[Openid-specs-risc] RISC events supported by Google

Phil Hunt phil.hunt at oracle.com
Tue Apr 11 18:40:50 UTC 2017


I’d suggest we make an attempt to go through the list Adam presented to the F2F.

It is useful to examine the overlap with backchannel logout and scim as well.

There is a tight relationship between “security” (which RISC seems to represent), “provisioning” (SCIM), and access/session management (OIDC and OAuth).

For example, some of the events you propose overlap with Backchannel logout and session mgmt. 

IMO Logout / Session / Token revoke events should not require consent to share. One could argue they MUST be shared to protect user privacy since user expectation with logout is that PII is cleaned up and sessions/tokens are always cancelled. In a sense some of this is because browser cookie cleanup is so unreliable. 

The mandatory disclosure of these events seem different then the higher-level account theft protections that RISC talks about where consent seems more important as it may be surprising.

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>












> On Apr 11, 2017, at 11:26 AM, Marius Scurtescu <mscurtescu at google.com> wrote:
> 
> On Tue, Apr 11, 2017 at 11:14 AM, Phil Hunt <phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>> wrote:
> 
> This seems to be a subset of the larger list that Adam has presented during the last few F2F meetings.
> 
> Are we talking about a set of MTI events?  Or just the first events to focus in on.
> 
> First events to focus on. I don't think we can mandate any events, to me it is always up to the issuer.
>  
> 
> I think it would be worth while writing down definitions for all of them so we can understand the differences between events.
> 
> Phil
> 
> Oracle Corporation, Identity Cloud Services Architect & Standards
> @independentid
> www.independentid.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=-jtiVB-B3bVj98s3nPoQQzXu6ZdTK_px57kg21l6yIM&s=VlZ0wlVnNuLelhKy1hSMCEzOa2w0WfLLFUIVEGIjX28&e=>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>> On Apr 11, 2017, at 11:02 AM, Mike Jones <Michael.Jones at microsoft.com <mailto:Michael.Jones at microsoft.com>> wrote:
>> 
>> This is useful, Marius.  What are the arguments for each of these events?
>>  
>> From: Openid-specs-risc [mailto:openid-specs-risc-bounces at lists.openid.net <mailto:openid-specs-risc-bounces at lists.openid.net>] On Behalf Of Marius Scurtescu
>> Sent: Tuesday, April 11, 2017 10:50 AM
>> To: openid-specs-risc at lists.openid.net <mailto:openid-specs-risc at lists.openid.net>
>> Subject: [Openid-specs-risc] RISC events supported by Google
>>  
>> Right now Google supports the following events:
>> - sessions-revoked - it states the Google closed all existing sessions for given subject
>> - tokens-revoked - it states that Google revoked all tokens for given user and recipient (client), no individual token strings provided, applies only to tokens explicitly revoked by the user
>> 
>> In the near future Google is planning to support:
>> - account-deleted - the account was deleted, an RP should find an alternative way to authenticate the user, while they still have an active session (if Google was only IdP and no other recovery email then account is practically lost)
>> - account-locked - account locked because of possibility of hijacking
>> - account-recovered - user recovered previously locked account
>> - account-reverification-requested - account not locked, but all sessions closed and user will be asked to change password on next login
>> 
>> Potentially in the mid future:
>> - account-identifier-changed - email address changes
>> - other token revocation events (revoked by client through API, revoked by Google for various reasons)
>> - log out events
>> 
>> Thoughts?
>>  
>> Which of these events do you think you would use and how?
>>  
>> What other events would you like to receive from Google (and RISC in general)?
>> 
>> Thanks,
>> Marius
>> _______________________________________________
>> Openid-specs-risc mailing list
>> Openid-specs-risc at lists.openid.net <mailto:Openid-specs-risc at lists.openid.net>
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Drisc&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I457x4aQqCx7MBVL6ZjO_SlwfA4PpSO72h__VrpGxBA&s=YQvshO69_ITj0EEukIKbIHcSEKZUY9z-gG7kKzIx8eo&e= <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Drisc&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I457x4aQqCx7MBVL6ZjO_SlwfA4PpSO72h__VrpGxBA&s=YQvshO69_ITj0EEukIKbIHcSEKZUY9z-gG7kKzIx8eo&e=> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20170411/38d51337/attachment.html>


More information about the Openid-specs-risc mailing list