[Openid-specs-ab] Spec call notes 6-Mar-17
Mike Jones
Michael.Jones at microsoft.com
Tue Mar 7 00:08:06 UTC 2017
Spec call notes 6-Mar-17
Mike Jones
Brian Campbell
Edmund Jay
Rich Levinson
Nat Sakimura
John Bradley

Agenda
Discussions about Session State
IETF Security Events (secevent) Discussions
Threat Document about the Misuse of OAuth
Open Issues
Next Call
RISC Logout Discussions

Discussions about Session State
Rich referred us to Section 3 of Session Management, which defines session_state
http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
One aspect of Rich's question is whether different RP instances share a session_state value
We talked about the distinction between local RP session state management (which has no protocol messages)
and global session state management, which involves messages between OPs and RPs
Rich was confused by the first sentence of Section 3, which talks about how sessions start
The session actually starts with actions by the RP, the OP, and then the RP
A fresh login can occur either because the user was logged out at the OP or because the RP uses prompt=login
Edmund pointed out that the max_age parameter can also be used to trigger a fresh-enough login
Rich will write up any places he finds the spec to be ambiguous for the list
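To make the fresh-login discussion above concrete, here is an added example (not code from the Session Management spec or from anyone on the call) of how an RP might check the auth_time claim of an ID Token against its max_age policy and, when the login is stale, build the authentication request that sends the user back to the OP using either prompt=login or max_age. Claim values and the client_id / redirect_uri are constructed for the example.

```python
import time

# Constructed sample ID Token claims (only the fields this example needs).
SAMPLE_ID_TOKEN_CLAIMS = {"sub": "user-123", "iat": 1_000_000, "auth_time": 1_000_000}


def login_is_fresh_enough(id_token_claims, max_age, now=None):
    """Return True if no more than max_age seconds have passed since auth_time.

    OpenID Connect Core requires the OP to include auth_time when the RP sent
    max_age, so a missing auth_time is treated as a failed check, not a pass.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        return False
    return (now - auth_time) <= max_age


def authentication_request_params(client_id, redirect_uri, *, force_login=False, max_age=None):
    """Build the query parameters for an authentication request at the OP.

    prompt=login forces the OP to re-authenticate even if it has a live
    session for the user; max_age asks the OP to re-authenticate only when
    the last authentication is older than max_age seconds.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if force_login:
        params["prompt"] = "login"
    if max_age is not None:
        params["max_age"] = str(max_age)
    return params


def next_step(id_token_claims, max_age, client_id, redirect_uri, now=None):
    """Return None if the current login is acceptable, else the request to send."""
    if login_is_fresh_enough(id_token_claims, max_age, now):
        return None
    return authentication_request_params(client_id, redirect_uri, max_age=max_age)


if __name__ == "__main__":
    # Ten minutes after authentication, with a five-minute policy: re-authenticate.
    print(next_step(SAMPLE_ID_TOKEN_CLAIMS, 300, "rp-example", "https://rp.example/cb", now=1_000_600))
```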

IETF Security Events (secevent) Discussions
There are currently discussions on the id-event@ietf.org mailing list that are pertinent to Back-Channel Logout
Subscribe at https://www.ietf.org/mailman/listinfo/id-event
Some of these are about the format of the Security Event Token (SET)
Outcomes of some of these discussions could cause breaking changes relative to Back-Channel Logout
For instance, one person is advocating requiring duplicating information in the JWT into the event object
This would be a breaking change
Some of these outcomes could also unnecessarily make SETs more complicated than they need to be
Because we have a dependency on the SET spec, Connect WG members are encouraged to also participate in the SET discussions

Threat Document about the Misuse of OAuth
The article that prompted this discussion is https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20.pdf
William doesn't have the bandwidth to lead this. He's willing to review a document if one is written.
Nat asked if there are notes about our thoughts on this
Mike responded that this came up on about 4 Connect calls - he thinks in December and January
The call notes contain a summary of our discussions
Nat agreed to look at the call notes to see if there's enough there for someone to start writing this up

Open Issues
There are no new open issues

Next Call
The next call is Thursday, March 16th at 7am Pacific Time

RISC Logout Discussions
John reports that Adam Dawes was describing an account reset action as part of Google's RISC use cases
Possibly because an account was compromised
There's a need to get attackers completely out of the account in this case
For instance, invalidating all access, refresh, and ID tokens
Mike observes that account reset is likely to do some of the same actions as logout but also more
For instance, account reset needs to always invalidate logins at native apps that were logged in
John believes that this may be a boundary case that Connect wants to also track
We should think about whether this is an extension of logout or something distinct