[Openid-specs-ab] Mins OpenID AB/Connect 2024-02-26 3pm PT

Tom Jones thomasclinganjones at gmail.com
Tue Feb 27 05:42:32 UTC 2024


*Mins Open ID AB/Connect 2024-02-26 3pm PT*

*Attendees:*

*Nat Sakimura*

*Tom Jones*

*George Fletcher*

*Aaron Parecki*

*Michael Jones*

*Brian Campbell*

*DWaite*

*Dima Postnikov*

*Andrii Deinega*

*Bjorn Hjelm*



*External Orgs:*



Short chat on the need for some means for a verifier (or any initiator) to
create a connection to an appropriate app on the device. Needed, but not
clear where it belongs. Originated in DCP. Tom to create an issue and send a
draft to George.



OpenID Workshop before IIW
https://openid.net/registration-oidf-workshop-monday-april-15-2024/



OpenID DCP will have an event on Friday after IIW, probably at Google. Look
for announcements.



OAuth Security Workshop registration is open at
https://oauth.secworkshop.events/osw2024
The call for speakers is open from now until March 4, 2024.



W3C Privacy – Mozilla has a specific module to use session storage. Google
has a similar proposal in blink.dev to allow files to be accessed cross
origin in WICG – addressing the use of stolen credentials to access and use an
existing table of tokens. The obvious solution seems to be to bind the token
to the device. FAPI has one solution to this. https://sec.okta.com/harfiles =
breach: after stealing one token the attacker was able to access other tokens,
so device-bound cookies (or whatever data structure might be used in future)
are needed.
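As an added illustration of the "bind the token to the device" point above (constructed example, not code from the working group, FAPI or any vendor): a minimal proof-of-possession model in which the resource server only honours a token when the request also carries a proof signed by a key that stays on the device. FAPI profiles achieve this with DPoP or mTLS and asymmetric keys; here a per-device secret registered at enrollment stands in for the key pair so the script runs on the Python standard library alone. The key point it shows is that a token copied out of a HAR file is useless on its own, and a captured proof cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: simplified sender-constrained ("device-bound") token check.
# Not FAPI/DPoP code; a shared per-device secret replaces the asymmetric key pair
# so that the whole flow runs offline with only the standard library.

PROOF_MAX_AGE = 60  # seconds a proof stays valid; bounds the window for a captured proof


def key_id(device_secret: bytes) -> str:
    """Identifier of the device key that the issuer embeds in the token (cf. a JWK thumbprint)."""
    return hashlib.sha256(device_secret).hexdigest()[:16]


def issue_bound_token(device_secret: bytes, subject: str, now: float) -> str:
    """Issuer side: the token names the device key it is bound to (RFC 7800-style 'cnf' claim)."""
    payload = {"sub": subject, "cnf": {"kid": key_id(device_secret)}, "exp": int(now) + 600}
    return json.dumps(payload, sort_keys=True)


def make_proof(device_secret: bytes, method: str, uri: str, token: str, now: float) -> dict:
    """Client side: sign the request details with the device key that never leaves the device."""
    claims = {
        "htm": method, "htu": uri, "jti": secrets.token_hex(8), "iat": int(now),
        "ath": hashlib.sha256(token.encode()).hexdigest(),  # ties the proof to this exact token
    }
    msg = json.dumps(claims, sort_keys=True).encode()
    claims["sig"] = hmac.new(device_secret, msg, hashlib.sha256).hexdigest()
    return claims


def verify_request(token: str, proof: dict, method: str, uri: str,
                   registry: dict, seen_jtis: set, now: float) -> tuple:
    """Resource server side. Returns (accepted, reason)."""
    payload = json.loads(token)
    if payload["exp"] < now:
        return False, "token expired"
    device_secret = registry.get(payload["cnf"]["kid"])
    if device_secret is None:
        return False, "unknown device key"
    claims = {k: v for k, v in proof.items() if k != "sig"}
    expected = hmac.new(device_secret, json.dumps(claims, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.get("sig", "")):
        return False, "proof not signed by the bound device key"
    if claims["htm"] != method or claims["htu"] != uri:
        return False, "proof is for a different request"
    if claims["ath"] != hashlib.sha256(token.encode()).hexdigest():
        return False, "proof is for a different token"
    if not (now - PROOF_MAX_AGE <= claims["iat"] <= now + 5):
        return False, "proof too old"
    if claims["jti"] in seen_jtis:
        return False, "proof replayed"
    seen_jtis.add(claims["jti"])
    return True, "ok"


def demo() -> dict:
    """Legitimate device succeeds; a copied token alone fails; a captured proof cannot be reused."""
    now = 1_700_000_000.0
    device_secret = secrets.token_bytes(32)            # created on the device at enrollment
    registry = {key_id(device_secret): device_secret}  # resource server: key id -> device key
    seen = set()
    uri = "https://api.example/resource"
    token = issue_bound_token(device_secret, "alice", now)

    proof = make_proof(device_secret, "GET", uri, token, now)
    legit, _ = verify_request(token, proof, "GET", uri, registry, seen, now)

    # Token copied from the browser, but the device key was not: proof made with another key.
    attacker_secret = secrets.token_bytes(32)
    forged = make_proof(attacker_secret, "GET", uri, token, now)
    stolen, stolen_reason = verify_request(token, forged, "GET", uri, registry, seen, now)

    # Token and a proof both captured: the jti cache rejects the replay.
    replay, replay_reason = verify_request(token, proof, "GET", uri, registry, seen, now + 1)

    return {"legit": legit, "stolen": stolen, "stolen_reason": stolen_reason,
            "replay": replay, "replay_reason": replay_reason}


if __name__ == "__main__":
    print(demo())
```

The `ath`, `htm`/`htu` and `jti` checks mirror what a DPoP-style verifier does; the check order matters little for security, but keeping the signature check before the cheaper claim checks avoids leaking which claim of an unsigned proof was wrong.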



W3C FedCM is looking at universal naming. See Vladimir Dzhuvinov's paper,
OpenID Federation policies for Pairwise Pseudonymous Identifiers (PPID):
https://connect2id.com/blog/openid-federation-ppid-policy
(from
https://www.linkedin.com/posts/vladimirdzhuvinov_openid-federation-policies-for-pairwise-pseudonymous-activity-7167841011216453632-6tpD?utm_source=share&utm_medium=member_desktop)
This is a generalization of what federation already allows.

IETF 119 https://www.ietf.org/how/meetings/119/

*Issues and PRs:*

PR 702 https://bitbucket.org/openid/connect/pull-requests/702 addresses
issue 2101
https://bitbucket.org/openid/connect/issues/2101/native-app-sso-no-prescriptive-restriction

2115 – supporting POST at the authN endpoint – it was agreed by all to
recommend that the conformance test look for support of POST, but only issue a
warning if it is not supported by the endpoint. Tom addressed the issue at
FHIR by noting that: “the point has been made elsewhere that the common
Authorization Code Flow implementations will not have an issue. If the
Authorization server handles the authz grant, the token issuance and the
user resource all from the same origin as they all need to share data.
However, it is not required in the spec that these endpoints are all in the
same origin, as that was not an issue when the spec was written. If they
all share a common origin, there should be no problem.”

2117 There are cases when one may want to do the discovery for Entities
other than Leaf Entities. Mike changed the status to open. Tom noted that these
were only significant on a transaction basis: any node could generate a
chain from the root to itself, i.e. the concept of leaf is in the eyes of the
requester.

https://bitbucket.org/openid/connect/issues/2118/federation-introduce-sector_identifier-to
by Axel Nennker was resolved as written. Do we want to open it elsewhere?

2120 Mike to generate language about one subordinate versus the entire tree of
all subordinates.
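The two federation points above (2117: any entity, not only a leaf, can build a trust chain from itself up to a trust anchor; 2120: one direct subordinate versus the whole subtree of subordinates) can be made concrete with a small resolver. This is a constructed example and not OpenID Federation reference code: entity statements are plain dicts without signatures, and the entity ids, authority hints and statements are invented, so the walk runs offline instead of fetching signed JWTs from `.well-known/openid-federation` and fetch endpoints.

```python
# Constructed example, not OpenID Federation reference code. Entity statements are
# modelled as unsigned dicts so the resolution logic runs offline; a real resolver
# fetches and verifies signed entity statements over HTTPS.

# What each entity publishes about itself, keyed by entity id (invented ids).
ENTITY_CONFIGS = {
    "https://ta.example":    {"sub": "https://ta.example",    "authority_hints": []},
    "https://int.example":   {"sub": "https://int.example",   "authority_hints": ["https://ta.example"]},
    "https://rp.example":    {"sub": "https://rp.example",    "authority_hints": ["https://int.example"]},
    # Claims the intermediate as superior, but the intermediate never issued a statement for it.
    "https://rogue.example": {"sub": "https://rogue.example", "authority_hints": ["https://int.example"]},
}

# (issuer, subject) -> subordinate statement the superior issues about the subordinate.
SUBORDINATE_STATEMENTS = {
    ("https://ta.example", "https://int.example"): {"iss": "https://ta.example", "sub": "https://int.example"},
    ("https://int.example", "https://rp.example"): {"iss": "https://int.example", "sub": "https://rp.example"},
}

TRUST_ANCHORS = {"https://ta.example"}


def resolve_chain(entity, configs, statements, anchors, _visited=frozenset()):
    """Return the list of entity ids from `entity` up to a configured trust anchor,
    or None if no chain exists. Works for any entity, so an intermediate is a
    'leaf' whenever it is the one being resolved (the 2117 point)."""
    if entity in _visited:
        return None                       # loop in authority hints; refuse rather than recurse forever
    visited = _visited | {entity}
    if entity in anchors:
        return [entity]
    config = configs.get(entity)
    if config is None:
        return None                       # entity configuration could not be obtained
    for superior in config.get("authority_hints", []):
        if (superior, entity) not in statements:
            continue                      # the claimed superior does not vouch for this entity
        rest = resolve_chain(superior, configs, statements, anchors, visited)
        if rest is not None:
            return [entity] + rest
    return None


def direct_subordinates(superior, statements):
    """The one-level view: entities the superior has issued a statement for (2120, 'one subordinate')."""
    return {sub for (iss, sub) in statements if iss == superior}


def subordinate_tree(superior, statements):
    """The whole-tree view: every entity reachable below the superior (2120, 'entire tree')."""
    seen = set()
    frontier = [superior]
    while frontier:
        current = frontier.pop()
        for sub in direct_subordinates(current, statements):
            if sub not in seen:
                seen.add(sub)
                frontier.append(sub)
    return seen


if __name__ == "__main__":
    for e in ENTITY_CONFIGS:
        print(e, "->", resolve_chain(e, ENTITY_CONFIGS, SUBORDINATE_STATEMENTS, TRUST_ANCHORS))
    print("direct:", direct_subordinates("https://ta.example", SUBORDINATE_STATEMENTS))
    print("tree:  ", subordinate_tree("https://ta.example", SUBORDINATE_STATEMENTS))
```

The `rogue` entry shows why the resolver must check that the superior actually issued a statement for the entity rather than trusting the entity's own `authority_hints`; the visited set guards against hint loops, which a production resolver would also bound with a maximum chain length.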

2119 Fix the metadata policy example in figure 17 – take stuff out of the examples.
Assigned to Giuseppe De Marco – Nat opened the issue, assigned to Mike.

Ran out of time before all issues were addressed.

Notes by Tom Jones