[Openid-specs-ab] Spec call notes 3-Sep-15
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 3 15:02:33 UTC 2015
Spec call notes 3-Sep-15
Mike Jones
Nat Sakimura
Brian Campbell
John Bradley
Nov Matake
Agenda
Logout
New Issues
Workshop before IIW
Tokyo workshop after IETF 94 Yokohama
Certification
Logout
Nat reported some parties may use SAML because OpenID Connect doesn't have a ratified logout spec
He also said that some enterprise people are inventing home-grown logout specs
Shipping is a feature as well
We still need interop testing on the HTTP-based logout
The back channel logout spec doesn't yet exist
Nat said that some people apparently are using extensions to SCIM for back channel logout
He will try to find references to what those people are doing
Mike expressed that requiring SCIM to do logout seems like unnecessary complexity
For the back channel logout, the OP would send a message to the RP containing the session ID
There could be an ID Token authenticating the sender
Some will want to log out a particular session - others will want to log out all sessions
Back channel logout could be broadly construed - for instance terminating refresh tokens
Nat raised the point about sometimes-connect clients
Nat said that some parties are interested in receiving logout acknowledgements
John said that having some concrete use cases might help
Brian stated that expectations for logout appear to differ dramatically
In theory, PingFederate supports back-channel logout for SAML
But ~90% of integrations don't include the necessary RP support for this
Mobile apps make things even harder
What is the desired behavior for a mobile app?
We can probably say something meaningful for interactive sessions
Mobile applications require the back-channel logout
Things that could be logged out/revoked include:
interactive sessions
immediate access and refresh tokens
cascaded token revocations
native app logins
There could be some kind of an ack back to the server for destroyed objects
Callbacks? This could be a scalability issue.
Callbacks probably should be their own spec, if we ever do it
Brian - implementing SAML logout is really hard and all the options only make it harder!
New Issues
#980 - Where else do we need to specify the use of CORS support?
Brian: Discovery, JWKs endpoint
John: Authorization endpoint - Mike: You're redirecting there so you don't need CORS
John: You may or may not want registration to be open
The origin can do direct calls to the dynamic client registration endpoint
If you want different client IDs for each JavaScript client instance, CORS would have to be supported
Nat: Everything discovery related - including .well-known endpoints
It would be deployment policy about whether registration supports CORS
Mike will add a comment to the bug and will point people to the bug on e-mail
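As an added illustration of the endpoint-by-endpoint reasoning in the #980 discussion above (example code, not from the call or any OpenID Foundation project): a small policy helper that decides which OpenID Provider endpoints should answer browser requests with CORS headers. The endpoint paths, the CorsPolicy field names and the origin values are assumptions for the example; a real OP would use its own routing and policy store.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Endpoints that browser scripts call directly with fetch/XHR, so the browser
# enforces CORS and the OP must send Access-Control headers: discovery documents
# under .well-known and the JWKS endpoint. Paths are illustrative assumptions.
DISCOVERY_PREFIX = "/.well-known/"
JWKS_PATH = "/jwks"
REGISTRATION_PATH = "/register"
# The authorization endpoint is reached by a top-level redirect, not fetch/XHR,
# so the browser performs no CORS check there and no headers are needed.
REDIRECT_ONLY_PATHS = ("/authorize",)


@dataclass(frozen=True)
class CorsPolicy:
    """Deployment policy for the registration endpoint (the notes leave this to
    deployment policy; these field names are assumptions for the example)."""
    registration_open: bool = False
    registration_origins: frozenset = field(default_factory=frozenset)


def cors_headers_for(policy: CorsPolicy, path: str, origin: Optional[str]) -> Dict[str, str]:
    """Return the CORS response headers to add for one request, or {} if none.

    `origin` is the request's Origin header value; None means the header was
    absent (a same-origin navigation or a non-browser client), so no CORS applies.
    """
    if origin is None or any(path.startswith(p) for p in REDIRECT_ONLY_PATHS):
        return {}
    if path.startswith(DISCOVERY_PREFIX) or path == JWKS_PATH:
        # Public, read-only metadata: safe to expose to every origin.
        return {"Access-Control-Allow-Origin": "*"}
    if path == REGISTRATION_PATH:
        # Registration is a JSON POST, so the browser preflights it and needs the
        # method/header allowances in addition to the origin allowance.
        preflight = {"Access-Control-Allow-Methods": "POST, OPTIONS",
                     "Access-Control-Allow-Headers": "Content-Type, Authorization"}
        if policy.registration_open:
            # Open registration: each JavaScript client instance may obtain its own client_id.
            return {"Access-Control-Allow-Origin": "*", **preflight}
        if origin in policy.registration_origins:
            # Restricted registration: echo only listed origins and tell caches
            # that the response varies by Origin.
            return {"Access-Control-Allow-Origin": origin, "Vary": "Origin", **preflight}
        return {}
    # Token, userinfo and other endpoints are outside this example's scope.
    return {}
```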
Workshop before IIW
http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366
Mike told Don to remove Nat from the agenda
Mike will ask Don what "HMG Cabinet Office Chairs" means for HEART, and if it's correct
Tokyo workshop after IETF 94 Yokohama
http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871
Registration is not yet open for that, but there will be an English registration page
Nat translated the Japanese event page to English at http://j.mp/cfp_oid15
Session proposals are due by the end of the month but should be sent earlier
John will cover RISC with help from Adam
Certification
Roland is back from vacation and actively fixing stuff