[Openid-specs-ab] Spec call partial notes 7-Jul-11
Mike Jones
Michael.Jones at microsoft.com
Thu Jul 7 23:12:55 UTC 2011
Spec call partial notes 7-Jul-11

  Edmund Jay
  Mike Jones
  Nat Sakimura
  John Bradley
  George Fletcher
  Johnny Bufu

Agenda:
  Accounts on openid.net, svn.openid.net
  Mike's update on spec release
  Launch plan
  Contacting developers
  Johnny Bufu's feedback

Contacting Developers
  Johnny Bufu - Mike to contact
  Pam lining somebody up at Ping - Mike to contact
  Andrew Arnott - John to contact
  Chuck Mortimore - Mike to contact
  University of Newcastle - John to contact
  NII (Japanese InCommon) - Nat to contact
  Andreas Solberg (OpenSAMLPHP guy) - John to contact
  Breno
  Edmund

Formal launch plan
  Adding links from specs page
    Mike to drive
  Pam writing overview one-pager - to be done by Friday
  openidconnect.com content update
    John to get access from David
  Note to OpenID specs and board public list
    Ask Allen and Kick to review note before sending it
    Probably have Allen send it
  Ping Summit
    A week from now
    We discussed whether Edmund can rig a demo for the summit
Johnny Bufu's feedback:
  Base64url is defined but not used anywhere.
    Check
  UserInfo Endpoint... "returns information about the current user":
    The user who presented the access token
  RP is defined as "Client and Resource Servers"
    Fix
  UserInfo Endpoint is defined as "protected resource"
    Fix - provided by OP
  "ID Token" is referenced but not defined.
    See session spec (and fix multiple definitions)
    (Can use introspection endpoint rather than id_token)
    Verify whether it's written down - possibly in the framework spec
  response_type: "Acceptable values are code, token, and none." - Is the list complete?
    Intended to be extensible
    Session management defines id_token type as well - add to core
    We are counting on the ability for OAuth to return multiple values
      Mike will shepherd this at the IETF meeting
  "Response values for other requested response_type parameters are returned in the Access Token Endpoint (Need Confirmation)."
    Delete this sentence
  Where is the "openid": {...} (JSON) construct from the example defined?
    Delete this example and replace with a correct one
    John to supply correct example
  OAuth 2.0 doesn't define a parameter named "request" that I could find.
    Parameter in the OAuth request
  Session Token referenced but not defined
    Is id_token
  Pointer should be to Core/Section 3.1.2 instead of 4.1.2.
    Fix
  Does session_selection_required correspond to an error in processing the prompt:select_account from an Authorization Request?
    Edmund to recommend how to fix this
  "Claims object" not formally defined - reader left to guess/assume it's the same as the "clm" object described in section 3.1.1 / OpenID Request Object.
    Fix
  "RESERVED" is capitalized but not defined by RFC2119
    Fix
  What is a (request/response) schema?
    Fix
  "See the OpenID Connect Core [OpenID.CC] specification on how to request a different format."
    Edmund to recommend fix
  3. Check if the current time is within the validity period.
    Fix - refers to token
  Is "User Info API request" the same as a regular request to the UserInfo Endpoint (these are not referred to as APIs before this occurrence)?
    Fix
  Claim objects are not formally defined.
    George to look at UserInfo comments
      Including schema comments
    Reference Framework and format parameter from UserInfo spec

[The call continued after the first hour without Mike, who had a hard stop - Nat is taking further notes.]