[Openid-specs-ab] Spec call notes 13-Jun-11
Breno de Medeiros
breno at google.com
Mon Jun 13 23:08:30 UTC 2011
Adding another comment upon request by Nat. Inline.
On Mon, Jun 13, 2011 at 15:45, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Spec call notes 13-Jun-11
>
>
>
> Nat Sakimura
>
> John Bradley
>
> Edmund Jay
>
> Mike Jones
>
>
>
> Edmund met with Breno
>
> Breno and Facebook want to use new OAuth response types - comma-separated
>
> code,token,session
>
> Session is what we used to call the ID Token
>
> Facebook also proposed a response type "none"
>
>
>
> John believes that current OAuth draft only allows you to ask for one
> token type
>
> Breno thinks it's being changed
>
> We need to monitor this in the draft
A decision was made at the IETF meeting to make response_type extensible.
This WG could define the extension to include the possibility of
listing multiple response types.
Separately, Google needs to support 'response_type=none' for a set of
use cases that overlaps with FB's usage of the same. There are cases
where (for higher security) the token is transported through other
mechanisms and it is only sufficient to record the user approval. This
enables a set of use cases with value beyond OpenID Connect.
>
>
>
> Breno and Edmund discussed how to restructure the session management to make
> it more readable
>
> Edmund is working on that
>
>
>
> They talked about additional request parameters related to the user
> experience. Breno proposed
>
> display={none,mobile,popup}
>
>
>
> They discussed a parameter expressing the approval required
>
> This would be a space-separated list of the following choices:
>
> prompt=login consent selectaccount
>
>
>
> They discussed a nonce parameter
>
> John wasn't sure what they were trying to accomplish with
> this
>
> Edmund said that it would be passed back as part of the
> session token
>
> Apparently Facebook is interested in this
>
> Edmund will follow up with Breno on this and get a
> description of it
>
>
>
> They discussed the token introspection endpoint
>
> It can either be called with an access token or session
> token
>
>
>
> Edmund expects to get these things written up this week
>
>
>
> John has been working on writing up how to get back multiple endpoints for
> the OpenID provider
>
> He will try to circulate something tomorrow
>
>
>
> Mike committed to update the UserInfo endpoint schema - will try to
> circulate something tomorrow or Wednesday
>
>
>
> Scott Cantor and John had discussed that a problem with SAML has been not
> nailing down the EntityID format for the issuer
>
> We should try to avoid this
>
> Is it a URL for one of our endpoints, or something more
> abstract?
>
> We probably need to be specific about what the identifier
> for the IdP is
>
> The initial endpoint where you do discovery for the
> identifiers is likely a good choice
>
> John will take a stab at this as part of his write-up
>
>
>
> John, Nat, and Mike are planning to go to the OpenID summit in Colorado
>
> They also plan to go to the IETF meeting in Quebec City, which is soon after
> it
>
>
>
> Don is meeting with Alan Tom and Eric this week about the Connect launch
> plan
>
> John plans to try to call in for that
>
>
>
> We plan to have specs complete enough for early implementers by the end of
> this month
>
--
--Breno
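As an added example (not code from the OpenID AB working group, from Google, or from anyone on this thread), here is a small authorization-request parser for the parameters the call notes discuss: a comma-separated `response_type` list (`code,token,session`, with `none` as Facebook proposed), `display={none,mobile,popup}`, a space-separated `prompt` list, and a `nonce`. The value sets and separators follow the notes; the rejection rules (duplicates, `none` combined with other types, `nonce` required when a session token is requested) and the idea that the session token carries the nonce as a `nonce` claim are assumptions made for illustration, since the notes only say the nonce "would be passed back as part of the session token".

```python
# Added example, not part of the call notes or any OpenID AB draft.
# Allowed values and separators follow the notes; the validation rules and the
# "nonce" claim in the session token are assumptions for illustration.
from urllib.parse import parse_qs, urlparse

RESPONSE_TYPES = {"code", "token", "session", "none"}  # "session" = the ID token
DISPLAY_VALUES = {"none", "mobile", "popup"}
PROMPT_VALUES = {"login", "consent", "selectaccount"}


class BadRequest(ValueError):
    """Raised when a parameter is missing, unknown, or internally inconsistent."""


def _single(q, name, required=False):
    """Return the single value of a query parameter, rejecting duplicates."""
    values = q.get(name, [])
    if len(values) > 1:
        raise BadRequest(f"duplicate parameter: {name}")
    if not values:
        if required:
            raise BadRequest(f"missing parameter: {name}")
        return None
    return values[0]


def parse_authz_request(url):
    """Parse an authorization request URL into validated parameters."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)

    # response_type is a comma-separated list in the proposal from the notes.
    raw = _single(q, "response_type", required=True)
    response_types = [t for t in raw.split(",") if t]
    if not response_types:
        raise BadRequest("empty response_type")
    unknown = set(response_types) - RESPONSE_TYPES
    if unknown:
        raise BadRequest(f"unknown response_type value(s): {sorted(unknown)}")
    if len(set(response_types)) != len(response_types):
        raise BadRequest("repeated response_type value")
    # Assumption: "none" only records the user's approval (the token travels
    # another way), so combining it with a token-returning type is contradictory.
    if "none" in response_types and len(response_types) > 1:
        raise BadRequest("response_type=none cannot be combined with other types")

    display = _single(q, "display")
    if display is not None and display not in DISPLAY_VALUES:
        raise BadRequest(f"unknown display value: {display}")

    # prompt is a space-separated list; parse_qs already turns '+' / %20 into spaces.
    raw_prompt = _single(q, "prompt")
    prompts = raw_prompt.split() if raw_prompt else []
    unknown = set(prompts) - PROMPT_VALUES
    if unknown:
        raise BadRequest(f"unknown prompt value(s): {sorted(unknown)}")

    nonce = _single(q, "nonce")
    # Assumption: a client asking for the session (ID) token should bind it to
    # this request with a nonce, so one is required in that case.
    if "session" in response_types and not nonce:
        raise BadRequest("nonce is required when requesting a session token")

    return {
        "response_types": response_types,
        "display": display,
        "prompts": prompts,
        "nonce": nonce,
    }


def nonce_matches(session_token_claims, expected_nonce):
    """Check that the nonce echoed in the session token is the one we sent.

    Assumption: the session token carries the nonce as a "nonce" claim.
    """
    return bool(expected_nonce) and session_token_claims.get("nonce") == expected_nonce


if __name__ == "__main__":
    # Constructed sample request; not captured from any real deployment.
    sample = ("https://op.example/authorize?client_id=abc"
              "&response_type=code,session&display=popup"
              "&prompt=login+consent&nonce=n-0S6_WzA2Mj"
              "&redirect_uri=https://rp.example/cb")
    req = parse_authz_request(sample)
    print(req)
    # Constructed claims standing in for a decoded session token.
    print(nonce_matches({"sub": "1234", "nonce": "n-0S6_WzA2Mj"}, req["nonce"]))
```

The parser rejects duplicated parameters before looking at their values, because a request that carries two `response_type` or two `nonce` values is ambiguous about what the client actually asked for; the nonce check is written as a function the relying party calls after decoding whatever form the session token ends up taking.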