[Openid-specs-ab] SIOP Special Topic Call Notes 18-Aug-22
Mike Jones
Michael.Jones at microsoft.com
Thu Aug 18 18:02:45 UTC 2022
SIOP Special Topic Call Notes 18-Aug-22
Kristina Yasuda
Mike Jones
Joseph Heenan
Mark Haine
Oliver Terbu
David Chadwick
Jeremie Miller
Thomas Bellebaum
David Waite
George Fletcher
Bjorn Hjelm
David Waite (DW)
There's a whole bunch of new PRs for people to review
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #271: added base64utl definition from rfc7517 (Issue #1403)
Merged
PR #280: When the requested scope value is invalid, unknown, or malformed, the AS (Issue #1572)
We discussed whether to ignore not-understood scopes
Kristina said that returning an error is standard OAuth practice
PR #278: Where to include a presentation submission (Issue #1518)
Planned to merge
PR #285: Adding batch credential endpoint: fixes #1544
Kristina asked how errors are handled
Oliver said that we could return errors in the response array but we don't currently
Mike commented that we should define the error handling before merging this
George thinks we should keep it simple by having all-or-nothing error handling
David Chadwick said that there might be different errors for different credential requests
George asked whether the extra complexity of fine-grained error handling is worth it for our use cases
Kristina said that she is hearing a lot of support for all-or-none error handling
Mark Haine said that the eKYC-IDA Selective Abort and Omit feature might be applicable
https://openid.bitbucket.io/ekyc/openid-connect-advanced-syntax-for-claims.html
He will add a link to the PR
PR #261: added implementation considerations on credential refresh
Jeremie thinks this is ready to go
David Chadwick added some comments
Kristina suggested merging it after addressing the comments
Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1572: [has-PR] Should AS entirely ignore the scopes in OpenID4VCI and 4VP that it does not understand
PR #280 addresses this issue
#1603: How to request specific claims to be included in a Self-Issued ID Token when SIOP v2 is used with OpenID4VP?
George said that processing "claims" is simpler than "presentation_definition"
George is worried about the interoperability of using scopes
Jeremie asked what the use case is for claims in the ID Token rather than a VC
George stated that many deployments will be hybrid for the foreseeable future
David Waite said that he sees the use case as being different
David Chadwick said that verifiers are capable of processing VPs
Kristina said that she does have a requirement for this functionality
We discussed returning self-signed VCs
Possibly embedded in another VC
George said that verifiers will be very specific about what they need
Mike said that this feels very much like the eKYC-IDA fine-grained requests
Mike spoke in favor of using "claims" for consistency
Mark said that use of "claims" is picking up
He said that the Advanced Syntax for Claims spec also enables claims transformation
Kristina said that requesting self-signed VCs seems to be a straightforward path
#1602: Signed request - what is the audience?
DW said that guessing about the audience will create problems
Including "aud" is a SHOULD in signed requests - both in Connect and OAuth JAR
Next Call
The next call will be Monday, August 22, 2022 at 4pm Pacific Time