[Openid-specs-ab] Spec Call Notes 13-Aug-20
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 13 15:20:09 UTC 2020
Spec Call Notes 13-Aug-20
Tim Cappalli
Brian Campbell
Mike Jones
Tom Jones
Filip Skokan
Joseph Heenan
George Fletcher
Bjorn Hjelm

OAuth JAR
Being discussed on the IESG Telechat right now
There were no objections from the IESG - just comments
(Nat and John are on the Telechat right now)
They achieved approval with AD follow-up
Nat needs to respond to the comments
Brian wanted security considerations prohibiting use of the "sub" with a Client ID value
Since that would allow repurposing the JWT for client authentication
Some of the ADs asked for an explanation of why explicit typing was not included
We could optionally allow explicit "typ" typing with the defined MIME type, but not require it
Nat requested that people create a PR addressing the AD comments
https://bitbucket.org/Nat/oauth-jwsreq/src/master/draft-ietf-oauth-jwsreq.xml
Mike volunteered

Adopting RP-Initiated Logout Spec
No objections were raised, so the spec is now adopted

Aggregated Claims Draft
No objections were raised, so the spec is now adopted

"alg":"none" and Certification
Joseph asked about the Certification suite requiring the use of alg:none in some cases
Certification passes "request" values using alg:none
Certification passes "request_uri" values using alg:none
The certification suite doesn't ever require unsigned ID Tokens, which are allowed for response_type=code
Filip suggests using whatever algorithm is available
The metadata can indicate support for none or not
request_object_signing_alg_values_supported
The spec says "Servers SHOULD support none and RS256."
Mike asserted that it's an interop issue if none is not supported
George made an analogy to supporting open dynamic client registration
As a security decision, AOL wouldn't want to deploy it that way, even though certification requires it
Mike asserted that there's not a security issue with using unsigned Request Objects
Joseph countered that the issue is having support for none in the underlying JOSE library at all
Joseph asked about passing raw JSON rather than an unsigned JWT
Mike said that that isn't supported by the spec
Joseph asked about using PAR instead
Mike said that it's not a standard yet and there's not support for it in Connect today
Filip suggested making the unsigned Request Object tests optional
Bjorn agreed with Filip's comments
Brian said that alg:none has given JOSE an unduly bad name
He thought that certifying should not require support of alg:none
Nat thinks that certifying without supporting alg:none should be OK
Mike suggested having two sets of Request Object tests - one for none and one for RS256
Mike would still like to test none, when available
Joseph said that the unsigned one can go to a skipped state if none isn't listed in the metadata
We agreed to hand this off to the certification team to work out the details of the implementation change
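The two server-side checks discussed above, Brian's JAR security consideration (reject a Request Object whose "sub" equals the Client ID, since it could be repurposed for client authentication) and the metadata-driven decision on whether alg:none is acceptable, as an added Python example that is not from the working group, the certification suite or any OpenID project. It assumes the JAR typ value "oauth-authz-req+jwt" for explicitly typed objects and uses constructed metadata and claims; signature verification for signed algorithms is left to the caller.

```python
import base64
import json
from typing import Tuple

# typ value the JAR draft registers for explicitly typed Request Objects (assumed here).
JAR_TYP = "oauth-authz-req+jwt"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_request_object(claims: dict) -> str:
    """Build an alg:none Request Object (empty signature segment), as the certification suite sends."""
    segments = [json.dumps({"alg": "none"}).encode(), json.dumps(claims).encode()]
    return ".".join(_b64url_encode(s) for s in segments) + "."


def screen_request_object(jwt: str, client_id: str, metadata: dict) -> Tuple[bool, str]:
    """Policy gate applied before signature verification. Returns (accepted, reason);
    for a signed object the caller must still verify the signature with the named alg."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return False, "malformed header or payload"
    alg = header.get("alg")
    # Only algorithms advertised in request_object_signing_alg_values_supported are
    # acceptable, so "none" is honoured only when the server explicitly lists it.
    supported = metadata.get("request_object_signing_alg_values_supported", [])
    if alg not in supported:
        return False, f"alg {alg!r} not advertised in metadata"
    if alg == "none" and parts[2] != "":
        return False, "alg none with a non-empty signature segment"
    # Explicit typing is optional, but when present it must be the JAR media type.
    if "typ" in header and header["typ"] != JAR_TYP:
        return False, f"unexpected typ {header['typ']!r}"
    # A Request Object whose sub equals the client_id could be replayed as a
    # client-authentication JWT, so it is rejected regardless of signature.
    if claims.get("sub") == client_id:
        return False, "sub equals client_id (reusable for client authentication)"
    if alg == "none":
        return True, "accepted unsigned Request Object"
    return True, f"policy checks passed; verify signature with {alg}"
```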

logout_hint Proposal
Issue #1182 - Add logout_hint parameter to RP-Initiated Logout request
https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated
George said that the login_hint should never bypass the person entering credentials
He said that the ID Token is more secure
Brian said that the use of the ID Token in backwards flows is problematic
He said that their implementation doesn't have a place to store the ID Token
Mike said that the logout_hint would only be used to select among logged-in sessions
The user would still be asked whether they want to log out or not
George reminded us that we have a sid parameter on Back-Channel but not Front-Channel
He said that if we add parameters, we should make sure to cover all the use cases
We ran out of time to finish the discussion
Mike suggested that people add comments to the issue

Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
(We ran out of time so no additional open issues were discussed)

Next Call
The next working group call is Monday, August 17 at 4pm Pacific Time
This is the call primarily devoted to SIOP issues