[Openid-specs-ab] Spec call notes 5-Jan-17

Mike Jones Michael.Jones at microsoft.com
Thu Jan 5 16:16:40 UTC 2017
Spec call notes 5-Jan-17

John Bradley
Mike Jones
Brian Campbell
Phil Hunt
George Fletcher

Agenda
              Certification Update
              Open Issues
              Odd Mobile Apps and SSO Practices
              Next Call

Certification Update
              Roland has refactored the RP certification site to present requirements to testers more clearly
                           It now lets you select a response_type and shows required and optional tests on that basis
              There are now three RP certifications
                           Edmund Jay still has yet to submit his
              New OP certifications
                           Vladimir Dzhuvinov of Connect2id
                           Yahoo! Japan
                           Verizon
              We plan to do a Certification press release in the RSA timeframe - February 13

Open Issues
              #1007 Registration: Client jwks / jwks_uri must not contain private key material
              Core 8.1 Pairwise identifier algorithm and native apps
                           Mike will review as part of the errata work

Odd Mobile Apps and SSO Practices
              Phil ran into a case where developers are swapping ID Tokens for access tokens
              He thought that was odd because it means that authentication is being used for authorization
              The old wisdom about not using OAuth for identity is being ignored by some mobile app developers
              John said that Google documents a practice in which applications don't need to run their own OAuth servers
                           https://developers.google.com/identity/sign-in/web/backend-auth
                           It involves use of a proprietary introspection endpoint
                           Facebook also has similar documentation
              George brought this old blog post that he was pointed to by some developers to our attention
                           https://thewayofcode.wordpress.com/2013/11/25/how-to-secure-your-http-api-endpoints-using-facebook-as-oauth-provider/
              Phil described use cases in which stateless services are desired
                           This is problematic when a device is lost because revocation is needed in that case
              William's forthcoming blog post on these topics is clearly needed

Next Call
              We are cancelling the Monday, January 9th call due to conflicts for several participants
              Our next call will be Thursday, January 19th at 7am Pacific Time