[Openid-specs-ab] 2024-02-08 Connect working group call notes

Joseph Heenan joseph at authlete.com
Thu Feb 8 15:47:30 UTC 2024


Attendees:

Joseph Heenan
Michael Jones
George Fletcher
Bjorn Hjelm
Brian Campbell
David Waite
Filip Skokan
Pamela Dingle


Only 3.5 weeks left to make submissions for IETF

Native SSO

https://bitbucket.org/openid/connect/issues/2101/native-app-sso-no-prescriptive-restriction - George to raise a PR


https://lists.openid.net/pipermail/openid-specs-ab/2024-February/010226.html - George will respond on the list

Federation

https://bitbucket.org/openid/connect/pull-requests/695 - Conflicts resolved, Mike plans to merge.

Mike & others spoke with Stefan Santesson about the federation issues he had raised, which seemed to come down to potentially not trusting RPs to do key management. A productive discussion was had and Mike plans to close many of the issues.



POST at authorization endpoint

Joseph noted there was further discussion on https://gitlab.com/openid/conformance-suite/-/issues/1293 that should be happening within the Connect working group instead.

Mike asked Joseph to open an issue in the connect tracker, which Joseph did: https://bitbucket.org/openid/connect/issues/2115/post-to-authorization-endpoint

Brian noted that Ping does accept POST on the Authorization Endpoint.

There was general discussion about adding conformance tests vs. discouraging this in the spec. It was noted that the FHIR spec requires the authorization server to support this, as per Aaron’s original message, and that if we were to encourage people to implement POST it’d be better to push them towards PAR.

An errata can’t make a normative change to the current requirement in OpenID Connect to support POST at Authorization Endpoint.

Mike said a 1.1 for this would be overkill. Pam asked if there’s anything else that would go into 1.1. Filip suggested that returning access tokens from the Authorization Endpoint could also be removed. Mike said he wouldn’t want to start 1.1 while the ISO PAS submission was ongoing, which may take 9 months.

George suggested adding a conformance test that only issues a warning if it fails, and also creating a new conformance profile that requires it be supported as per FHIR.

Joseph asked if FHIR intend to use our certification tests. No one knew. Mike J suggested it would be worth discussing again on a call where Aaron was present. 


Moving to GitHub

Pam asked if everything is moving to GitHub. MikeJ said it’s been handled on a case by case basis, and e.g. the Federation authors would like to move to GitHub once they have some existing issues & PRs closed (as the PRs/issues do not transfer over well).

