[Openid-specs-ab] Spec call notes 17-Dec-12
Mike Jones
Michael.Jones at microsoft.com
Tue Dec 18 00:17:55 UTC 2012
Spec call notes 17-Dec-12
Mike Jones
Brian Campbell
John Bradley
Nat Sakimura
Edmund Jay
Tony Nadalin
Justin Richer
Pamela Dingle
Agenda:
Native Client Test Application
Open Issues
Inconsistency between user_id and prn
Allowing Multiple Audiences in JWTs
WebFinger
Native Client Test Application:
Pam did a demo of the native client test application
It currently has IdPs hard-coded rather than doing discovery (which will come later)
Pam and Edmund will try to get this to work with Edmund's OP as a second OP then release it
Pam and Justin will also try to get it working with Mitre's OP
Open Issues:
We reviewed the two new open issues
#688 Registration 2.1: Accept header in example should be Content-Type
#687 Messages - Add 'prn' claim to id_token to support JWT Assertion
Inconsistency between user_id and prn
Per issue #687 (Messages - Add 'prn' claim to id_token to support JWT Assertion),
currently ID Tokens can't be OAuth JWT Assertions because they identify the
subject with the "user_id" claim rather than the "prn" claim
There was agreement that this inconsistency is harmful and that it needs to be fixed
The same claim name should be used in both cases
Potential claim names discussed were prn, sub, sbj, id, and who
"prn" could be used without requiring changes to the JWT and JWT Assertions specs
For that reason, "prn" was the working group's preferred claim name choice
Mike will describe this decision to the working group and interop list and solicit feedback
Allowing Multiple Audiences in JWTs:
We had a discussion of allowing multiple audiences in tokens
SAML allows multiple values (and adds and/or semantics as well)
Brian's proposal is to allow multiple audiences in the "aud" claim via array values
In OAuth, an access token might be usable at multiple resource servers
Brian will file an issue and send a note to the OAuth list
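As an added illustration of what the array-valued "aud" proposal means for a verifier (this is example code written for these notes, not code from the working group, Brian's proposal, or any OpenID implementation): the check that matters is that a relying party or resource server only accepts a token whose "aud" names it, whether "aud" is a single string or an array of strings, and rejects anything else. The key, issuer, subject and audience values are constructed for the demo; the subject is carried in "prn" as the call preferred. The later JWT RFC 7519 settled on exactly this string-or-array shape for "aud".

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not from the call notes: mint and verify an HS256 JWT whose
# audience check accepts both shapes under discussion, a single string "aud"
# and an array of audiences, and refuses a token not intended for this verifier.
# The key, issuer, subject and audience values used below are constructed.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact JWS using HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def audience_matches(aud_claim, expected: str) -> bool:
    """True only if this verifier's identifier is named by the aud claim.
    A string must equal it; an array must contain it; any other shape fails."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list) and all(isinstance(a, str) for a in aud_claim):
        return expected in aud_claim
    return False


def verify_hs256_jwt(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims if signature, audience and expiry all check out;
    raise ValueError otherwise. Signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "aud" not in claims:
        raise ValueError("aud claim missing")
    if not audience_matches(claims["aud"], expected_aud):
        raise ValueError("token not intended for this audience")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment uses a random key
    token = make_hs256_jwt(
        {
            "iss": "https://op.example",
            "prn": "alice",
            "aud": ["https://rs1.example", "https://rs2.example"],
            "exp": 2000000000,
        },
        key,
    )
    # Accepted at either listed resource server, refused anywhere else.
    print(verify_hs256_jwt(token, key, "https://rs2.example"))
    try:
        verify_hs256_jwt(token, key, "https://other.example")
    except ValueError as err:
        print("rejected:", err)
```

The point of `audience_matches` is that array support does not loosen the check: a resource server still compares only against its own identifier, so a token minted for two servers is usable at both but at nothing else, and an "aud" of the wrong type is rejected rather than ignored.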
WebFinger:
WebFinger will be HTTPS only, per http://www.ietf.org/mail-archive/web/webfinger/current/msg00303.html
This was the last technical issue standing in the way of Connect using WebFinger
We will put a note in the implementer's drafts that SWD will probably be replaced with WebFinger
We will do the same with the OAuth Registration draft