[Openid-specs-ab] Spec call notes 13-Jun-11

Mike Jones Michael.Jones at microsoft.com
Mon Jun 13 22:45:45 UTC 2011


Spec call notes 13-Jun-11

Nat Sakimura
John Bradley
Edmund Jay
Mike Jones

Edmund met with Breno
Breno and Facebook want to use new OAuth response types - comma separated
                code,token,session
    Session is what we used to call the ID Token
    Facebook also proposed a response type "none"

    John believes that current OAuth draft only allows you to ask for one token type
                Breno thinks it's being changed
                We need to monitor this in the draft

Breno and Edmund discussed how to restructure the session management to make it more readable
                Edmund is working on that

They talked about additional request parameters related to the user experience.  Breno proposed
                display={none,mobile,popup}

They discussed a parameter expressing the approval required
This would be a space-separated list of the following choices:
                prompt=login consent selectaccount

They discussed a nonce parameter
                John wasn't sure what they were trying to accomplish with this
                Edmund said that it would be passed back as part of the session token
                Apparently Facebook is interested in this
                Edmund will follow up with Breno on this and get a description of it

They discussed the token introspection endpoint
                It can either be called with an access token or session token

Edmund expects to get these things written up this week

John has been working on writing up how to get back multiple endpoints for the OpenID provider
                He will try to circulate something tomorrow

Mike committed to update the UserInfo endpoint schema - will try to circulate something tomorrow or Wednesday

Scott Cantor and John had discussed that a problem with SAML has been not nailing down the EntityID format for the issuer
                We should try to avoid this
                Is it a URL for one of our endpoints, or something more abstract?
                We probably need to be specific about what the identifier for the IdP is
                The initial endpoint where you do discovery for the identifiers is likely a good choice
                John will take a stab at this as part of his write-up

John, Nat, and Mike are planning to go to the OpenID summit in Colorado
They also plan to go to the IETF meeting in Quebec City that is soon after it

Don is meeting with Alan Tom and Eric this week about the Connect launch plan
                John plans to try to call in for that

We plan to have specs complete enough for early implementers by the end of this month