[Openid-specs-ab] Spec Call Notes 2-Jul-20
Mike Jones
Michael.Jones at microsoft.com
Thu Jul 2 15:31:15 UTC 2020
Spec Call Notes 2-Jul-20
Nat Sakimura
Mike Jones
Tom Jones
Tim Cappalli
Bjorn Hjelm
Joseph Heenan
John Bradley
OAuth JAR
Nat submitted -25 adding require_signed_request_object
He asked the AD Ben Kaduk to send it back to the IESG
Events
The SIOP Virtual Meetup was last week
105 attendees
The event recording was sent out to attendees
We want to have a second SIOP Virtual Meetup in a pacific-friendly timeslot
We're thinking two hours starting with the OpenID Connect call timeslot
4pm Pacific Time, July 20 / July 21 Asia/Pacific
FDX-OIDF Workshop
11am Eastern Time, July 21
Related to FAPI
Possible topics include security and certification
OSW 2020
July 21-24
https://barcamptools.eu/oauth-security-workshop-2020/events
Data minimization in the context of a UserInfo request
Request from eKYC-IDA working group
See http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200622/007835.html
and https://bitbucket.org/openid/ekyc-ida/issues/1185/
The ask is for a signal to only return the requested claims (and not all authorized claims)
Nat points out that SIOP has the same data minimization situation
We could define a claims parameter like _only_requested_claims
Or we could define a new request parameter like only_requested_claims
Nat instead advocates having a query parameter at the resource to restrict the set of claims returned
He said that we could reuse the claims request syntax
John said that this could make sense in a signed response
In this model, the authorization server would authorize a full set of claims
and the set actually returned could be down-scoped at the resource server
John points out that for self-issued, all the claims are already coming back in the signed ID Token
Nat said that the use case he's thinking of is third-party claims providers
He said that these could be normal UserInfo style resources
Mike pointed out that for response_type=id_token there is no UserInfo Endpoint
So the information would have to be sent directly to the Authorization Server
Nat is interested in querying claims providers to provide specific information for the response
Edmund's draft enables queries like this
Edmund's draft uses a different endpoint than the UserInfo Endpoint
This would be an additional specification
Tom has other use cases for healthcare information
John thinks that trying to reuse the UserInfo Endpoint could add more confusion than having a separate endpoint
This is really a backchannel data exchange and not a request from the client
We should involve Torsten and Mark Haine in the discussion
Federation Specification
New draft uses either signed request objects (JAR) or pushed authorization requests (PAR) for client authentication of automatic registration requests
https://openid.net/2020/07/01/openid-connect-federation-draft-incorporating-feedback-from-first-interop-event/
Certification
We want people to run the old and the new test suites and get free certifications
This will give us actionable feedback on the new test suite
See https://openid.net/certification/migration/
Nat suggested that we send an e-mail to those who had certified in the past
Mike Jones will follow up with Don and Mike Leszcz
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
(We ran out of time before covering open issues)
Next Call
The next working group call is Monday, July 6th at 4pm Pacific Time
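As an added illustration of the data-minimization option discussed above (resource-side down-scoping using the Core claims-request syntax), the following Python sketch is example code written for these notes, not code from the OpenID Foundation or any working-group draft. It assumes a hypothetical `claims` query parameter on a UserInfo-style resource, and a constructed set of claims that the Authorization Server has already authorized for the presented token; the parameter name, the "sub is always returned" policy and the handling of essential versus voluntary claims are all assumptions for illustration.

```python
"""Resource-side claims down-scoping (illustrative example, not OIDF code).

Models the option raised on the call: the Authorization Server authorizes a
full set of claims, and the resource narrows what it returns using a `claims`
query parameter that reuses the OpenID Connect Core claims-request syntax.
The parameter name and the filtering policy are assumptions.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: what the AS authorized for the presented access token
# (in practice this would come from the token itself or from introspection).
AUTHORIZED_CLAIMS = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "email": "janedoe@example.com",
    "email_verified": True,
    "birthdate": "1970-01-01",
    "address": {"locality": "Anytown", "country": "US"},
}


class ClaimsRequestError(ValueError):
    """Raised when the claims query parameter is malformed or unsatisfiable."""


def parse_claims_request(raw):
    """Parse the `userinfo` member of a claims-request JSON object.

    Returns {claim_name: {"essential": bool}}.  Malformed shapes are rejected
    rather than ignored, so a client cannot bypass the filter with garbage.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ClaimsRequestError("claims parameter is not valid JSON") from exc
    if not isinstance(obj, dict) or not isinstance(obj.get("userinfo"), dict):
        raise ClaimsRequestError('claims parameter must contain a "userinfo" object')
    requested = {}
    for name, spec in obj["userinfo"].items():
        if spec is None:
            requested[name] = {"essential": False}
        elif isinstance(spec, dict):
            requested[name] = {"essential": bool(spec.get("essential", False))}
        else:
            raise ClaimsRequestError(f"invalid specification for claim {name!r}")
    return requested


def downscope(authorized, requested):
    """Return only the requested claims that were actually authorized.

    The resource can narrow but never widen the AS's authorization: a claim
    that was requested but not authorized is never added.  `sub` is always
    included because a UserInfo response must carry it.  A missing essential
    claim is surfaced as an error; a missing voluntary claim is simply omitted.
    """
    out = {"sub": authorized["sub"]}
    for name, spec in requested.items():
        if name in authorized:
            out[name] = authorized[name]
        elif spec["essential"]:
            raise ClaimsRequestError(f"essential claim {name!r} not authorized")
    return out


def userinfo_response(request_url, authorized=AUTHORIZED_CLAIMS):
    """Simulate the resource endpoint.

    No `claims` parameter -> the full authorized set (today's behaviour).
    With `claims`            -> the minimized set (the option under discussion).
    """
    query = parse_qs(urlsplit(request_url).query)
    if "claims" not in query:
        return dict(authorized)
    if len(query["claims"]) != 1:
        raise ClaimsRequestError("claims parameter given more than once")
    return downscope(authorized, parse_claims_request(query["claims"][0]))


def rejected(request_url):
    """True if the resource refuses the request (used for negative checks)."""
    try:
        userinfo_response(request_url)
    except ClaimsRequestError:
        return True
    return False


if __name__ == "__main__":
    full = userinfo_response("https://rs.example/userinfo")
    minimal = userinfo_response(
        'https://rs.example/userinfo?claims={"userinfo":{"email":null,"name":{"essential":true}}}'
    )
    print("full      :", sorted(full))
    print("minimized :", sorted(minimal))
```

Note that this only covers the UserInfo-style resource case; as Mike pointed out, with `response_type=id_token` there is no UserInfo Endpoint, so any minimization would have to be applied by the Authorization Server when it builds the ID Token.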