[Openid-specs-ab] Spec call notes 19-Sep-11
Mike Jones
Michael.Jones at microsoft.com
Mon Sep 26 23:12:55 UTC 2011
Spec call notes 19-Sep-11
  Pamela Dingle
  Mike Jones
  Nat Sakimura
  John Bradley
  Edmund Jay
  Breno de Medeiros
Agenda:
  Update on spec edits to close issues
  Open issues
  Breno's "OAuth2 Multiple Response Type Encoding Practices" spec
  Breno's session management rewrite work
  Request object format(s)
Update on spec edits to close issues:
  John edited basic
    To close issues
    Plus additional changes reviewed on last week's call
  Edmund synced standard and messages with these changes
  Edmund trying to reorganize specs so both flows can use request object and request file
    Previously only appeared to work for code flow
    Expect to be done by end of day
    Then Mike will review
  Edmund will identify issues needing working group input before Thursday's call
Open issues:
  Messages has 3 open issues
  Standard has 14
  Basic has 3
  Discovery has 4
  Registration has 1
  Session has 5 (but undergoing extensive rewrite)
  Also some items posted by George may end up as issues as well
    John will go through this and file issues identified
  Discussion about schema for UserInfo endpoint
    Decision on last call to require schema=openid query parameter
    Mike is OK with this, provided we don't define any other schema= values
Breno's "OAuth2 Multiple Response Type Encoding Practices" spec:
  Intended for OAuth response types registrations
  Open issue whether "none" needs to be mentioned in Connect specs or not
    John will review and post results to list
  Breno wants us to be agnostic about response types
    Deferring to the OAuth 2.0 specs
  John pointed out that we need to require id_token in the token flow
  Mike pointed out that achieving interoperability requires using common response types
Breno's session management rewrite work:
  Breno wants to get his new logout write-up done this week
    May write sample code
    Will also vet with browser experts
  Essentially 3 parts of session management: logout, PAPE, immediate mode
    Thinks that display=none (immediate) should go to standard and basic
  Breno thinks that much of session management should be best practices
    PAPE, logout might converge quicker than some parts
    PAPE functionality doesn't require token renewal, etc.
  Possible changes to basic and standard specs corresponding to these rewrites
    Add the checkid_immediate functionality
    Define how to pass an id_token
    Define some error messages that correspond to passing an id_token
    John will do a proposed write-up of what these changes would look like
Request object format(s):
  Edmund asked whether the request object is always a JWT or whether it's sometimes bare JSON
  We decided that interoperability is likely improved by only having one format
    We'll go to implementer's draft with one way and maybe add the other only if developers demand it
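Added example (not part of the meeting notes, nor code from any OpenID Connect spec or implementation): a small Python sketch of what the two decisions above look like in code. The "Request object format(s)" decision is shown as an RP that always serializes the request object as a compact JWT and an OP that accepts only that form and rejects bare JSON outright. John's point from the response types discussion, that the token flow must also require id_token, is shown as a response_type check. HS256 with a shared secret, the exact response_type rules (the allowed vocabulary, "none" standing alone, id_token required when token is requested without code), the function names, the sample claims and the secret are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


class RequestObjectError(ValueError):
    """Raised when a request object is not in the single accepted format or fails a check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_response_type(value: str) -> list:
    """Assumed rules for this example: tokens come from the OAuth multiple-response-type
    vocabulary, 'none' stands alone, and a flow that issues a token without a code
    (the "token" flow raised on the call) must also request an id_token."""
    tokens = value.split()
    allowed = {"code", "token", "id_token", "none"}
    if not tokens or any(t not in allowed for t in tokens) or len(set(tokens)) != len(tokens):
        raise RequestObjectError("malformed response_type: %r" % value)
    if "none" in tokens and len(tokens) != 1:
        raise RequestObjectError("'none' cannot be combined with other response types")
    if "token" in tokens and "code" not in tokens and "id_token" not in tokens:
        raise RequestObjectError("token flow must also request id_token")
    return tokens


def make_request_object(claims: dict, key: bytes) -> str:
    """RP side: always emit the compact JWT serialization, never bare JSON.
    HS256 with a shared secret is an assumption for this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def parse_request_object(value: str, key: bytes) -> dict:
    """OP side: accept only the JWT form. Bare JSON is rejected rather than sniffed
    and accepted, which is the interoperability point of the decision."""
    value = value.strip()
    if value.startswith("{"):
        raise RequestObjectError("bare JSON request object; only the JWT form is accepted")
    parts = value.split(".")
    if len(parts) != 3:
        raise RequestObjectError("request object is not a compact-serialized JWT")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers binascii.Error, JSON and Unicode decode errors
        raise RequestObjectError("undecodable JWT segment") from exc
    # Pin the algorithm before touching the signature; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise RequestObjectError("unsupported alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RequestObjectError("request object signature does not verify")
    if not isinstance(claims, dict):
        raise RequestObjectError("JWT payload is not a JSON object")
    if "response_type" in claims:
        check_response_type(claims["response_type"])
    return claims


# Constructed sample data for the example; a real deployment would never hard-code a secret.
SHARED_SECRET = b"constructed-example-secret"
SAMPLE_CLAIMS = {
    "response_type": "id_token token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
}

if __name__ == "__main__":
    token = make_request_object(SAMPLE_CLAIMS, SHARED_SECRET)
    print("accepted client_id:", parse_request_object(token, SHARED_SECRET)["client_id"])
    try:
        parse_request_object(json.dumps(SAMPLE_CLAIMS), SHARED_SECRET)
    except RequestObjectError as exc:
        print("rejected:", exc)
```

The OP-side parser deliberately has no "if it looks like JSON, accept it anyway" branch: once two formats are tolerated on the receiving side, RPs start relying on whichever one happens to work, which is the interoperability drift the single-format decision is meant to avoid.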