[Openid-specs-ab] Spec Call Notes 10-Oct-19
Joseph Heenan
joseph at authlete.com
Mon Oct 14 20:23:00 UTC 2019
Hi George,
It may well be included/referenced as a pattern that can be used for OAuth/OpenID Connect in the implementation advice document the FAPI WG are working on.
There was discussion on the call last week around including something about app2app in a new draft of BCP 212 OAuth 2.0 for Native Apps, but I'm not too sure of how that actually happens and if I can help with that.
There wasn't a huge appetite on the call for standardising the first party app <-> idp protocol. I still need to read up on webauthn and try to figure out if that is usable in this context.
Thanks
Joseph
> On 14 Oct 2019, at 20:51, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> I missed this meeting due to the missing calendar entry. What are the next steps with app2app flow? Are we going to produce a spec or "best practice" for this method?
>
> Thanks,
> George
>
> On 10/10/19 11:39 AM, Mike Jones via Openid-specs-ab wrote:
>> Spec Call Notes 10-Oct-19
>>
>> Mike Jones
>> Joseph Heenan
>> Rich Levinson
>> Brian Campbell
>> Nat Sakimura
>> John Bradley
>> Torsten Lodderstedt
>>
>> Calendar
>> - This call isn't in the OpenID Foundation calendar anymore
>> - Nat fixed this during the call
>>
>> App2App
>> - Joseph described his App2App application
>> - See https://josephheenan.blogspot.com/2019/08/implementing-app-to-app-authorisation.html
>> - It doesn't change the protocol at all
>> - The app claims the authorization endpoint
>> - It improves completion rates, using biometrics instead of things users remember
>> - This is different from George's NativeSSO spec, which shares a keychain within a company's apps
>>   - This works across applications from different companies
>> - Brian said that it would be inappropriate to specify an app to back end protocol
>>   - We shouldn't impose restrictions on how login occurs
>>   - But advice on how to accomplish the pattern would be useful
>> - John said that there could be security issues
>> - John said that you could do this with WebAuthn
>>   - There's a fair amount of overlap
>>   - You can do it in native applications too
>>   - For instance, there's an Android API
>>
>> OAuth JAR
>> - John will do an update and then contact the area director
>>
>> OpenID Connect for Identity Proofing
>> - We're in the middle of the 45-day review period
>> - https://openid.net/2019/09/19/public-review-period-for-openid-connect-for-identity-assurance-specification-started/
>> - Torsten plans to add a Japanese verification method in a new revision
>>
>> - Torsten believes that we could get broader participation by having an Identity Verification working group
>> - He also might want to make the specification more modular
>>
>> Federation
>> - The Federation spec was discussed at IIW among Connect and R&E people
>> - Roland Hedberg explained a change to the use of .well-known to make it more parallel to Discovery
>> - Mike has promised Roland a review of the changes
>> - After we publish the next draft, it's probably time for a second Implementer's Draft
>>
>> Sign In with Apple
>> - Don posted the follow-up letter thanking Apple for correcting their implementation
>> - https://openid.net/2019/09/30/apple-successfully-implements-openid-connect-with-sign-in-with-apple/
>>
>> Open Issues
>> - https://bitbucket.org/openid/connect/issues?status=new&status=open
>> - #1116 Returning end user claims in id token
>>   - Closing since the question was answered in the comments
>> - #1115 how should the OP behave when a claim is requested but not understood
>>   - Assigned to Mike
>> - #1114 Several doubts about value in individual claim requests (5.5.1)
>>   - Assigned to Mike
>> - #1113 IANA discrepancy with error code "account_selection_required"
>>   - Mike will make sure that it is registered in the Errata draft updates
>> - #1112 Register openid to the well-known URI scheme IANA registry
>>   - Nat to edit the issue to remove the well-known URI reference and add RFC 7595
>>   - We will do this, since there is increasing interest in the self-issued OP functionality from the self-sovereign identity crowd
>>   - Nat or Mike should probably be the person to make the registration request
>> - #1110 [Identity Assurance] Giving null and/or empty strings special meanings might bring about difficulties in implementations
>>   - This is substantive. We should address it after the Implementer's Draft is approved.
>>   - Also see #1109, which is on the same topic
>>
>> SURFnet OpenID Connect Proxy Certification Issues
>> - We ran out of time to continue discussing this
>>
>> Next Call
>> - The next call is Monday, October 14 at 4pm Pacific Time
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
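The App2App pattern summarised in the quoted notes (the IdP's own app claims the authorization endpoint, the OS hands it the unchanged OpenID Connect request, the user authenticates with biometrics, and the code comes back to the RP app's claimed redirect URI), as an added Python sketch that is not part of this thread or of Joseph's implementation. The host names, app ids, the `VERIFIED_APP_LINKS` registry and the `run_flow` driver are constructed assumptions standing in for the OS's verified app-link lookup.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of verified app links (hypothetical hosts). An OS routes an https URL
# to a native app only when that app's claim on (host, path) was verified; else a browser opens it.
VERIFIED_APP_LINKS = {
    ("idp.example", "/authorize"): "com.example.idp",  # IdP app claims its own authz endpoint
    ("rp.example", "/callback"): "com.example.rp",     # RP app claims its redirect URI
}

def route(url):
    """Return the app id that handles url, or 'browser' when no verified claim exists."""
    p = urlsplit(url)
    if p.scheme != "https":  # custom schemes cannot be verified, so any app could claim them
        return "browser"
    return VERIFIED_APP_LINKS.get((p.hostname, p.path), "browser")

def pkce_pair():
    """RFC 7636 S256 verifier/challenge; binds the returned code to this RP app instance."""
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(state, challenge):
    """An ordinary OpenID Connect authorization request: app2app does not change it."""
    return "https://idp.example/authorize?" + urlencode({
        "response_type": "code", "client_id": "rp-app", "scope": "openid",
        "redirect_uri": "https://rp.example/callback", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})

def idp_app_respond(url, user_authenticated):
    """IdP app side: authenticate the user (e.g. biometrics) and redirect back to the RP."""
    q = parse_qs(urlsplit(url).query)
    result = {"code": "constructed-code"} if user_authenticated else {"error": "access_denied"}
    return q["redirect_uri"][0] + "?" + urlencode({**result, "state": q["state"][0]})

def rp_callback(url, expected_state):
    """RP app side: accept a code only when state matches the pending request."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None
    return q["code"][0]  # next step (not shown): exchange it with the PKCE verifier

def run_flow(user_authenticated=True):
    """Drive one app2app round trip; returns (authz handler, callback handler, code)."""
    state, (verifier, challenge) = secrets.token_urlsafe(16), pkce_pair()
    authz_url = build_authorization_url(state, challenge)
    callback_url = idp_app_respond(authz_url, user_authenticated)
    return route(authz_url), route(callback_url), rp_callback(callback_url, state)
```

The routing check is what keeps the hand-off safe: only https URLs with a verified claim reach a native app, and unverifiable custom-scheme URLs fall back to the browser, so the same request and callback handling work whether or not the IdP app is installed.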