[Openid-specs-ab] Spec Call Notes 28-Mar-22
Mike Jones
Michael.Jones at microsoft.com
Tue Mar 29 19:57:34 UTC 2022
Spec Call Notes 28-Mar-22
Mike Jones
Kristina Yasuda
Karthik Sivasamy
Tobias Looker
David Waite
Vittorio Bertocci
Edmund Jay
OAuth/IETF Debrief
DPoP entered WGLC today
Please respond to the thread "[OAUTH-WG] WGLC for DPoP Document"
Tobias asked whether the server side nonce remains optional
Mike said that he didn't think that it was discussed
Kristina remarked that the server nonce for the VCI spec has different characteristics than the DPoP server nonce
Daniel Fett led a session about OAuth libraries
Vittorio said that we might want to be more prescriptive about having metadata
Mike recounted the history of the OpenID Foundation having failed to maintain libraries over time
Vittorio and Mike agreed that objective quality bars could be useful, but not Foundation-developed libraries
Step-up Authentication
Brian and Vittorio described an OAuth step-up authentication draft using OpenID Connect parameters
https://datatracker.ietf.org/doc/draft-bertocci-oauth-step-up-authn-challenge/
Vittorio said that errors are expected when the requested ACRs can't be met
He described the use of the unmet_authentication_requirements error code
There was a discussion at the IETF on public clients versus confidential clients and OAuth 2.1 credentialed clients
One camp says that anything with a credential is a credentialed client, no matter when obtained
Another dimension is whether the client is a singleton or has multiple instances
This could eventually have an impact on existing implementations
For instance, it could affect developer portals
Security BCP
The security BCP is planned to go to WGLC after some review comments have been acted upon
Review it now!
OAuth 2.1
There are a number of issues that will need to be resolved before it goes to WGLC
The minutes are at https://notes.ietf.org/notes-ietf-113-oauth
W3C FedID Community Group
Vittorio reported that we want to have an actionable identity path forward while enhancing user privacy
FedCM is the only work item at present
Google wants the ability to retain account selection
It is a completely different identity solution from OpenID Connect and SAML, with the browser at the center
It's not sufficient for us to replace our current functionality, especially logout
Vittorio asked whether the time may be approaching for the OpenID Foundation and others to make public statements about FedCM
Tobias asked whether Vittorio thinks that existing Browser features that we need will be going away soon
In the worst case, we may lose link decoration, redirection, and third-party cookies
Vittorio talked about logout not being preserved
Mike said that the OpenID Foundation has written open letters in the past
For instance, the open letter about Sign In with Apple
https://openid.net/2019/06/27/open-letter-from-the-openid-foundation-to-apple-regarding-sign-in-with-apple/
That was effective because it was very specific and actionable
Any future letter should hopefully be similarly actionable
Any letter needs to be informed by both the business and the engineering realities
Tobias asked why WebFinger and AccountChooser weren't widely adopted
Mike said that if they were adopted, user choice of identity providers would be commonplace
Nat opined (offline) that asking people to type in an identifier during login was probably a non-starter
Vittorio said that business solutions will be achieved, no matter what the specs said
Vittorio said that having specs doesn't mean that all features of the spec will be implemented
Mike agreed that unless a feature meets an immediate felt business need, it likely won't be adopted
Vittorio said that user agency is overrated
DW said that the more user choice there is, the more you have to handle if the person switches providers
He said that as OpenID 2.0 was ramping down, people often found that their OPs no longer existed - disrupting access to RPs
Kristina agreed that RP behaviors have a huge effect and we need to take that into account
Mike said that, for instance, similar issues are likely to arise in the wallet space
He expressed that we're having this discussion to try to have our shared experience and sense of history inform our current and future work
Mike reported that Kristina invited those discussing OpenID Connect elsewhere to participate in the Connect working group
Kristina pointed out that people who use crypto wallets appear to want more user choice than in other spheres
Sign-In with Ethereum is part of this space
Tobias sees a huge overlap between SIOP and this space
Kristina plans to do a PR updating the definition of SIOP to uplevel it
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
We ran out of time to discuss PRs
Open Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open
We ran out of time to discuss issues
Next Call
The next call will be the SIOP special topic call on Thursday, March 31, 2022 at 7am Pacific Time