[Openid-specs-ab] Spec call notes 1-Sep-16
Mike Jones
Michael.Jones at microsoft.com
Thu Sep 1 16:31:17 UTC 2016
Spec call notes 1-Sep-16
Mike Jones
Prateek Mishra
Phil Hunt
John Bradley
Agenda
Effects of disabling of 3rd party browser cookies
Open Issues
Progressing Front-Channel and Back-Channel Logout
Certification Update
Next Call
Effects of disabling of 3rd party browser cookies
The OP is loading RP iframes
The iframe will load but because the OP is the origin, the RP won't be able to clear the session cookie
We don't think there are any workarounds
If there were workarounds, advertisers, etc. could use them for tracking cookies
Mike will ask the Microsoft folks who have implemented this about their experience
This is tracked in issue #1003:
Document possible impacts of disabling third-party cookies on front-channel logout
Mike will take a stab at writing text for the front-channel logout spec
Back-channel logout and the session management approach still work with 3rd party cookies disabled
Open Issues
#1003: Document possible impacts of disabling third-party cookies on front-channel logout
Discussed above
#1002: Clarify meaning of exp claim in ID Token
John suggests that we add "from the OpenID Provider" to the wording.
Phil suggests that we say somewhere that this is unrelated to session lifetime.
... not intended to set limits on or be related to session lifetime.
Mike will take a stab at revised wording.
#1000: Logout Token has wrong mandatory field (sub vs. jti)
"jti" is unique per JWT to prevent replay
The Session ID will be the same across multiple ID Tokens for the session
The topic really is what does an RP need to know to make use of logout
Phil said that some RPs may not be doing personalization and may not care about "sub"
We're already letting RPs that need Session IDs require them
The front-channel logout typically doesn't need a Session ID (but RPs can ask for them)
We're trying to have the two approaches be as parallel as possible
Phil is interested in always having a Session ID
John is interested in not always having a Subject and instead using a Session ID
It should be configurable by the client like Session ID
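Added example, not part of the call notes or of any OpenID Foundation code: an RP-side check of a Logout Token's claims, written to show the distinction the #1000 discussion turns on. "jti" is per token and is what the RP remembers to refuse a replay; "sid" repeats across the ID Tokens of one session and is what the RP matches against its own session store; "sub" alone ends every session for that user, so an RP that asked for Session IDs can insist on "sid" (the require_sid flag) while an RP that does not personalize can work from "sid" alone. The issuer, client id, claim values and the in-memory session store are constructed for the example, and the token is assumed to have had its signature verified before these claims are examined.

```python
import time

# Event key that marks a JWT as a Back-Channel Logout Token.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class JtiCache:
    """Remembers accepted "jti" values so a captured Logout Token cannot be
    replayed. Entries are forgotten after `ttl` seconds (600 is an assumed
    value, chosen to exceed the iat window accepted below)."""

    def __init__(self, ttl=600):
        self.ttl = ttl
        self._seen = {}  # jti -> time first accepted

    def check_and_add(self, jti, now):
        for stale in [k for k, t in self._seen.items() if now - t > self.ttl]:
            del self._seen[stale]
        if jti in self._seen:
            return False
        self._seen[jti] = now
        return True


def validate_logout_token(claims, *, issuer, client_id, jti_cache,
                          now=None, require_sid=False, max_age=300):
    """Check the claims of an already signature-verified Logout Token.

    Returns the keys the RP can use to locate sessions ("sub" and/or "sid").
    Raises ValueError with the reason on any failure. The jti is recorded
    only after every other check passes, so a malformed token does not
    burn a jti value."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("aud does not contain this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("iat missing or too old")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim missing the back-channel logout event")
    if "nonce" in claims:
        raise ValueError("nonce present: this looks like an ID Token, not a Logout Token")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti missing")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise ValueError("neither sub nor sid present: nothing to match sessions on")
    if require_sid and sid is None:
        raise ValueError("sid required by this RP but absent")
    if not jti_cache.check_and_add(jti, now):
        raise ValueError("jti already seen: replay")
    return {k: v for k, v in (("sub", sub), ("sid", sid)) if v is not None}


def logout_token_error(claims, **kwargs):
    """The rejection reason as a string, or None if the token is accepted."""
    try:
        validate_logout_token(claims, **kwargs)
        return None
    except ValueError as e:
        return str(e)


def end_sessions(sessions, keys):
    """sessions: the RP's own store, here a list of dicts with "id", "sub", "sid".
    A "sid" ends exactly that session (and must agree with "sub" if both are
    given); a bare "sub" ends every active session for that user. Returns
    the ids of the sessions ended."""
    ended = []
    for s in sessions:
        if not s.get("active", True):
            continue
        if "sid" in keys:
            hit = s["sid"] == keys["sid"] and s["sub"] == keys.get("sub", s["sub"])
        else:
            hit = s["sub"] == keys["sub"]
        if hit:
            s["active"] = False
            ended.append(s["id"])
    return ended


if __name__ == "__main__":
    OP, RP = "https://op.example", "rp-client-id"  # assumed identifiers
    now = 1_700_000_000
    token = {  # constructed claims
        "iss": OP, "aud": RP, "iat": now, "jti": "lt-1",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
        "sub": "alice", "sid": "sess-1",
    }
    sessions = [  # constructed RP session store
        {"id": "a1", "sub": "alice", "sid": "sess-1"},
        {"id": "a2", "sub": "alice", "sid": "sess-2"},
        {"id": "b1", "sub": "bob", "sid": "sess-3"},
    ]
    cache = JtiCache()
    keys = validate_logout_token(token, issuer=OP, client_id=RP, jti_cache=cache, now=now)
    print("ended:", end_sessions(sessions, keys))
    print("replay:", logout_token_error(token, issuer=OP, client_id=RP, jti_cache=cache, now=now))
```

The order of checks matters in practice: the jti is recorded last so that an attacker cannot consume a legitimate token's jti by submitting a copy with a bad audience, and the nonce check catches an ID Token being passed off as a Logout Token, since an ID Token carries the same iss, sub, aud, iat and sid claims.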
Progressing Front-Channel and Back-Channel Logout
After one more round of cleanups, we should probably hold implementer's draft votes for these specs
People should be reviewing the drafts now
Certification Update
Mike has reviewed the test lists in Roland's RP testing code
They appear to be ready to go for Basic, Implicit, Config, and Dynamic
Three new tests (which should be easy to implement) are needed for Hybrid
Mike is working with Roland on creating updated testing instructions
The structure of the tests changed during CIS based on feedback from Hans Zandbelt
Mike will send them out for review probably next week
We appear to be on track for having some launch certifications in time for the Internet Identity Workshop
Next Call
Our next call will be Wednesday, Sep 7 at 4pm Pacific because that Monday is Labor Day in the US