[Openid-specs-ab] Spec Call Notes 27-Aug-20
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 27 18:14:03 UTC 2020
Spec Call Notes 27-Aug-20
Brian Campbell
Tim Cappalli
Mike Jones
Oliver Terbu
Tom Jones
Kristina Yasuda
George Fletcher
Markus Sabadello
Bjorn Hjelm
Joseph Heenan
John Bradley
logout_hint Proposal
Issue #1182 - Add logout_hint parameter to RP-Initiated Logout request
https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated
Mike gave background in the issue
George observed that the login_hint is truly a hint, whereas logout_hint might not be
Mike reminded people that OPs are expected to ask the user if they really want to log out
Mike reminded people that it's legal to request a logout without any user selection parameters
George doesn't see much danger in adding additional user selection parameters if there's user interaction involved
Mike thinks that adding logout_hint and sid parameters would be fine session selection inputs
Post-logout redirection should only happen to RPs that have recently been logged in and to registered post_logout_redirect_uri values
Mike said that client_id doesn't help for user selection, whereas sid does
John said that we haven't said that sids can't be specific to particular client_ids
Mike said we're already requiring them to be unique within the OP in Backchannel Logout
John said we should say that elsewhere where relevant
Mike will add the sense of the discussion on this call to the issue
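As an added illustration of the points made above (this is example code written for these notes, not code from the working group or from any OP implementation), the following sketch shows how an OP could treat logout_hint and sid purely as session-selection inputs, still ask the user to confirm, and restrict post-logout redirection to clients that are logged in to the selected session and to exactly registered post_logout_redirect_uri values. The client and session records, identifiers and URLs are constructed in-memory stand-ins.

```python
"""OP-side handling of an RP-Initiated Logout request (added example).

Encodes the sense of the call: logout_hint and sid only narrow down which
session is meant, the user is still asked to confirm, and the OP redirects
only to a client that is logged in to that session and only to a URI that
exactly matches one the client registered. All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    post_logout_redirect_uris: list  # registered values, matched exactly


@dataclass
class Session:
    sid: str           # OP session identifier, unique within the OP
    logout_hint: str   # the user's login identifier at the OP (hypothetical format)
    logged_in_clients: set = field(default_factory=set)


# Constructed sample data (hypothetical client ids and URLs)
CLIENTS = {
    "rp-a": Client("rp-a", ["https://rp-a.example/logged-out"]),
    "rp-b": Client("rp-b", ["https://rp-b.example/bye"]),
}
SESSIONS = {
    "sess-1": Session("sess-1", "alice@op.example", {"rp-a"}),
    "sess-2": Session("sess-2", "alice@op.example", {"rp-b"}),
    "sess-3": Session("sess-3", "bob@op.example", {"rp-a", "rp-b"}),
}


def select_sessions(sid=None, logout_hint=None):
    """sid selects exactly one session; logout_hint is a hint and may match several.
    With no selection input at all, every session is a candidate and the user picks."""
    if sid is not None:
        session = SESSIONS.get(sid)
        return [session] if session else []
    if logout_hint is not None:
        return [s for s in SESSIONS.values() if s.logout_hint == logout_hint]
    return list(SESSIONS.values())


def allowed_redirect(client_id, post_logout_redirect_uri, session):
    """Return the URI to redirect to, or None. Only a client logged in to this
    session may receive a redirect, and only to an exactly registered URI
    (no prefix or substring matching)."""
    client = CLIENTS.get(client_id)
    if client is None or client_id not in session.logged_in_clients:
        return None
    if post_logout_redirect_uri in client.post_logout_redirect_uris:
        return post_logout_redirect_uri
    return None


def handle_logout(client_id=None, sid=None, logout_hint=None,
                  post_logout_redirect_uri=None, user_confirmed=False):
    """Process one logout request; returns a dict describing the outcome."""
    candidates = select_sessions(sid=sid, logout_hint=logout_hint)
    if not candidates:
        return {"status": "no_session", "redirect": None}
    # Ambiguous selection, or no confirmation yet: ask the user before doing anything.
    if len(candidates) > 1 or not user_confirmed:
        return {"status": "confirmation_required",
                "sessions": sorted(s.sid for s in candidates), "redirect": None}
    session = candidates[0]
    redirect = None
    if client_id is not None and post_logout_redirect_uri is not None:
        redirect = allowed_redirect(client_id, post_logout_redirect_uri, session)
    SESSIONS.pop(session.sid, None)  # terminate the OP session
    return {"status": "logged_out", "sid": session.sid, "redirect": redirect}


if __name__ == "__main__":
    print(handle_logout(logout_hint="alice@op.example", user_confirmed=True))
    print(handle_logout(sid="sess-3", client_id="rp-b",
                        post_logout_redirect_uri="https://rp-b.example/bye",
                        user_confirmed=True))
```

Note that a logout_hint matching two of Alice's sessions yields confirmation_required rather than logging either out, and that a redirect URI differing from the registered value by even a query string is refused.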
Aggregated Claims Draft
The adopted draft hasn't been posted yet
OpenID Virtual Workshop, Monday, October 19th
It will be prior to the virtual IIW
Topics scheduled include working group, federation, and certification updates
The group thought that we should add a SIOP update to the agenda
Certification
We are on track to decommission the Python-based testing suite at end of the month
We've sent notices about this to mailing lists and those who have certified in the past
We notified them that they need to wrap up their testing with it and move to the Java-based suite
We will take the new suite out of pilot mode in September, after the old one is decommissioned
At that point, we will resume charging for Connect certifications
Joseph said that we've gotten a bunch of certification requests using the new suite in the past two weeks
We have certifications for all the certification profiles except for RP Config, RP Dynamic, RP Form Post, and RP Back-Channel Logout
Mike will ping Roland about trying those
Introductions
Markus Sabadello
Danube Tech in Vienna, Austria
Worked on OpenID for a long time, including early OpenID 2.0 implementations
Active in self-sovereign identity
An editor of the DID core spec in W3C
A fan of Oliver's SIOP work
Oliver Terbu
At Consensys in Germany
Active in self-sovereign identity
Active in Decentralized Identity Foundation (DIF)
A chair of DID Auth WG in DIF
Here because this group is working on SIOP again
Has proposed modifications to help use SIOP in a more efficient way
SIOP
Mike summarized some of the discussions from the previous call for the new participants
We could introduce a level of indirection, like we used to have with XRDS
The indirection value could be a stable "sub" identifier for the RP to use
Indirection would enable key rollover
Tobias Looker had proposed using a URI as the "sub" value
This URI could be a DID
It could be a URL for an OpenID Federation Entity Statement
We can differentiate between existing sub values and new ones because URIs have a colon in them
Tom and Tobias are working on a proposal
https://github.com/KantaraInitiative/DistributedAssurance/blob/master/OpenID%20Self%20Issued%20Identifier.md
Section 5.2 talks about Subject Identifiers
Oliver: DIF proposal currently uses a different claim than "sub" for the DID
Oliver: Thinks that Tobias' motivation was primarily token issuance, rather than the ID Token
Oliver plans to write a document and share it with the working group to discuss on a future call
George observed that Tom has a use case that requires a persistent identifier for the user
George thinks that that would be better as a unique claim
Tom said that in healthcare, there won't be a single identifier ever
You have to go through a medical record locator process
Each health identifier exchange uses a different identifier for the person
In healthcare, we have to assume that we'll never have a single identifier for the person
George said that it's up to the deployment what kinds of subject identifiers to use
Tom discussed redirection methods
If we have the level of indirection, we could specify redirection methods other than openid:// in the discovery document
George asked if we want to just break the "sub" value and require it to be a URI
John suggested that we could define a URI value to encode the JWK Thumbprint
Tobias had suggested the same thing in a different call
We should determine how much deployment there is of the existing SIOP specification
Mike believes that there may be deployments in Japan
John believes that Nat knows about this
George pointed out that having prototypes is quite different from having production deployments at scale
Tobias has the OpenID Connect Credential Provider document
Tom asked others in the DID community to look at his document
Tom asked if a next step was for the working group to adopt his document
(We ran out of time and didn't discuss that question)
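As an added example of the "sub" discussion above (written for these notes; not code from the working group, DIF, or any SIOP implementation), the following verifier-side check computes the RFC 7638 JWK Thumbprint that the existing SIOP specification uses as "sub" (bound to the "sub_jwk" claim), and uses the colon test mentioned on the call to tell such a value apart from a URI-style sub such as a DID or an Entity Statement URL. URI subs are only classified as needing resolution through the indirection layer; no resolution is performed. The EC key and the DID are constructed sample values, and the `check_sub_binding` helper is a hypothetical name.

```python
"""Classifying and checking a SIOP "sub" value (added example).

The existing SIOP spec sets "sub" to the base64url JWK Thumbprint (RFC 7638)
of the "sub_jwk" claim. A base64url thumbprint never contains a colon, while
every URI does, so a DID or URL used as "sub" can be told apart by that
character alone. Sample key below is constructed, not a real identity.
"""
import base64
import hashlib
import json

# RFC 7638 / RFC 8037: members that go into the thumbprint, hashed in
# lexicographic order with no whitespace. Optional members (use, alg, kid)
# are deliberately left out so the thumbprint is stable across them.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample key (P-256 coordinates taken as opaque strings)
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256", "use": "sig",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def canonical_jwk(jwk: dict) -> str:
    """Minimal JSON of the required members, keys sorted, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url (unpadded) SHA-256 of the canonical JWK, per RFC 7638."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def classify_sub(sub: str) -> str:
    """'thumbprint' for a legacy SIOP sub, otherwise the kind of URI."""
    if ":" not in sub:
        return "thumbprint"
    if sub.startswith("did:"):
        return "did"
    if sub.startswith("https://"):
        return "url"
    return "uri"


def check_sub_binding(id_token_claims: dict) -> dict:
    """Decide whether 'sub' is bound to a key the verifier can check now.

    Thumbprint subs are bound iff they equal the thumbprint of sub_jwk.
    URI subs (DID, URL) need resolution to the keys they identify, which is
    the indirection step discussed on the call and is not performed here."""
    sub = id_token_claims["sub"]
    kind = classify_sub(sub)
    if kind == "thumbprint":
        sub_jwk = id_token_claims.get("sub_jwk")
        bound = sub_jwk is not None and jwk_thumbprint(sub_jwk) == sub
        return {"kind": kind, "bound": bound, "needs_resolution": False}
    return {"kind": kind, "bound": False, "needs_resolution": True}


if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    print(tp, check_sub_binding({"sub": tp, "sub_jwk": SAMPLE_JWK}))
    print(check_sub_binding({"sub": "did:example:123abc"}))
```

The thumbprint check deliberately ignores the optional "use" member in the sample key, which is what lets a key holder add or drop such members without changing their "sub"; a verifier that hashed the whole JWK object would break that stability.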
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
(We ran out of time so no additional open issues were discussed)
Next Call
The next working group call is Monday, August 31 at 4pm Pacific Time
This is the call primarily devoted to SIOP issues