID tokens from RISC events? Can remove nonce but
we can't do that for every other new jwt type.
- Option: Introduce a JWT type explicitly. Libraries will have to update
- Option: make the audience a URL that is unique.
- New event claim and event types
- jwt types: probably should have had them. But this will slow things down.
- Not redefining sub for OIDC but each spec will define sub in its own way
- Still can have nested claims if there is additional information
- Issuer at top level is always issuer of the event
- jti is identifier for the event. If the event was to revoke an ID token,
it would have both independent jti as well as jti of the original session.
-> Phil will have conversation with Mike to make sure Connect logout is
-> William to help Phil with ID Event spec.
-> Phil and Marius will meet to move distribution forward

Please follow up with corrections and/or additions.
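To make the envelope discussion above concrete, here is an added, self-contained Python example (not code from the meeting, the OpenID RISC group or any SET implementation) that builds a token in the shape the notes describe, with iss/aud/sub/jti at the top level and a single event carried in an event claim, and then validates it the way a receiver would have to: signature first, then an explicit JWT type so an ID token is never accepted as an event, then the one-event-per-token rule. The "events" claim name and the "secevent+jwt" type are the ones RFC 8417 later standardised; the HMAC key, issuer, audience, subject and event type URI are constructed sample values, and the "revoked_jti" extension field that carries the original session's jti is a hypothetical name chosen for this example.

```python
"""Minimal Security Event Token (SET) build/validate with the stdlib only.

Constructed example. The top-level claims follow the structure from the
meeting notes; "events" and typ "secevent+jwt" are the names RFC 8417 later
adopted. Key, issuer, audience and event type URI are made-up sample values.
"""
import base64
import hashlib
import hmac
import json
import time

SAMPLE_KEY = b"constructed-shared-secret"  # sample HMAC key, not a real one
SET_TYP = "secevent+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jws(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS with HS256; enough to show the envelope (a real deployment
    would normally use an asymmetric algorithm and a key id)."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def build_set(issuer, audience, subject, event_type, event_data, key, jti, now=None):
    """One event per token; the event may carry extension data of its own.
    jti identifies this event; any jti of an affected session goes inside
    the event data (here under the hypothetical name "revoked_jti")."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": SET_TYP}  # explicit JWT type
    payload = {
        "iss": issuer,          # top-level iss is always the event's issuer
        "aud": audience,
        "sub": subject,         # sub at top level, as Connect asked for
        "jti": jti,
        "iat": now,
        "events": {event_type: event_data},
    }
    return encode_jws(header, payload, key)


class SetValidationError(ValueError):
    pass


def validate_set(token, key, expected_issuer, expected_audience):
    """Verify the signature, then apply the structural rules from the notes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SetValidationError("not a compact JWS")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise SetValidationError("bad signature")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    if header.get("alg") != "HS256":
        raise SetValidationError("unexpected alg")
    # An ID token (typ "JWT" or absent) must never be consumed as an event.
    if header.get("typ") != SET_TYP:
        raise SetValidationError("not a security event token")
    if "nonce" in payload:
        raise SetValidationError("nonce present: this looks like an ID token")
    if payload.get("iss") != expected_issuer:
        raise SetValidationError("issuer mismatch")
    aud = payload.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise SetValidationError("audience mismatch")
    for claim in ("jti", "iat", "sub"):
        if claim not in payload:
            raise SetValidationError(f"missing {claim}")
    events = payload.get("events")
    if not isinstance(events, dict) or len(events) != 1:
        raise SetValidationError("a SET must carry exactly one event")
    (event_type, event_data), = events.items()
    return {"jti": payload["jti"], "sub": payload["sub"],
            "event_type": event_type, "event_data": event_data}


def check_set(token, key, expected_issuer, expected_audience):
    """Return None when the token is acceptable, else the rejection reason."""
    try:
        validate_set(token, key, expected_issuer, expected_audience)
        return None
    except SetValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = build_set("https://issuer.example", "https://rp.example", "user-123",
                    "https://example.com/events/token-revoked",
                    {"revoked_jti": "orig-session-1"}, SAMPLE_KEY, "evt-1")
    print(validate_set(tok, SAMPLE_KEY, "https://issuer.example", "https://rp.example"))
```

The two rejection branches worth noting are the ones the meeting debated: a token whose header lacks the explicit type (or that carries a nonce) is treated as an ID token and refused, and a payload that packages two events in one envelope is refused even with a valid signature, so the receiver never has to guess which audience each event was meant for.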