[Openid-specs-ab] Spec Call Notes 26-Mar-20
Mike Jones
Michael.Jones at microsoft.com
Thu Mar 26 15:17:54 UTC 2020
Spec Call Notes 26-Mar-20
Attendees:
  Mike Jones
  Filip Skokan
  Brian Campbell
  Tim Cappalli
  George Fletcher
  Bjorn Hjelm
  John Bradley
Introductions
Tim Cappalli just joined the Microsoft Identity Standards team
Tim introduced himself and the other participants introduced themselves to Tim
Migration from Mercurial to Git
Edmund Jay posted a sample conversion in December at https://bitbucket.org/edmund_jay/connect/
People are encouraged to review the draft conversion
Also review:
https://bitbucket.org/edmund_jay/connect/commits/
https://bitbucket.org/edmund_jay/connect/src/master/
https://bitbucket.org/edmund_jay/connect/issues?status=new&status=open
It changes the Mercurial commit IDs to Git commit IDs
Identities should be the same between Mercurial and Git on Bitbucket
We plan to do the migration for real in early April
Yahoo is turning off OpenID 2.0 support
They support the OpenID 2.0 to OpenID Connect migration spec
AppAuth
The AppAuth libraries are a project of the OpenID Connect working group
George believes there is no current maintainer for AppAuth Android
There is a Verizon Media person, Anand, who is willing to do it
Verizon Media has added WebKit support
We could have a whole call on this topic
George will ask Anand to join a future call
William Denniss has been maintaining AppAuth for iOS
John says that the iOS library uses the iOS SF authentication controller, which has WebAuthn support
See https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
William had started a JavaScript library but it is currently unmaintained
Filip: It is getting ~9000 weekly downloads as a package
Filip says that it is not for browsers
Logout Certifications and Spec Review
We got our first logout RP certifications this week
People are asked to review the three logout specs in preparation for taking them to final status
We discussed possibly breaking RP-Initiated Logout out into its own spec (removing it from Session Management)
See issue https://bitbucket.org/openid/connect/issues/1162
Logout and Safari/Brave Third-Party Cookie Blocking
Session change notifications don't work with third-party cookies disabled
Front-channel logout also has problems
It's the notification channels that are affected
Back-channel logout continues to work
Proposed IsLoggedIn W3C browser feature
See https://github.com/WebKit/explainers/tree/master/IsLoggedIn
People are encouraged to review this
OpenID Connect for Identity Assurance
The public review for the second Implementer's Draft has started
https://openid.net/2020/03/24/second-public-review-period-for-openid-connect-for-identity-assurance-specification-started/
App Impersonation on Android
George suggested we discuss app impersonation on Android
If using a custom scheme on Android, the OS asks you which app you want to invoke
Only asked if multiple apps are registered for the scheme
John: There is no protection for app impersonation
John: The way to stop this is to use a claimed URL
George: Or you can use Dynamic Client Registration
John: There's currently no way to uniquely identify the app
It could be done using WebAuthn, in which the assertion identifies the app
George: User consent is another defense, but it's a strange UX
George would like us to provide guidance somewhere
John suggested a revision of the Native Application Best Practices specification
OAuth JAR
Nat is going to update the spec to allow the client_id as a request parameter again
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time and so didn't look at any open issues on this call
Next Call
The next working group call is Monday, March 30, 2020 at 4pm Pacific Time
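Added example, not part of the call notes and not code from AppAuth: an Android manifest fragment that places the custom-scheme redirect intent filter discussed under "App Impersonation on Android" beside a claimed https redirect URI (an Android App Link, the approach RFC 8252 recommends for native apps). The package name com.example.rpapp, the host rp.example.com, the redirect path /oauth2redirect and the certificate fingerprint are placeholders.

```xml
<!-- Added example: two ways an Android RP can receive the authorization response.
     Placeholder values: com.example.rpapp, rp.example.com, /oauth2redirect, fingerprint. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rpapp">
  <application>

    <!-- 1. Custom-scheme redirect URI, e.g. com.example.rpapp:/oauth2redirect
         Android does not verify ownership of a scheme, so any installed app can
         declare the same filter. If several apps do, the user gets a chooser; if an
         impersonating app is the only one registered, it receives the authorization
         code with no prompt at all. -->
    <activity android:name=".CustomSchemeRedirectActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="com.example.rpapp" android:path="/oauth2redirect"/>
      </intent-filter>
    </activity>

    <!-- 2. Claimed https redirect URI (App Link), e.g. https://rp.example.com/oauth2redirect
         With autoVerify="true", Android 6.0+ fetches
         https://rp.example.com/.well-known/assetlinks.json at install time and routes
         the URL directly to this app only if that file names this package and the
         SHA-256 fingerprint of its signing certificate. Another app cannot pass that
         check for a domain it does not control, so it cannot claim the redirect. -->
    <activity android:name=".AppLinkRedirectActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="rp.example.com"
              android:path="/oauth2redirect"/>
      </intent-filter>
    </activity>

  </application>
</manifest>

<!-- Statement the RP serves over https at rp.example.com/.well-known/assetlinks.json
     (placeholder fingerprint; obtain the real one from the app's signing certificate):
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.rpapp",
    "sha256_cert_fingerprints": ["AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"]
  }
}]
-->
```

Two caveats a practitioner should keep in mind: the binding only holds where the OS performs the verification (Android 6.0 and later, and only while the assetlinks.json fetch succeeds; on failure Android falls back to the chooser, so the app should treat the custom-scheme path as untrusted or drop it entirely), and the claimed URI stops redirect interception but does not replace PKCE, which still protects the code against other leakage paths.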