[Openid-specs-ab] Spec call notes 19-Jan-17
Mike Jones
Michael.Jones at microsoft.com
Thu Jan 19 16:36:16 UTC 2017
Spec call notes 19-Jan-17
John Bradley
Mike Jones
Roland Hedberg
Phil Hunt
George Fletcher
Brian Campbell
Rich Levinson
Nat Sakimura

Agenda
- Certification Update
- Backchannel Logout
- Logout Implementer's Draft Votes
- AppAuth Fork
- Federation Spec
- Open Issues
- Next Call

Certification Update
- There are 4 RP certifications
- Nov Matake is also testing now
- Roland has deployed the new OP test tool on a virtual machine
- Ping is testing
- Edmund Jay has completed testing for NRI. The signatures are still needed.

Backchannel Logout
- Mike published an updated Backchannel Logout spec
- It is in sync with the current SecEvents spec
- It now allows either "sub" or "sid" or both
- It also removes some cut-and-paste text about the backchannel_logout_uri
- We can say that unless a "sid" is present, the intent is to log out all sessions at that RP
- We can say that logout may involve clearing or revoking additional state associated with the session, such as security tokens
- Phil suggested that we do this in the security considerations
- George described different kinds of logouts that could be performed
- We should say that the messages originate from the OP and the OP may have done other cleanups as part of the logout
- RP-initiated logout is triggered by a different message, which applies to all logout messages
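To make the "sub"/"sid" rule and the token-cleanup point from the discussion above concrete, here is an added example of an RP-side back-channel logout handler. It is not code from the spec, the call, or any of the participants' projects. The required-claims checks follow the Back-Channel Logout draft's Logout Token (iss, aud, iat, jti, events, sub and/or sid, and no nonce); everything else is an assumption constructed for the example: the OP issuer https://op.example, the client_id rp-client-id, an HS256 shared secret in place of the OP's asymmetric key and JWKS, the in-memory RpSessionStore, and the sample sessions and tokens built inside demo().

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values. A real OP signs logout tokens with its asymmetric key,
# verified against its JWKS; HS256 with a shared secret is used here only so
# the example runs offline on the standard library.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"
ISSUER = "https://op.example"   # assumed OP issuer
CLIENT_ID = "rp-client-id"      # assumed RP client_id, expected in "aud"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_logout_token(claims):
    """OP-side helper (constructed): mint an HS256 logout token for testing."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_logout_token(token, now=None):
    """RP-side check: signature first, then the claims a logout token must carry.
    Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected alg; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    if not claims.get("jti"):
        raise ValueError("missing jti")
    if LOGOUT_EVENT not in (claims.get("events") or {}):
        raise ValueError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub or sid")
    if "nonce" in claims:  # keeps an ID Token from being replayed as a logout token
        raise ValueError("nonce must not be present")
    return claims

class RpSessionStore:
    """In-memory RP session store (constructed for the example)."""
    def __init__(self):
        self.sessions = {}        # local session id -> session record
        self.revoked_tokens = []  # tokens discarded/revoked as part of logout

    def add(self, local_id, sub, sid, access_token=None, refresh_token=None):
        self.sessions[local_id] = {"sub": sub, "sid": sid,
                                   "access_token": access_token, "refresh_token": refresh_token}

    def apply_logout(self, claims):
        """Rule from the call: a "sid" targets that one OP session (the "sub" must
        agree if both are present); without a "sid", end every session at this RP
        for the "sub". Returns the local ids that were terminated."""
        def matches(s):
            if "sid" in claims:
                return s["sid"] == claims["sid"] and s["sub"] == claims.get("sub", s["sub"])
            return s["sub"] == claims["sub"]
        targets = sorted(k for k, s in self.sessions.items() if matches(s))
        for k in targets:
            s = self.sessions.pop(k)
            # Clear the extra state tied to the session (the security-considerations
            # point from the call): drop the RP's copies of the user's tokens.
            self.revoked_tokens.extend(t for t in (s["access_token"], s["refresh_token"]) if t)
        return targets

def demo():
    """Constructed run: one logout by "sid", then one by "sub" alone."""
    store = RpSessionStore()
    store.add("local-1", "alice", "sid-A", "at-1", "rt-1")
    store.add("local-2", "alice", "sid-B", "at-2", "rt-2")
    store.add("local-3", "bob", "sid-C", "at-3")
    base = {"iss": ISSUER, "aud": CLIENT_ID, "iat": 1484843776, "events": {LOGOUT_EVENT: {}}}
    by_sid = make_demo_logout_token({**base, "jti": "jti-1", "sub": "alice", "sid": "sid-A"})
    by_sub = make_demo_logout_token({**base, "jti": "jti-2", "sub": "alice"})
    ended_sid = store.apply_logout(verify_logout_token(by_sid, now=1484843800))
    ended_sub = store.apply_logout(verify_logout_token(by_sub, now=1484843800))
    return {"ended_by_sid": ended_sid, "ended_by_sub": ended_sub,
            "remaining": sorted(store.sessions), "revoked": store.revoked_tokens}
```

Calling demo() ends only local-1 for the token that carries "sid": "sid-A", then ends local-2 (alice's remaining session) for the token that carries only "sub", leaving bob's session untouched; the access and refresh tokens of both ended sessions land in revoked_tokens for the RP to discard or revoke at the OP. A production handler would additionally track seen "jti" values to reject replayed logout tokens and resolve the OP's signing key from its JWKS.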

Logout Implementer's Draft Votes
- Mike proposes that we start a one-week review process for implementer's draft votes for the logout specs
- We should include Session Management in the bundle

AppAuth Fork
- Mike Schwartz described an AppAuth fork he had made
- John said that there are Google-specific things in the example app - not in the mainline code
- Nat thinks that it's just Google-specific URLs - not Google-specific APIs
- John said that there is also the use of a Google configuration shortcut in the example app
- Others could submit pull requests to enable configuration with other OPs
- Nat thinks we may need to dig a little deeper
- Mike Schwartz pointed out that the AppAuth code is not validating the ID Token signature
- George thought that we should merge that in
- John said that AppAuth is code flow only, so this isn't a security risk per se
- John said that we should do this in the client
- John said that Adam Dawes was worried about lazy developers who might pass a validated ID Token to a server that then would not validate it
- John thought that we should still check it in the client and also check it other places it is passed
- Mike Jones said that this is about communication within the app and that we might want to document best practices for that pattern
- If Mike Schwartz made a pull request for the signature validation across platforms, we would appreciate that
- John said that there is interest in an AppAuth version for the Windows Universal Platform

Federation Spec
- Roland reported that a number of parties are starting pilots using the current federation draft
- There's one in Europe, one in the US, and one in Australia/New Zealand
- The Kantara Otto working group is also using the draft
- The metadata statements have lifetimes on them - usually related to the signature lifetimes
- There isn't currently a way to revoke them
- There isn't a globally unique identifier for an entity, which some want for accounting purposes
- John said that we have issuer for OPs - this is only a problem for RPs
- Having this would let you do revocation based on a blacklist of entity IDs
- Roland is also writing tests for the draft

Open Issues
- There are no new open issues

Next Call
- The next call is Monday, January 23rd at 3pm Pacific