[Openid-specs-ab] Spec call notes 15-Feb-18
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 15 21:55:50 UTC 2018
Spec call notes 15-Feb-18
Mike Jones
Rich Levinson
Roland Hedberg
Pamela Dingle
George Fletcher
Agenda:
Federation Implementation Work
New Python and other RP libraries
OAuth AS Metadata Draft
Open Issues
All Other Business
Federation Implementation Work
Roland reported on implementation work for OpenID Connect Federation
Some pilots are starting
Need RP libraries supporting the federation draft
Roland is doing Python support
Updates to AppAuth for Android and iOS libraries are in progress
Need OPs
Two Finnish developers are working on extensions to Shibboleth
Adding OpenID Connect protocol support
Also adding Federation draft support
Started with Implicit flow; now working on Code flow
Running the certification tests concurrently with development
Proxy
It is possible to proxy between combinations of SAML and OpenID Connect
Developed by a group of people in the Identity Python consortium
For instance, NIH, which creates virtual organizations, is using it
Used in higher education community
Can place in front of a SAML IdP to get a Federation-aware OP
Signing Services
Need services to sign metadata
Roland and an Italian developer are doing this work
Need to have ways to handle lost and compromised keys
Can either have revocation service or short trust lifetime
Working on key rollover at all levels
Handful of Pilots will get started
Want to have dynamic registration in a trusted manner
Not anonymous dynamic registration
ITTF - High Energy Physicists - is an early adopter
Big science projects are many of the first adopters
SWAMID (Swedish federation) will start a pilot in the fall
New Python and other RP libraries
Roland reported on new RP libraries being developed
Google observed that people have difficulty deploying correct RPs
People are often not doing security as they should
For instance, not verifying ID Tokens
Google is sponsoring new libraries that will be certified
Python, Java, JavaScript
They will support not just required tests but also other functionality
For instance, support for request and request_uri
Support for more than just RSA crypto
People should not avoid libraries because they are lacking functionality
By default, libraries will be as secure as possible
For instance, not using "alg":"none"
Roland is the chief designer and implementer of the Python library
Other programmers are implementing the Java and JavaScript libraries
The plan is to finish by the Google I/O conference in the middle of May
They are open source and not the property of Google
The OpenID Foundation and the Connect WG are targeted as hosts for the code
We want to have communities of invested experts who maintain the libraries
George: We want to have communities that actively review PRs and do new releases
For instance, there is a team of four committers on the old Python library
OAuth AS Metadata Draft
Mike still needs to produce an updated draft for the Area Directors
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
No new open issues
Owners are assigned to all current issues
All Other Business
George asked whether people sometimes implement logins without setting cookies
For instance, to allow non-conflicting simultaneous logins with different accounts
Those on the call didn't have experience with doing this
Pam said that if George writes it up she could ask Ping's field deployers about it
George and Rich described situations in which social login results in surprising behaviors
Staying logged into the social IdP even after logging out of the RP
George said you certainly don't want to set persistent cookies on public computers
George asked whether people have integrated Vectors of Trust with OpenID Connect
No one had done this
Pam said that they're working more on continuous authentication, rather than VoT
She'd be interested in seeing integration between those
George asked about getting updated ID Tokens after the initial authentication
Pam suggested possibly using Client-Initiated Backchannel Authentication (CIBA)
Pam recommends that Connect experts read the MODRNA CIBA spec
http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html
Especially because it is returning an ID Token
Open Banking people want to use it to solve headless flows
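The RP-library discussion above lists two things RPs often get wrong: not verifying ID Tokens at all, and accepting "alg":"none". The following is an added example, not code from the call notes or from the Python, Java or JavaScript libraries mentioned there. It is a self-contained ID Token validator that applies the checks an RP must make (algorithm allow-list, key lookup by kid, signature, iss, aud/azp, exp, nonce) and shows an "alg":"none" forgery and a tampered payload being rejected. The issuer URL, client_id, key and the use of HS256 (a symmetric JWS algorithm, so the demo runs offline) are assumptions for illustration; a real RP would also verify the OP's asymmetric algorithms with a JOSE library.

```python
"""Added example: minimal OpenID Connect ID Token verification for an RP.
Not from the call notes or any library discussed there. Assumed values:
issuer, client_id, the demo key and HS256 as the only accepted algorithm."""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # explicit allow-list; "none" is never acceptable


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def mint_id_token(claims: dict, jwk: dict) -> str:
    """Constructed OP side, used only to produce sample tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "." +
                     _b64url_encode(json.dumps(claims).encode()))
    sig = _hs256(signing_input.encode(), _b64url_decode(jwk["k"]))
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, jwks, issuer, client_id, expected_nonce, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none" and any alg the RP did not expect
        raise ValueError(f"unacceptable alg {alg!r}")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no matching key for kid")
    expected = _hs256(f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(key["k"]))
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("aud mismatch")
    if len(aud_list) > 1 and claims.get("azp") != client_id:  # multi-audience rule
        raise ValueError("azp required and must be this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login request
        raise ValueError("nonce mismatch")
    return claims


# Assumed, constructed values for the demo (not a real OP or client).
ISSUER = "https://op.example"
CLIENT_ID = "rp-client"
JWK = {"kty": "oct", "kid": "k1", "k": _b64url_encode(b"constructed-demo-secret-do-not-use")}
JWKS = {"keys": [JWK]}


def demo(now=1_518_732_000):
    """Verify a good token, then show an alg=none forgery and a tampered payload failing."""
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
            "exp": now + 300, "iat": now, "nonce": "n-1"}
    good = mint_id_token(base, JWK)
    results = {"good_sub": verify_id_token(good, JWKS, ISSUER, CLIENT_ID, "n-1", now)["sub"]}
    # Forgery 1: unsigned token with "alg":"none" and an empty signature part.
    forged_none = _b64url_encode(b'{"alg":"none","kid":"k1"}') + "." + good.split(".")[1] + "."
    # Forgery 2: payload changed to another subject, original signature kept.
    tampered = (good.split(".")[0] + "." +
                mint_id_token(dict(base, sub="mallory"), JWK).split(".")[1] + "." +
                good.split(".")[2])
    for name, tok in (("alg_none", forged_none), ("tampered", tampered)):
        try:
            verify_id_token(tok, JWKS, ISSUER, CLIENT_ID, "n-1", now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list is checked before any key lookup or signature work, so a header claiming "none" (or an algorithm the RP never agreed to) never reaches a code path that could be confused by it; the nonce check is what ties the returned token to the authentication request the RP actually made.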