[Openid-specs-ab] Spec call notes 26-Mar-15
Mike Jones
Michael.Jones at microsoft.com
Thu Mar 26 14:54:57 UTC 2015
Spec call notes 26-Mar-15
John Bradley
Brian Campbell
Nat Sakimura
Mike Jones
Edmund Jay
Justin Richer
Roland Hedberg
Agenda
Open Issues
UserInfo access passing access token in the body
Google not wanting to support max_age and auth_time
JOSE/JWT/OAuth Assertions specs status
Open Issues
#123: redirect_URI tests still reporting wrong results.
John will close as resolved
No other issues were immediately pertinent to certification
Mike has placed two issues not needed for v1 certification on hold
UserInfo access passing access token in the body
It's a MAY in 6750
This is there to enable JavaScript clients and others which may not be able to add an Authorization header
Let's make this a WARNING rather than an ERROR now
In v2, we should probably add this to the Dynamic profile as required
Roland will make this a warning and send a note to the list when it's done
Google not wanting to support max_age and auth_time
Possibly reply asking if they can return an auth_time that actually reflects when the user authorized/was in possession of the device
User presence signal that doesn't require a password
Such as a native application on a mobile device
A screen unlock is a valid user presence indicator
But device authentication time is a different semantic, which could be added, but it's different
Reauthentication may make more sense in the context of a particular action by the user
Real-time consent for an action, as a step-up action, rather than just re-login
Then the user has context for the action
Mike will send a response asking for more discussion
JOSE/JWT/OAuth Assertions specs status
These have exited RFC Editor "EDIT" status
They are now in "RFC-EDITOR" status: Undergoing final internal review before AUTH48
This means the authors will soon be asked to verify that the edited specs are correct
This is called AUTH48 because authors are supposed to respond within 48 hours
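
The UserInfo item above refers to the form-encoded body parameter in RFC 6750 section 2.2. As an added example (not part of the original notes or of the certification test suite), here is one way a UserInfo endpoint could accept the token from either the Authorization header or the body; the names `extract_bearer_token` and `TokenError` and the sample requests are assumptions made for illustration.

```python
from urllib.parse import parse_qs


class TokenError(Exception):
    """Hypothetical error type; maps to RFC 6750 'invalid_request' (HTTP 400)."""


def extract_bearer_token(method, headers, body=b""):
    """Return the access token carried by a request, or None if there is none.

    headers is a dict of header name -> value; names are matched case-insensitively.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = []

    # RFC 6750 section 2.1: "Authorization: Bearer <token>"
    scheme, _, credentials = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        found.append(credentials.strip())

    # RFC 6750 section 2.2: the body parameter counts only when the request is
    # form-encoded, is not a GET, and the body is entirely ASCII.
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "GET" and ctype == "application/x-www-form-urlencoded":
        try:
            params = parse_qs(body.decode("ascii"))
        except UnicodeDecodeError:
            raise TokenError("form body is not ASCII")
        values = params.get("access_token", [])
        if len(values) > 1:
            raise TokenError("access_token parameter repeated")
        found.extend(values)

    # Clients must not use more than one method in a single request.
    if len(found) > 1:
        raise TokenError("token sent by more than one method")
    return found[0] if found else None


if __name__ == "__main__":
    # Constructed sample requests.
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    print(extract_bearer_token("GET", {"Authorization": "Bearer abc123"}))
    print(extract_bearer_token("POST", form, b"access_token=abc123"))
```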