[Openid-specs-ab] SIOP Special Topic Call Notes 7-Jul-22
Mike Jones
Michael.Jones at microsoft.com
Fri Jul 8 16:07:12 UTC 2022
SIOP Special Topic Call Notes 7-Jul-22
Kristina Yasuda
Mike Jones
Brian Campbell
David Chadwick
Joseph Heenan
Dmitri Zagidulin
Andrew Hughes
George Fletcher
Bjorn Hjelm
IETF 114 is soon
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #228: Restructuring OpenID4VCI spec to improve readability prior to the Implementer's Draft call
We agreed to merge this after Torsten or Tobias approve
PR #225: adding format identifiers for 23220-4
This will be merged after confirming that it matches the ISO spec
PR #229: corrected the OP Metadata JSON
David talked about the difference between types and schemas
He said that you can't assume what the schema is from the type
David suggested working through an example with multiple types of credentials
PR #227: changed parameter name from registration to client metadata
Kristina discussed semantics for ephemeral clients
We discussed how to handle new metadata for a client that is already registered
We think that an error should be thrown in this case, since it's an attack vector
This would be the case if both a client_id and client_metadata parameters are present
Kristina said that the client_id parameter would be meaningless for ephemeral client
This is signalled by having client_id=redirect_uri
Brian wondered if the lack of a client_id would indicate this
Kristina said that client_id is a mandatory parameter
Kristina said that in SIOPv2, you can use dynamic client registration or out-of-band registration
George said that if a client_id already exists, it's an error to attempt to provide new registration information
Mike also agreed that this should be an error
George said that throwing an error is testable
Mike suggested that we merge this, continuing to throw an error when the extra client_metadata parameter is present
Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
#1538: Clarify valid response_type values
Travis Spencer asked whether we want to define and allow composite response types including vp_token
Mike said that we don't want to enable a combinatorial explosion of new response_type values
#1544: Requesting multiple credentials
David asked whether one can receive multiple credentials in a single credential request
Kristina said that the intent is to receive a single credential per request
There is a single proof
David said that sometimes the text seems to imply that multiple credentials can be returned
Mike made an analogy to OAuth - where we've consistently refused requests to be able to return multiple access tokens with different scopes
George agreed with that analogy
Joseph said that handling error cases would certainly be more complicated if multiple credentials are possible
Mike asked David to create a PR rooting out cases where there seems to be ambiguity
George suggested that we deploy the simple case and then determine whether deployments are asking for the more complicated case
David said that they have implemented multiple returns and partial returns
Next Call
The next call will be on Monday, July 11, 2022 at 4pm Pacific Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220708/51505ff1/attachment.html>
More information about the Openid-specs-ab
mailing list