[Openid-specs-ab] Spec Call Notes 23-Apr-20
Mike Jones
Michael.Jones at microsoft.com
Thu Apr 23 15:16:42 UTC 2020
Spec Call Notes 23-Apr-20
Brian Campbell
Tim Cappalli
Mike Jones
John Bradley
Nat Sakimura
George Fletcher
Migration from Mercurial to Git
We've migrated our repository
New Git repository: https://bitbucket.org/openid/connect/
Old Mercurial repository: https://bitbucket.org/openid/connect.mercurial/
There was a permission issue when we tried to assign an issue to Roland
Mike will investigate
OAuth JAR
A new version was published allowing client_id to be passed as a request parameter
There's a clarification of the request_uri parameter requested by the PAR people
John and Nat are working on that change with Torsten
John said that the request_uri always references a JWT
But that if it's not dereferenced, this could be implicit
The current language "points to the Request Object" is probably what people are tripping over
John said we should make it clear that people could push to something and return a URN rather than a location
We could show this in an example
Brian cited several examples in the JAR spec that would make people think that the request_uri always refers to a JWT
George talked about the situation where the AS is both generating the request_uri and consuming it
In that case, other representations than JWTs can be used
John suggested that we say that it must point to a Request Object when it's a locator
and just refers to a representation of a request when it's an identifier
John said that if what's being referred to is not a Request Object, then some of the validation rules may not be right
We might be creating security holes
John: Logical representation of the contents of a Request Object
Brian volunteered to create a PR for JAR to address the perceptions
Then Nat and John and Mike and others can review it
Nat's repository is at https://bitbucket.org/Nat/oauth-jwsreq/src/master/draft-ietf-oauth-jwsreq.xml
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1164 insecure front-channel use of private_key_jwt client authentication
Tried to assign to Roland, following substantial discussion on the list
Mike will investigate the repository permission issue and then do this
#1149 Front-channel logout that doesn't rely on cookies
Placed on hold for now, per discussion on 9-Apr-20 call
#1057 OIDCC appears to override single-use nature of auth code in RFC6749
Marked as won't fix, given that this was an intentional choice
The Certification tests OP-OAuth-2nd and OP-OAuth-2nd-30s cover these behaviors
Next Call
The next working group call is Monday, April 27 at 4pm Pacific Time
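Added example, not part of these notes and not code from the OpenID or IETF projects: a Python sketch of the locator-versus-identifier split for request_uri that John and George describe in the JAR discussion above. An identifier the AS minted itself (here a URN with the urn:ietf:params:oauth:request_uri: prefix that PAR uses) refers to whatever representation the AS stored at push time, so the AS looks it up, binds it to the requesting client, and enforces expiry and single use; a locator must dereference to a Request Object and go through the full JWT checks, and anything else at that location is rejected rather than treated as a bag of parameters. The client id, the HS256 shared key, the redirect URIs and the in-memory "hosted documents" standing in for an HTTPS fetch are constructed for the example; a real AS verifies Request Objects against the client's registered JWKs.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

AS_ISSUER = "https://as.example"                        # assumed AS identifier
PAR_URN_PREFIX = "urn:ietf:params:oauth:request_uri:"   # URN prefix PAR uses
PAR_TTL_SECONDS = 60

# Constructed client registration. HS256 with a shared key keeps the example
# self-contained; a real AS would verify against the client's registered JWKs.
CLIENTS = {
    "s6BhdRkqt3": {
        "request_key": b"constructed-example-key-do-not-reuse",
        "redirect_uris": ["https://client.example/cb"],
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: wrap the authorization request in a signed JWT (a Request Object)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_request_object(jwt: str, client_id: str) -> dict:
    """Request Object checks: registered key signed it, iss/client_id match, aud is this AS."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("invalid_client")
    try:
        h, p, s = jwt.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError as exc:  # covers bad split, bad base64, bad UTF-8 and bad JSON
        raise ValueError("invalid_request_object: not a compact JWS") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("invalid_request_object: malformed header or payload")
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected alg
        raise ValueError("invalid_request_object: unexpected alg")
    expected = hmac.new(client["request_key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("invalid_request_object: bad signature")
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        raise ValueError("invalid_request_object: iss/client_id mismatch")
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("invalid_request_object: wrong audience")
    return claims


class AuthorizationServer:
    def __init__(self, hosted_documents: dict):
        self.par_store = {}             # urn -> (client_id, params, expires_at)
        self.hosted = hosted_documents  # stands in for an HTTPS GET of a locator

    def pushed_authorization_request(self, client_id: str, params: dict, now=None) -> str:
        """PAR endpoint: validate once at push time, store a logical representation, return a URN."""
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("invalid_client")
        if params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_request: unregistered redirect_uri")
        urn = PAR_URN_PREFIX + secrets.token_urlsafe(16)
        self.par_store[urn] = (client_id, dict(params), now + PAR_TTL_SECONDS)
        return urn

    def resolve_request_uri(self, request_uri: str, client_id: str, now=None) -> dict:
        """Authorization endpoint: identifier and locator take different validation paths."""
        now = time.time() if now is None else now
        if request_uri.startswith(PAR_URN_PREFIX):
            # Identifier the AS minted itself: look up its own representation, bind it
            # to the requesting client, then consume it (single use) and check expiry.
            entry = self.par_store.get(request_uri)
            if entry is None:
                raise ValueError("invalid_request_uri: unknown or already used")
            owner, params, expires_at = entry
            if owner != client_id:
                raise ValueError("invalid_request_uri: not issued to this client")
            del self.par_store[request_uri]
            if now > expires_at:
                raise ValueError("invalid_request_uri: expired")
            return params
        # Locator: the referenced document must be a Request Object and gets the full
        # JWT validation; a plain parameter bag at the location is rejected outright.
        document = self.hosted.get(request_uri)
        if document is None:
            raise ValueError("invalid_request_uri: could not dereference")
        return validate_request_object(document, client_id)
```

To exercise it, sign a claims set with sign_request_object, host it under a constructed URL in the dictionary passed to AuthorizationServer, and call resolve_request_uri with that URL; then call pushed_authorization_request and resolve the returned URN. The point the notes raise is visible in the two branches: only the locator branch runs the JWT rules (alg, signature, iss, client_id, aud), and the identifier branch is safe only because the AS did its validation at push time and binds the URN to the client with expiry and single use.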