[Openid-specs-ab] Meeting notes - 13th feb 2025
Andy Barlow
0xandybarlow at gmail.com
Thu Feb 13 21:55:06 UTC 2025
Hi all, included the notes from today's meeting, hope the format is ok,
first time poster and all that ;)
Thanks
Andy Barlow
AB Call Notes - 13th Feb 2025
Attendees:
- Michael Jones
- George Fletcher
- Dick Hardt
- Aaron Parecki
- Brian Campbell
- Eduardo Perottoni
- Andy Barlow
- Bjorn Hjelm
Key Topics Discussed:
- Agenda & Events
  - OpenID interop event not included in the agenda; discussions on
    finalising dates.
  - Upcoming events:
    - Iceland (OSW).
    - Registration is open for IETF Bangkok, IIW, and OpenID Workshop
      (April).
- OpenID Provider (OP) Commands Spec Discussion
  - Feedback from Brian Campbell (no technical feedback to act on).
  - Points raised by Aaron and George:
    - Should we extend existing specs or create new ones when parts of
      the behaviour are defined in different specifications?
    - Existing mechanisms are often complex and sometimes not widely
      adopted; this is an attempt at simplification and removal of
      deployment friction.
    - Importance of avoiding unnecessary burden on implementers.
  - Dick emphasised:
    - The goal is to reduce deployment friction; the vision was based on
      how to simplify federation.
    - The world has shifted since early federation discussions.
  - Michael:
    - Will request reviews from the mailing list ahead of the next
      meeting.
    - Shared Signals WG should be invited to be involved due to
      potential overlap.
    - Consideration for a call for adoption or revisions at next week's
      meeting.
- Native SSO Spec Discussion
  - Draft 7 was published, which contained most issues raised.
  - Good feedback to decouple id_token. AI: Create a PR to implement that
    feedback.
  - However, the landscape has changed since the draft began and George
    wants to know whether the spec should be opened up to tackle the
    changing environment or finalise.
  - George: One recurring point is that people are trying to go from
    their native app to the web browser (or other native apps) without
    the need to re-authenticate.
  - Aaron: This is a thing people are currently trying to do, so the WG
    should agree on guidance to share, as the behaviour will happen with
    or without a spec.
  - Open questions:
    - Should the draft be finalised or revised further?
    - What about SSO use cases for Native -> WebView, browser, etc.?
    - Need for further implementor reviews to inform next steps.
  - George seeking feedback on:
    - A possible solution involving DPoP binding for native-app ->
      native-app SSO.
    - Expanding Draft to cover other use cases not considered when the
      draft started (native-to-web, cross-vendor native SSO).
Action Items:
- Mike will request reviews for OP Commands and Native SSO specs from the
  mailing list.
- Decide at next week's meeting whether to proceed with OP Commands
  adoption or revisions.
- Continue the discussion on expanding Native SSO spec.