[Openid-specs-ab] Meeting notes: August 14th, 2025

Frederik Krogsdal Jacobsen frederik.krogsdal at criipto.com
Thu Aug 14 15:12:36 UTC 2025


Date: 14/08/2025

Attendees: Ethan Heilman, Mike Jones, Frederik Krogsdal Jacobsen, Dick
Hardt, Andy Barlow, George Fletcher, Lukasz Jaromin, Aaron Parecki, Chris
Phillips, Filip Skokan, Andrii Deinega

Ethan is a cryptographer at Cloudflare. He had a company, since acquired,
which provided a technology to put public keys into ID tokens (OpenPubKey, see
https://eprint.iacr.org/2023/296). This can be used for software supply
chain security, SSH connections, proxy connections and other applications.
This is related to the spec proposal we will discuss later in the meeting.

Events:

   - IIW dates have changed. See https://internetidentityworkshop.com/.
   - Does anyone know if DICE will happen this year? It was postponed to
   November, but no date has been set so far. See https://diceurope.org/.
   Frederik will ask in the OIDF Slack.

Connect PRs:

   - FedCM binding of OIDC:
   https://bitbucket.org/openid/connect/issues/2179/fedcm-binding-of-oidc
      - Some people have volunteered to work on this.
      - Mozilla announced in the W3C call yesterday that they are no longer
      actively working on FedCM support. Apple has not publicly done any work on
      FedCM. This leaves Chrome as the only active implementation.
   - Clarification on additional metadata:
   https://bitbucket.org/openid/connect/pull-requests/750
      - This will be merged.
   - id token claims should not be null:
   https://bitbucket.org/openid/connect/pull-requests/751
      - Remaining issues were resolved at the meeting and this will be
      merged.
   - All open PRs have been resolved.

Discussion of OpenID Connect Enterprise Extensions:

   - The claim aud_sub represents the identifier that the RP uses for an
   account.
   - In OpenID Provider Commands, the aud_sub can be sent from the RP to
   the OP to “transfer” an account from the RP to the OP using the manage
   command (and the other way around).
   - Use case: user initially created a “standalone” account without SSO,
   and later this needs to be transferred into the SSO system.
   - In OpenID Provider Commands, the RP can use the managed_by claim to
   tell the OP who manages an account.
   - Question: does managed_by mean identity lifecycle management or
   session management or both? This should be aligned with IPSIE terms.
   - The RP can state aud_sub_required in its metadata to state that they
   require support for aud_sub.
   - Question: is this similar for SCIM? Yes, one way to think about
   Provider Commands is SCIM for OIDC.
   - Question: how do you establish trust that the IdP is authoritative for
   the user account? This is part of the OpenID Provider Commands setup. The
   trust should be specific to a tenant within the OP.
   - Question: how is the scope of authorization for account transfers
   handled? This is out of scope for the spec and must be handled between the
   RP and the user. Guidance around this should be put into the security
   and/or privacy considerations in the spec.
   - No decisions were made for now.
   - Dick will make some changes to the draft to make it easier to get an
   overview.

Discussion of new proposed spec OpenID Connect Key Binding:

   - Mechanism to bind a key to an ID token.
   - Builds on DPoP by adding a new scope dpop and including the dpop_jkt
   in the auth request. Then in the token request, add DPoP header with code
   as the nonce for DPoP. Token response then contains cnf claim with the
   public key from the DPoP header.
   - The new element is putting the dpop public key in the ID token.
   - Use case: for SSH, look at claims in the ID token to determine access.
   Binding the token to a key prevents session replay.
   - Variations on this idea are already in use for many use cases.
   - Comment: there is ongoing work on an extension to WebAuthn to allow
   signing of arbitrary data, and this may be relevant. See
   https://github.com/w3c/webauthn/pull/2078
   - Comment: you could put c_hash into the token to bind the key instead
   of using DPoP nonce.
   - Comment: should ID tokens be used for “just anything”? Or should we be
   careful about what we use them for? Ethan’s point of view: the cat is
   already out of the box.
   - We will make more time for further discussion of this topic next week
   since the meeting is running over time.
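The binding flow described above (dpop_jkt in the authorization request, a DPoP proof on the token request with the authorization code as its nonce, and a cnf claim in the resulting ID token) as an added worked example. This is illustration code written for these notes, not code from the OpenID Foundation, Cloudflare or any draft; it assumes the OP records the dpop_jkt alongside the code, that cnf carries either a jkt thumbprint (as RFC 9449 does for access tokens) or the jwk itself, and that the token endpoint URL, authorization code, key coordinates and jti values are constructed sample data. Because the Python standard library has no ECDSA, the JWS signature step is a labelled placeholder injected as a callable; every other check (RFC 7638 thumbprint, typ/alg/jwk sanity, htm/htu, iat window, nonce equals code, key equals dpop_jkt, jti replay, and the verifier-side cnf comparison) is real logic.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# RFC 7638: hash only the required public members, lexicographically ordered,
# serialised with no whitespace; the result is what dpop_jkt and cnf.jkt carry.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                      "RSA": ("e", "kty", "n"),
                      "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> str:
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def build_jws(header: dict, payload: dict, sign) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode()))}"

def split_jws(token: str):
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            f"{h}.{p}".encode(), b64url_decode(s))

# PLACEHOLDER, not a signature: lets the flow run offline. A real client signs
# with the private key matching `jwk` (e.g. ES256) and the OP verifies with a
# JOSE library; only the verify callable below would change.
def placeholder_sign(data: bytes) -> bytes:
    return hashlib.sha256(b"placeholder|" + data).digest()

def placeholder_verify(jwk: dict, alg: str, data: bytes, sig: bytes) -> bool:
    return sig == placeholder_sign(data)

def verify_dpop_proof_at_token_endpoint(proof: str, *, expected_jkt: str, code: str,
                                        token_endpoint: str, verify_sig, seen_jti: set,
                                        now: int, max_age: int = 60):
    """OP-side checks on the DPoP header of a token request. Returns (jkt, None)
    on success, (None, reason) on failure; jkt is what goes into cnf."""
    try:
        header, payload, signing_input, sig = split_jws(proof)
    except ValueError:
        return None, "malformed proof"
    if header.get("typ") != "dpop+jwt":
        return None, "typ is not dpop+jwt"
    alg = header.get("alg", "")
    if alg in ("", "none") or alg.startswith("HS"):
        return None, "alg must be an asymmetric JWS algorithm"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk or jwk.get("kty") not in THUMBPRINT_MEMBERS \
            or any(m not in jwk for m in THUMBPRINT_MEMBERS[jwk.get("kty")]):
        return None, "jwk missing, incomplete, or carries private material"
    if not verify_sig(jwk, alg, signing_input, sig):
        return None, "signature does not verify under the embedded jwk"
    if payload.get("htm") != "POST" or payload.get("htu") != token_endpoint:
        return None, "htm/htu do not match the token endpoint"
    if not isinstance(payload.get("iat"), int) or abs(now - payload["iat"]) > max_age:
        return None, "iat outside acceptance window"
    if payload.get("nonce") != code:   # the proposal uses the code as the DPoP nonce
        return None, "nonce must equal the authorization code being redeemed"
    jkt = jwk_thumbprint(jwk)
    if jkt != expected_jkt:            # key must be the one pre-committed via dpop_jkt
        return None, "proof key does not match dpop_jkt from the authorization request"
    jti = payload.get("jti")
    if not jti or jti in seen_jti:
        return None, "missing or replayed jti"
    seen_jti.add(jti)
    return jkt, None

def id_token_bound_to_key(id_token_claims: dict, presented_jwk: dict) -> bool:
    """Verifier-side check (e.g. an SSH server): the key the client proves
    possession of must be the one the OP confirmed in cnf (jkt or jwk form)."""
    cnf = id_token_claims.get("cnf") or {}
    if "jkt" in cnf:
        return cnf["jkt"] == jwk_thumbprint(presented_jwk)
    if "jwk" in cnf:
        return jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(presented_jwk)
    return False

# Constructed sample P-256 public coordinates (no private key exists for them here).
CLIENT_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
             "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}

def demo() -> dict:
    token_endpoint = "https://op.example/token"      # constructed
    code = "SplxlOBeZQQYbYS6WxSbIA"                  # constructed authorization code
    expected_jkt = jwk_thumbprint(CLIENT_JWK)        # the dpop_jkt sent with the auth request
    now = 1755180000
    def proof(nonce, jti, key=CLIENT_JWK):
        return build_jws({"typ": "dpop+jwt", "alg": "ES256", "jwk": key},
                         {"jti": jti, "htm": "POST", "htu": token_endpoint,
                          "iat": now, "nonce": nonce}, placeholder_sign)
    common = dict(expected_jkt=expected_jkt, code=code, token_endpoint=token_endpoint,
                  verify_sig=placeholder_verify, seen_jti=set(), now=now)
    r = {}
    r["good"] = verify_dpop_proof_at_token_endpoint(proof(code, "j1"), **common)
    r["replay"] = verify_dpop_proof_at_token_endpoint(proof(code, "j1"), **common)
    r["wrong_nonce"] = verify_dpop_proof_at_token_endpoint(proof("not-the-code", "j2"), **common)
    r["other_key"] = verify_dpop_proof_at_token_endpoint(proof(code, "j3", OTHER_JWK), **common)
    id_token_claims = {"iss": "https://op.example", "sub": "248289761001",
                       "aud": "rp-client", "cnf": {"jkt": r["good"][0]}}
    r["id_token_bound_to_client_key"] = id_token_bound_to_key(id_token_claims, CLIENT_JWK)
    r["id_token_bound_to_other_key"] = id_token_bound_to_key(id_token_claims, OTHER_JWK)
    return r

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The jkt comparison at the token endpoint is what turns dpop_jkt into a binding: a proof signed with any other key is rejected even when its signature is valid, so the cnf claim in the ID token can only ever name the key the client committed to before the code was issued. The jti set shown here is per-process; a real OP keys replay state by client and bounds it by the iat window.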