[Openid-specs-ab] Spec Call Notes 18-Jun-20
Mike Jones
Michael.Jones at microsoft.com
Thu Jun 18 15:54:51 UTC 2020
Correction - Filip Skokan was not present on the call.
-- Mike
From: Mike Jones
Sent: Thursday, June 18, 2020 8:49 AM
To: 'openid-specs-ab at lists.openid.net' <openid-specs-ab at lists.openid.net>
Subject: Spec Call Notes 18-Jun-20
Spec Call Notes 18-Jun-20
Mike Jones
Tim Cappalli
Tom Jones
Brian Campbell
Bjorn Hjelm
Joseph Heenan
App2App Certification
Described at https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/
Certification for App2App pattern with FAPI being launched
Mainly for UK banking apps at present
Joseph described that the app claims the authorization endpoint's URL
OpenID Connect flows then open the local application
For instance, could be used with FaceID
Increases success rate
Relevant in banking use cases where you are authorizing a payment
This is the same pattern as the mobile applications BCP [RFC 8252]
To certify, run your application on Web, iOS, and Android
There are no new specs for this
It just uses existing specs in a mobile context
Joseph wants to know whether people have done this with pure OpenID Connect, rather than FAPI
OpenID Connect implementations tend to use long-lived SSO sessions instead
Joseph will be presenting on this at Identiverse and the OAuth Security Workshop
https://identiverse.com/detailed-agenda/#session=app2app-improving-the-third-party-authorization-user-experience-on-mobile
https://barcamptools.eu/oauth-security-workshop-2020/events/0d0423b6-5924-4e6f-8b3b-63edbbe0ae59#sessions
OAuth JAR
Nat sent the reply to Brock Allen
Per issue #1171, Nat still needs to add require_signed_request_object
Then he will ask area director Ben Kaduk to advance the spec
Event Announcements
Nat is organizing a virtual meeting for Self-Issued Identity Provider implementations
Register at https://www.eventbrite.com/e/siop-virtual-meetup-tickets-109986695166
7:00 AM - 9:00 AM Pacific Time June 25
General admission is already sold out
There are more slots for OIDF members
OIDF members with general admission tickets are encouraged to cancel them and register as OIDF members
OIDF is organizing an OpenID workshop during the virtual OAuth Security Workshop
https://barcamptools.eu/oauth-security-workshop-2020/events
This will be July 21
Joseph will be talking about certification tools
Nat may be talking about FAPI
Contact Don Thibeau for details
Certification
The migration from the Python suite to the Java suite is in progress
See https://openid.net/certification/migration/
We're encouraging new submissions to run both test suites now
Even if you have an existing certification, please run both now to get a free new one!
We're still missing OP logout tests and 3rd Party-Initiated login tests, but the rest are there
Federation Interop
Roland Hedberg ran a Federation interop last week
There were three implementations participating
Roland's, GÉANT, Connect2ID
A report on the Interop will be sent to the working group
Mike will be speaking about the Federation spec at Identiverse
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1176 backchannel logout spec doesn't have requirement that 'sid' in id_token & logout_token match
Mike to investigate and propose language
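The check behind issue #1176, written out as an added example (it is not from these notes and not OIDF or any implementer's code): a relying party validates a decoded Back-Channel Logout token and only ends a session when the token's 'sid' names a session it actually holds for that issuer and, if 'sub' is also present, that 'sub' is the one recorded for the session at login. The token's signature is assumed to have been verified already and its claims decoded into a dict; the SESSIONS records, the client_id value and the function names are constructed for the example.

```python
"""Validate an OpenID Connect Back-Channel Logout token against stored RP sessions.

Added example. Assumes the logout token JWS signature has already been verified
and the payload decoded into a dict of claims.
"""
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample data: the ID Token claims the RP retained for each session.
SESSIONS = {
    "sess-42": {"iss": "https://op.example", "sub": "user-7", "sid": "sess-42"},
    "sess-43": {"iss": "https://op.example", "sub": "user-7", "sid": "sess-43"},
    "sess-99": {"iss": "https://other-op.example", "sub": "user-7", "sid": "sess-99"},
}
SEEN_JTI = set()  # replay cache; a real RP would expire entries after max_age


def _aud_contains(aud, client_id):
    # aud is either a single string or a list of strings
    return client_id in (aud if isinstance(aud, list) else [aud])


def sessions_to_terminate(claims, client_id, sessions=None, seen_jti=None,
                          now=None, max_age=300):
    """Return the ids of the RP sessions this logout token authorises ending.

    Raises ValueError if the token is malformed, stale, replayed, or does not
    match a session held for the issuing OP.
    """
    sessions = SESSIONS if sessions is None else sessions
    seen_jti = SEEN_JTI if seen_jti is None else seen_jti
    now = time.time() if now is None else now

    for required in ("iss", "aud", "iat", "jti", "events"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    events = claims["events"]
    if not isinstance(events, dict) or not isinstance(
        events.get(BACKCHANNEL_LOGOUT_EVENT), dict
    ):
        raise ValueError("missing backchannel-logout event")
    if not _aud_contains(claims["aud"], client_id):
        raise ValueError("aud does not include this client")
    if not (now - max_age <= claims["iat"] <= now + 60):
        raise ValueError("iat outside the acceptable window")
    if claims["jti"] in seen_jti:
        raise ValueError("replayed jti")

    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise ValueError("logout token needs sub and/or sid")

    if sid is not None:
        # The sid must identify a session established with the same issuer,
        # and a sub, when present, must be the sub recorded for that session.
        session = sessions.get(sid)
        if session is None or session["iss"] != claims["iss"]:
            raise ValueError("unknown sid for this issuer")
        if sub is not None and session["sub"] != sub:
            raise ValueError("sid and sub do not belong to the same session")
        matched = [sid]
    else:
        # sub only: end every session this issuer established for that subject
        matched = [s for s, v in sessions.items()
                   if v["iss"] == claims["iss"] and v["sub"] == sub]
        if not matched:
            raise ValueError("no sessions for this sub and issuer")

    seen_jti.add(claims["jti"])
    return matched
```

The sid/sub cross-check is the part the issue says the spec does not currently require; without it a token whose 'sub' is valid but whose 'sid' belongs to someone else's session would still be accepted on the strength of one of the two claims.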
#1174 Federation: 9.2.2.2.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over
Assigned to Roland
#1175 Create a Separate Spec for Self-Issued Identifiers
There's been discussion in the issue among Tom, Mike, and Tony
Tom is asking about discovery and key rollover
Tom is doing his implementation for IAL2 and AAL2 of NIST 800-63
Mike asked Tom how he associates multiple keys with a subject
Mike asked what normative requirements are needed to enable key rollover
Tom said that this is related to the persistent ID issue #1081
#1081 Need for a persistence user identifier - a PUID
Mike asked whether "sub" isn't a persistent ID, at least when non self-issued
If there was a persistent ID claim, one value of it could be a DID
Tom is talking with Tobias Looker and Kyle Den Hartog about this
People also asked for an ephemeral subject type in issue #1096
Tom plans to write a proposal and link the three issues above together
Tom will present about this at the virtual SIOP workshop
#1167 Required certification behaviour for request and request_uri parameters
Marked resolved, since this is done in the Java certification suite
Next Call
The next working group call is Monday, June 22 at 4pm Pacific Time