[Openid-specs-ab] OpenID Connect Federation Design
Mike Schwartz
mike at gluu.org
Mon Aug 6 19:02:31 UTC 2018
Andreas,
Nice work... I like the direction this is going.
Maybe JavaScript public clients are just not deserving of trust! Browser
beware!
But it would be nice to have a trust model for mobile applications.
I like your idea about the RP endpoint residing at some Internet
reachable, stable URI. I think that's a good idea, because public
clients are generally backed by APIs anyway.
The conversation about "in scope" versus "out of scope" is also
interesting. It should be more clear what's in scope. And judging from
the discussion, there was some disagreement. Maybe something that could
be out of scope (for example federation metadata) is actually solvable.
I think the work done by GTRI on trust marks is really interesting:
https://trustmark.gtri.gatech.edu/concept/
And building in support for this could help to distribute some of the
trust management, which seems to be one of the goals of this effort.
I'll try to make myself available those days for the meeting too,
especially if there is an agenda published, and I might be useful for a
change.
- Mike