[Openid-specs-ab] Spec Call Notes 12-Apr-21
Mike Jones
Michael.Jones at microsoft.com
Tue Apr 13 02:27:38 UTC 2021
Spec Call Notes 12-Apr-21
Mike Jones
Tony Nadalin
John Bradley
Kristina Yasuda
Adam Lemmon
Tom Jones
Tim Cappalli
Jeremie Miller
Vittorio Bertocci
Dmitri Zagidulin
Edmund Jay
David Waite (DW)
Logout Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout
1184: Unclear what to do if id_token_hint user does not match currently logged in user at OP
    Agreed that since logout is idempotent, repeating a logout is a success
1216: query over rp initiated logout certification test outcomes for tests that use invalid information
    Edmund said there's not much point in showing an error, since there's not much the user can do
1183: Handling errors during OpenID Connect RP-Initiated Logout
    Edmund will add a comment to this one as well
1185: Mention of POST requests and SameSite cookie attributes (RP Initiated Logout)
    Vittorio said that browsers will flag cross-origin posts served by JavaScript from another origin
    We could use cookies marked SameSite=None rather than Lax
    Or we could do a GET with a 302 to itself, an approach that DW said Ping is using
    Vittorio agreed to send Mike a description to add to the issue
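As an added illustration that is not part of these notes, a simplified Python model of the SameSite rules behind issue 1185: it checks whether an OP session cookie would accompany each of the request shapes discussed (a cross-origin POST issued from JavaScript, a top-level cross-site form POST, and the GET that follows a 302 to itself). The cookie names, the request shapes, the Chrome-style "absent means Lax" default, and the treatment of the post-redirect request as a plain top-level GET are assumptions of this model, not statements from the call.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified SameSite rules from RFC 6265bis, constructed for illustration.
# Real browsers add nuances (redirect-chain handling, the temporary
# "Lax+POST" allowance for attribute-less cookies) that are not modelled here.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    top_level: bool   # browser navigation (link, form submit, redirect) vs. fetch/XHR
    cross_site: bool  # the initiating site differs from the request's site
    https: bool = True


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Would the browser attach `cookie` to `req` under the simplified rules?"""
    mode = cookie.samesite or "Lax"  # assumption: absent attribute treated as Lax
    if mode == "None":
        # SameSite=None is only accepted together with Secure over HTTPS;
        # a cookie that fails that rule is rejected, so it is never sent.
        return cookie.secure and req.https
    if not req.cross_site:
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site only on top-level navigations using a safe method
    return req.top_level and req.method.upper() in SAFE_METHODS


def logout_scenarios(cookie: Cookie) -> dict:
    """One OP session cookie against the three request shapes from issue 1185."""
    js_post = Request("POST", top_level=False, cross_site=True)
    form_post = Request("POST", top_level=True, cross_site=True)
    # After the OP answers with a 302 to itself, the browser issues a top-level
    # GET; assumption: modelled as a fresh top-level GET, ignoring redirect chains.
    get_after_302 = Request("GET", top_level=True, cross_site=True)
    return {
        "js_cross_origin_post": cookie_sent(cookie, js_post),
        "top_level_form_post": cookie_sent(cookie, form_post),
        "get_after_302": cookie_sent(cookie, get_after_302),
    }
```

With a Lax session cookie only the GET-after-302 shape reaches the OP with the cookie attached; with SameSite=None; Secure all three do, at the cost of accepting cross-site POSTs that the cookie no longer filters.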
Discussing sending VC objects as claims
Mike, Kristina, and Oliver wrote https://openid.bitbucket.io/connect/jwt-claims-for-vc-objects-1_0.html to foster discussion
DW said that the security considerations for JSON-LD are more complicated than pure JSON
It brings back the complexities we jettisoned with XML DSIG
He asked about ignoring not-understood claims
He said that we could use _claim_sources for VPs
Tony said that we already have "vp" and "vc" claims
The processing rules of those are defined by the W3C VC spec - and they're JSON-LD
OpenID Connect defines processing rules for some claims, such as "iss", "aud", etc.
Jeremie said that you can't take a general JWT and also make it a VC or VP
Kristina said that the "vp" and "vc" claims are to embed VC-specific context in their JWT representations
DW reported that the entire JWT using "vp" or "vc" is the VP or VC - not just that in the contained claim
He also brought up "alg":"none" issues introduced by the W3C spec
He said that embedding those claims in an ID Token would change the security properties of an ID Token
Dmitri Zagidulin said that there are implementations that stuff entire VPs and VCs into JWTs
But they use different claim names, so they're compliant
DW reported that we could have _claim_sources=(source type), rather than declaring new IANA JWT claims
He said that we need to think about both the presentation and holder cases
DW said that he'll be submitting something on this topic soon
Dmitri said that some people are embedding objects
And they are requesting "vp" and "vc" as custom claims
Tim showed an example of how Microsoft is doing that, which also uses Presentation Exchange
In that case, it truly is layered
Kristina also spoke to the layering
Findings of Fact:
The W3C imposes processing rules on JWT claims for its JWT representations
It is possible to completely embed W3C VC-defined objects as claim values
DW would like to explore using _claim_sources as Verifiable Presentations
John pointed out that we already have JWT _claim_sources
Tom said that the _claim_names are a dictionary
DW pointed out that a JSON dictionary could have conflicts with JSON-LD claim renaming rules
SIOP Issues
We ran out of time to get to this
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time to get to this
Next Calls
The next SIOP special call is Tuesday, April 13th at 3pm Pacific Time
The next regular Connect call is on Monday, April 19th, 2021 at 4pm Pacific Time