[Openid-specs-ab] Spec call notes 26-Sep-13
Mike Jones
Michael.Jones at microsoft.com
Fri Sep 27 01:39:45 UTC 2013
Spec call notes 26-Sep-13
Mike Jones
John Bradley
Justin Richer
Roland Hedberg
George Fletcher
Edmund Jay
Nat Sakimura
Agenda:
Pre-IIW Meeting
Pre-IETF 88 Meeting
Open Issues
Interop
Implementation of JavaScript apps
Document Restructuring
Pre-IIW Meeting:
Registrations are open at http://openid-wg-oct-2013.eventbrite.com/
We currently have 19 registrations
The agenda includes Account Chooser, OpenID Connect, and Native Applications
Pre-IETF 88 Meeting:
Karen O'Donoghue has a room for OAuth interop the Sunday before IETF 88
John is still working on determining when our time block will be
The MIT OAuth interop was cancelled
Interop planning discussions will be happening
John doesn't think that there will be registration
Mike mentioned the OAuth survey that he took, which identified several profiles other than UMA and OpenID Connect
Open Issues:
Two new issues:
#875 - Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?
Justin supplied language
We agreed to do this
John will add language about the semantics when this parameter is not used
#876 - Google "iss" value missing https://
We discussed two alternatives:
Warning people that Google is non-compliant, but not changing the spec
Allowing the https:// to be omitted, which slightly complicates clients
We agreed that more discussion on this topic is needed
There are now 16 open issues in the tracker
#864 - Native Client code leakage
John and Breno talked about this
Breno wants to just make the proof of possession secret a string
He doesn't like the hash or HMAC way of doing it
Breno suggested another call to the token endpoint
That would avoid either side having to do crypto
Nat will make some revisions to his proposal
#863 - Stateless dynamic registration
John and Breno talked about this
Breno understands how he could do stateless dynamic registration
He will think about it for a few days and get back to John
Breno also said that their session management implementation may have differences
It's all wrapped up in the Google Identity Toolkit
Breno will investigate
#872 - Opbs is unclear
Nat still needs to follow up with Breno for a clarification
Interop:
We still don't know of any Session Management interop that's occurred
John suggested that we might want to have Google add AAD support to GITKIT
Including session management
Edmund expects to have his session management code ready for testing today
Roland may be able to look at it in the next few days
Roland has been working on updating his RP code
In a way that would allow JavaScript login pages to be used
Implementation of JavaScript apps:
Mike asked how people are doing signature validation in JavaScript only RPs
John said that the client has a direct https connection to the Authorization Endpoint
If you trust the https, then you're probably OK without checking the signature
Justin said that if you pass the token on to another party, you'd still need to check the signature
Mike said that apparently Facebook and Google have introspection endpoints for this case
John commented that they may not actually be adding much value
Document Restructuring:
Mike finished the request and request_uri merger from Messages and Standard
The result is released as http://openid.net/specs/openid-connect-core-1_0-12.html
The next step is reordering the content along the lines of Nat's draft
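The "iss" handling debated under #876 (strict https:// as the spec requires, versus tolerating an issuer value with the scheme omitted), as an added example that is not part of these notes or of any participant's code. The ID Tokens below are constructed, unsigned test fixtures; the issuer URLs and the function names are assumptions made for the example, and a real RP must verify the JWS signature before trusting any claim.

```python
"""Issuer ("iss") check for an OpenID Connect ID Token, covering the
"https:// omitted" case discussed under issue #876.

Added example, not code from the working group or any participant.
Tokens are constructed here (alg "none", no signature) purely to carry
sample claims; the signature is NOT verified, which a real RP must do
(and it must also refuse alg "none") before trusting the payload.
"""
import base64
import json


class IssuerMismatch(Exception):
    """The ID Token's iss claim does not identify the configured OP."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned ID Token fixture (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token: str) -> dict:
    """Decode the claims of a compact-serialised JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three-part JWS compact serialisation")
    return json.loads(_b64url_decode(parts[1]))


def normalise_issuer(iss: str, allow_missing_scheme: bool) -> str:
    """Return iss in canonical https://... form or raise IssuerMismatch.

    Strict mode (spec as written): iss must already start with https://.
    Lenient mode (alternative 2 from the call): a value with no scheme
    at all is treated as https://<value>. Any other scheme, http://
    included, is rejected in both modes.
    """
    if iss.startswith("https://"):
        return iss
    if "://" in iss:
        raise IssuerMismatch(f"iss {iss!r} uses a scheme other than https")
    if not allow_missing_scheme:
        raise IssuerMismatch(f"iss {iss!r} lacks the https:// scheme")
    return "https://" + iss


def validate_issuer(token: str, expected_issuer: str,
                    allow_missing_scheme: bool = False) -> str:
    """Check the token's iss against the issuer the RP was configured with.

    Returns the accepted issuer string or raises IssuerMismatch. The
    comparison is an exact string match after normalisation: no
    case-folding and no trailing-slash trimming, so a token minted by a
    different OP (or a look-alike host) is rejected.
    """
    if not expected_issuer.startswith("https://"):
        raise ValueError("configured issuer must be an https:// URL")
    iss = jwt_payload(token).get("iss")
    if not isinstance(iss, str) or not iss:
        raise IssuerMismatch("ID Token carries no iss claim")
    got = normalise_issuer(iss, allow_missing_scheme)
    if got != expected_issuer:
        raise IssuerMismatch(f"iss {got!r} != configured {expected_issuer!r}")
    return got


def accepts(token: str, expected_issuer: str,
            allow_missing_scheme: bool = False) -> bool:
    """True if validate_issuer accepts the token, False on IssuerMismatch."""
    try:
        validate_issuer(token, expected_issuer, allow_missing_scheme)
        return True
    except IssuerMismatch:
        return False


# Constructed fixtures: an assumed OP issuer and four sample iss values.
ISSUER = "https://accounts.example.com"
SPEC_TOKEN = make_unsigned_token({"iss": ISSUER, "sub": "alice"})
SCHEMELESS_TOKEN = make_unsigned_token({"iss": "accounts.example.com", "sub": "alice"})
HTTP_TOKEN = make_unsigned_token({"iss": "http://accounts.example.com", "sub": "alice"})
LOOKALIKE_TOKEN = make_unsigned_token({"iss": "accounts.example.com.evil.test", "sub": "alice"})

if __name__ == "__main__":
    for name, tok in [("spec", SPEC_TOKEN), ("schemeless", SCHEMELESS_TOKEN),
                      ("http", HTTP_TOKEN), ("lookalike", LOOKALIKE_TOKEN)]:
        print(f"{name:10s} strict={accepts(tok, ISSUER)!s:5s} "
              f"lenient={accepts(tok, ISSUER, True)}")
```

The lenient branch is the "slight complication" for clients mentioned on the call: one extra case in the normalisation, plus the obligation never to let that leniency widen into accepting http:// or a host that merely starts with the expected name.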