[Openid-specs-ab] AB/C WG Pacific Meeting Notes (2025-08-04)
Nat Sakimura
nat at sakimura.org
Tue Aug 5 06:25:11 UTC 2025
OpenID Connect Working Group Meeting Notes
Date: 2025-08-04 23:00 UTC
Location: Zoom
Attendees
- Michael Jones (Co-Chair) - Self-Issued Consulting
- Nat Sakimura (Co-Chair, Note taker) - NAT.Consulting
- Andrii Deinega
- Naveen CM (Channappanapura Mahadevaswamy)
- Dima Postnikov
- Bjorn Hjelm
- Tom Jones
Administrative Items

IPR and Code of Conduct Reminder
- Michael reminded attendees of IPR requirements and the new code of conduct
- Code of Conduct <https://openid.net/wp-content/uploads/2025/06/OIDF_Groups-Activities-Events-Code-of-Conduct-Policy_Final_2025-06-12.pdf>, Antitrust Policy <https://www.openid.net/antitrust>, and IPR Agreement <https://openid.net/wg/connect/>
- The Board kept the code of conduct "mercifully short" with the core principle being "treat each other with respect"
IETF Updates

RFC 7523 bis
- Working on finishing RFC 7523 bis that updates the audience value
- Parallel work happening in multiple OpenID specs including FAPI 2
- Michael needs to do an update to the specification
OpenID Connect Specification Updates

Active Pull Requests
Two new pull requests by Filip were reviewed:

PR #750 - Discovery Metadata Registry Reference
- https://bitbucket.org/openid/connect/pull-requests/750
- Issue: Updates note about additional metadata in discovery to point to the registry
- Background: When discovery was originally created, the registry didn't exist
- Change: Instead of saying "additional OpenID provider metadata parameters are defined by session management," it now says "additional metadata parameters, such as the one registered in the IANA authorization server metadata registry may be used"
- Status: Approved by Michael Jones as reasonable for errata update
- Note: Andrii Deinega provided comments suggesting additional language about non-contradiction

PR #751 - ID Token Claims Handling
- https://bitbucket.org/openid/connect/pull-requests/751
- Issue: Adds guidance for ID token claims similar to existing UserInfo claims guidance
- Change: Adds language (as "should" not "must" since it's non-normative) that omitted claims and claims with no value should be omitted from the JWT claim set and not represented by JSON null or empty string
- Discussion: Michael suggested removing "unless otherwise specified" phrase as unnecessary
- Status: Updates made to remove the unnecessary phrase
Issues Reviewed

Issue #2174 - Grammatical Fix
- Reporter: Phil Bussinger
- Issue: Missing word "to" in text about exp attribute
- Action: Andrii Deinega volunteered to create PR to fix this simple grammatical error
- Process Note: Andrii was added as contributor to the repository during the meeting

Issue #1125 - Hash Algorithm for EdDSA ID Tokens
- https://bitbucket.org/openid/connect/issues/1125
- Reporter: Filip (updated recently with post-quantum ML-DSA)
- Background: When Connect was written, it was "clever" to use the hash function from the signing algorithm for computing at_hash and c_hash
- Problem: Newer algorithms use hash functions that aren't readily available or use multiple hash functions for different roles
- Solution Discussed: Create an implementer's guide or living document that can be updated as new algorithms are registered, rather than requiring errata updates each time. Nat suggested that the core text (OIDC Core 3.2.2.10, etc.) also needs to be changed in addition.
- Action: Michael asked Filip to volunteer to create this specification
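As an added illustration of the at_hash/c_hash rule under discussion (this is not code from the meeting notes, the Connect specification or any OIDF project), the Python below computes and verifies the token hashes the way OIDC Core describes for the HMAC/RSA/ECDSA algorithm families, where the hash function follows from the alg name, and refuses to guess for EdDSA or ML-DSA, which is the gap Issue #1125 raises. The alg-to-hash table, the helper names and the sample access token value are my own constructions.

```python
# Added example: at_hash / c_hash computation per OpenID Connect Core, and
# the failure mode for algorithms whose hash function is not implied by "alg".
# Sample token values below are constructed for illustration.
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" (assumed table, built from
# the algorithm names: the trailing number is the SHA-2 digest size).
_ALG_HASH = {
    "HS256": "sha256", "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
    # "EdDSA" and "ML-DSA-*" are deliberately absent: no single hash function
    # follows from the alg name, so a verifier cannot derive one.
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_hash(alg: str, value: str) -> str:
    """Return the at_hash (for an access token) or c_hash (for a code).

    OIDC Core rule: hash the ASCII octets of the value with the hash function
    of the ID Token's alg, keep the left-most half of the digest, base64url it.
    Raises ValueError when no hash function can be derived from the alg.
    """
    try:
        hash_name = _ALG_HASH[alg]
    except KeyError:
        raise ValueError(
            f"no at_hash/c_hash hash function can be derived for alg {alg!r}"
        ) from None
    digest = hashlib.new(hash_name, value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_token_hash(alg: str, value: str, claimed: str) -> bool:
    """Recompute the hash and compare in constant time.

    An alg without a derivable hash function is a verification failure, not
    a pass: silently skipping the check would let a substituted access token
    or code through.
    """
    try:
        expected = token_hash(alg, value)
    except ValueError:
        return False
    return hmac.compare_digest(expected, claimed)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    access_token = "constructed.access.token.value"
    for alg in ("RS256", "ES384", "PS512", "EdDSA"):
        try:
            print(alg, "at_hash =", token_hash(alg, access_token))
        except ValueError as exc:
            print(alg, "->", exc)
```

The verifier side deliberately fails closed: if the ID Token was signed with an alg for which the spec text (or a future implementer's guide) does not define the hash, the at_hash check reports failure rather than being skipped, so a relying party notices the interoperability gap instead of accepting an unchecked token.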
FedCM Binding Discussion

Issue #2179 - FedCM Binding of OpenID Connect
- Background: Created by Nat Sakimura in May, with description by Aaron and support from George Fletcher
- Problem: FedCM is under-specified regarding authentication tokens, creating potential interoperability issues
- Working Group Consensus: This is a good idea that should be pursued
- Collaboration Needed: Would require volunteers and collaboration with FedCM team (Sam Goto, etc.)
- Reference: Andrii mentioned Aaron's work at https://github.com/aaronpk/oauth-fedcm-profile
AI and Authentication Discussion

Tom Jones' Concerns about MCP and OAuth
- Issue Raised: Dick Hardt's assertion that OAuth is not a good fit for MCP (Model Context Protocol)
- Core Problems Identified:
  - OAuth is built for the web; not all clients are web-based
  - Dynamic Client Registration issues
  - Bearer token security risks on client devices
  - No confirmation flows for sensitive operations
  - Coarse-grained scopes don't match real-world needs
  - Complex implementation requirements

IETF Web Bot Auth BoF
- Context: A new IETF working group for web agent authentication (crawlers) is being formed as a result of IETF 123.
- Scope Limitations: Explicitly excluded from scope:
  - Identifying and authorizing AI agents acting for people
  - Authorizing one AI agent to have another AI agent act on behalf of a person
  - All forms of delegation from humans
- Rationale: The working group believed it could solve the basic crawler problem by keeping human delegation out of scope
- Industry Impact: IETF websites now use Cloudflare protection due to excessive crawling

Privacy and Identity Concerns in AI
- Problem: Some AI agents carry PII (personally identifiable information) with them
- Example: Agents carrying "Tom Jones, Seattle, Washington" plus potentially email, birthday, etc.
- Use Case: Knowledge-based authentication using personal information
- Risk Assessment: Significant privacy implications in this "Wild West" environment

OAuth Working Group AI Discussions
- Presentations: Jonathan Rosenberg and others presented on AI agent authentication
- Outcome: Information sharing rather than specific action items
- Community Input: Seeking help from identity experts
Working Group Announcements

Native SSO Specification Advancement
- Milestone: OpenID for Native SSO for Mobile Apps approved for second implementers draft status
- Process: Mike Lez started 45-day Foundation-wide review
- Link: https://openid.net/public-review-period-for-proposed-second-implementers-draft-of-openid-connect-native-sso-for-mobile-apps/
Specification Development Updates

Ephemeral Subject Identifier
- Author: Nat Sakimura
- Status: Nat committed to creating 0.1 draft with rationale after August 18th
- Delay Reason: Heavy involvement in Japanese law changes affecting:
  - Site access blocking requirements
  - Financial institution authentication requirements
  - Regulatory comment periods and coordination

Claims Aggregation
- Author: Nat Sakimura (with Edmund)
- Status: No new reviews received since latest draft publication
New Specification Proposal

Transaction Identifier Claim
- Proposer: Dima Postnikov
- Background: txn Claim was removed from eKYC specification as too generic for identity assurance
- Use Case: Commercial ecosystems need to trace transactions after performance, especially for identity sharing
- Existing Work: References SEC events transaction identifier
- Proposal: Create a separate OpenID Connect specification to define usage in ID tokens
- Process: Michael offered to help create GitHub repository for the specification
- Precedent: Referenced unmet authentication requirements spec that defined only an error code
Technical Discussion

ID Token Only Requests
- Question Raised: How to get only an ID token from the token endpoint without access or refresh tokens
- Current Options:
  - Response type "none" (defined in the multiple response types spec) - originally for a Google Play Store use case; does not return any token.
  - Response type "id_token" (front channel only)
- Recommendation: Define a new response type for token endpoint ID-token-only requests
- Context: The issue came up in the FAPI working group
Action Items
1. Andrii Deinega: Create PR for grammatical fix (Issue #2174) ✅ Completed during meeting - PR #752
2. Filip Skokan: Consider volunteering to create implementer's guide for hash algorithms (pending response)
3. Nat Sakimura: Create ephemeral subject identifier 0.1 draft with rationale (after August 18th)
4. Dima Postnikov: Work with Michael to create GitHub repository for transaction identifier claim specification
5. Working Group: Seek volunteers for FedCM binding specification work
Repository Administration

Bitbucket Access Issues
- Problem: Difficulty finding usernames and assigning issues in Bitbucket
- Resolution: Andrii Deinega was successfully added as a contributor during the meeting

Future Considerations

Response Type Extensions
- Discussion around the need for a new response type to support ID-token-only requests from the token endpoint

AI Identity Standards
- Growing recognition that many unsolved problems in the AI space are identity problems
- Need for identity experts to participate in AI-related standardization efforts
- Tension between traditional OAuth patterns and AI agent requirements
Links Referenced During Meeting
- Connect PRs: https://bitbucket.org/openid/connect/pull-requests/
- PR #750: https://bitbucket.org/openid/connect/pull-requests/750
- PR #751: https://bitbucket.org/openid/connect/pull-requests/751
- Issue #2174: https://bitbucket.org/openid/connect/issues/2174/grammatical-fix-to-note-for-exp-attribute
- Issue #1125: https://bitbucket.org/openid/connect/issues/1125/_hash-algorithm-for-eddsa-id-tokens
- FedCM Issue: https://bitbucket.org/openid/connect/issues/2179/fedcm-binding-of-oidc
- Aaron's FedCM Profile: https://github.com/aaronpk/oauth-fedcm-profile
- Transaction Claim Proposal: https://bitbucket.org/openid/ekyc-ida/src/master/openid-connect-txn-claim.md
- Native SSO Review: https://openid.net/public-review-period-for-proposed-second-implementers-draft-of-openid-connect-native-sso-for-mobile-apps/
- Unmet Auth Requirements: https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html
- Multiple Response Types: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
Next Steps
The working group will continue monitoring the open issues and pull
requests. Members were encouraged to participate in the 45-day review
period for the Native SSO specification. Future calls will track progress
on the action items and continue discussions around AI identity challenges.
------------------------------
Meeting adjourned at approximately 01:03 UTC