[Openid-specs-ab] Connect Working Group Meeting at Google 22-Oct-12
Mike Jones
Michael.Jones at microsoft.com
Tue Oct 23 00:52:46 UTC 2012
Connect Working Group Meeting at Google 22-Oct-12
Attendees:
Tim Bray - Google identity team - developer facing
Naveen Agarwal - Google identity tem
Mike Jones - Microsoft identity standards and policy team
Brian Campbell - Ping Identity
Chuck Mortimore - Salesforce
George Fletcher - AOL
Adam Dawes - Google identity team
Breno de Medeiros - Google identity team
Chunlei Niu - Google identity team
Axel Nennker - Deutsche Telekom
Andreas Leicher - Novalyst IT
Mike Schwartz - Gluu
Scott Kern - Identity at Verizon
John Elkaim- BlueID
Alex Chong - Verizon
Brian Berliner - Symantec, personal
Morteza Ansari
Edmund Jay - Illumila
Tom Brown
Greg Keegstra - Janrain
Lucy Lynch - Internet Society
Amanda Anganes - Mitre
Justin Richer - Mitre
Johnny Bufu - Janrain
Don Thibeau - OpenID Foundation executive director
IPR Reminder
Introductions
Agenda Discussion
Session Management
Session management open issues
#650 Session - Dependency on Third Party Cookies
Agreed that no means to fix this, short of new browser technology
#605 Session Sec 2 - op_logout_url description
Needs clarification in the spec
#634 Session 5 - Re-redirection to RP after the OP logout, or no redirection logout
Agreed that need continue URL, including possibility of continuing if user chooses not to logout
#635 Session - 4.1 Format of hash and salt
Lots of discussion - to be continued at IIW
Breno gave an overview of Session Management
They want all validation to occur within the OP frame
#595: Discovery 2 - No means of discovery without web server for domain
Possibilities:
DNS based solution
Can be hard for administrators to do
Can be hard for clients to use - DNS lookup may not be available
A lot of DNS registrars don't expose SRV records
Agreement that this is not a viable solution
Broker aggregator
Delegate to trusted third party
Somewhat analogous to Account Chooser
Domain prefix
simple-web-discovery.example.com or
simple-web-discovery.well-known.example.com
Agreed that we should publish a SWD draft with this approach
#604: All - Create a MTI section
OpenID request object for claims requests MTI
RSA signing mandatory to implement
Johnny said that this effectively makes discovery MTI
John Bradley said that cert could be communicated out of band
Justin and Tim said that discovery and registration are needed for "cold boot" case
Discussion moved to the distinction between the "open" case and the "cold" case
We agreed that the userinfo endpoint is required for the open cases and optional for the closed case
Breno said that we may want a discovery error saying that static registration is required
People didn't think that requiring signing the userinfo response
OPs can ignore acr if they don't understand it
preferred_locales is MTI, in the sense that it must not throw an exception
#633: Messages - 4.2 JWK and X509 format support
OPs must support X.509
We should work with JOSE to ensure that self-signed certs are supported
#601: Standard - No way of doing IdP initiated login defined
Justin proposed a flow that adds an OP -> RP message that then starts the normal login flow
Breno said that that mitigates session fixation attacks but not XSRF attacks
John proposed to just send a response message (like SAML)
It would have a special state value saying that this is an IdP-initiated login
Breno pointed out that the security details matter
#668: Messages,Multi Response - Cope with bloating id_token_hint in self-issued cases
People still don't like having another OAuth response_type
They thought that multiple id_token response types was worse
Chuck suggested a profile for push messaging to the phone to retrieve claims
People agreed that the current solution is at least a local maximum, and to leave it as-is
#636: JWT - intermediate audience claim
Breno proposed a requested audience parameter
Google's ID tokens contain an audience and a client_id
The requested audience is used to request a different audience than the client_id
This is rooted in the fact that most providers require the client_id for web and mobile clients to be different
Breno suggested we may need rules for when it's safe to accept an ID token issued to a mobile client
John asserted that this is a bad pattern
We will discuss this more at IIW
#539: Messages - 0. Add scope for offline access
We adopted George's proposal
We invite continued review
#656: Discovery - 4.2 Provider Configuration File does not specify what optional parameters the server accepts
We do want optional functionality to be discoverable
#653: Registration - 2.1 policy_url SHOULD be displayed?
Justin added that if you can't trust the source of the privacy URL, it doesn't add any value
We will leave this a SHOULD
Naveen said that the policy URL should be different from the terms of service URL
#628: Discovery 3.2 - need a strict JSON structure
This pertains to the different layers of MTI
In the "open" case, some parameters will be required
Chuck suggested different terminology than "open"
Amanda suggested possibly "dynamic"
Lucy suggested "negotiated"
John suggested "out-of-band"
#667: Registration - Restructuring
This seems OK
Sessions to hold at IIW:
Session management parameters
On-behalf-of / delegation
Hybrid applications (mobile applications with a web back end)
Intermediate audience claim / multi-level application security
IdP initiated login
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20121023/4541f6d7/attachment.html>
More information about the Openid-specs-ab
mailing list