[Openid-specs-ab] A/B Connect WG - Pacific Call - Week Commencing 9th June 2025
Michael Fraser
michael.fraser at raidiam.com
Tue Jun 10 00:56:43 UTC 2025
A/B Connect WG - Pacific Call - Week Commencing 9th June 2025
Attendance:
- Nat Sakimura
- Mike Jones
- Aaron Parecki
- Andrii Deinega
- Dick Hardt
- Edmund Jay
- Tom Jones
- Naveen CM
- Michael Fraser
Noted the OpenID Foundation Antitrust Statement
Discussion around takings from Identiverse
- Nat listed the 4 main topics from the conference
- Noted a focus was on AI / Workload identity along with Continuous Identity
- Aaron brought attention to the ongoing discussions on OAuth and AI Agent Identity
- https://subramanya.ai/2025/04/28/oidc-a-proposal/
- https://techcommunity.microsoft.com/blog/microsoft-entra-blog/announcing-microsoft-entra-agent-id-secure-and-manage-your-ai-agents/3827392
- Aaron was queried at the event on whether OpenID Connect will require an update after the release of OAuth 2.1
- Possibility of an update to align the two, no current work being undertaken for this
- Mike noted that care was taken during OAuth 2.1's design to not be explicitly breaking to OpenID Connect
- Discussion that OpenID Connect should move to drop mention of response_type "token"
IETF Next Month in Madrid
- Aaron has a few items in motion for the event
- OAuth for browser-based apps aimed to be in publication queue by event
- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
- OAuth 2.1 dependent on completion of browser-based apps
- https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
- Discussions planned for OAuth for first-party apps, client_id metadata, and client id scheme
- https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/
- https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-metadata-document/
- https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-scheme/
Mike noted that RP Metadata Choices is in the 45 day review period and if the working group has comments, now is the time
- https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html
EAP ACR Values Voting is open
- https://openid.net/specs/openid-connect-eap-acr-values-1_0.html
- https://openid.net/foundation/members/polls/358
OpenID Connect Claims Aggregation
- Reviews are requested
- https://openid.net/specs/openid-connect-claims-aggregation-1_0.html
OpenID Enterprise Extensions
- Existing Draft to be published to its new repository by Dick
Ephemeral Subject Identifier
- https://lists.openid.net/pipermail/openid-specs-ab/2025-April/010728.html
- Call for adoption sent out last week
- An expanded rationale was requested on the Atlantic call and Nat has provided this to the working group
- https://lists.openid.net/pipermail/openid-specs-ab/2025-June/010827.html
- https://lists.openid.net/pipermail/openid-specs-ab/2025-June/010828.html
- Andrii queried if an RP or a client can specify what subject identifier type it wishes to receive during an authentication flow
- Nat mentioned he'd given thought to this but it isn't present in the current work. Noted it is very much worth discussing after adoption
Deferred Token Response
- Author not present and no reviews yet received
- https://fkj.github.io/slides/iiw-oic-dtr-apr-2025.pdf
OpenID Provider Commands
- https://openid.net/specs/openid-provider-commands-1_0.html
- No new updates
- Discussion on 'sub' vs 'subject_identifier'
- Andrii mentioned he'd like to be able to instruct RPs which form of user identifier he wishes an account to be created with
- Example provided where Azure ID is strongly opinionated on the `sub` value and where a custom identifier is required, an additional claim is required to map this
- Aaron mentioned that this gap of specifying the information needed to onboard a user needs to be consistent between both id tokens and op commands, not just in one
OpenID Federation
- https://openid.net/specs/openid-federation-1_0.html
- draft 43 published
- addresses a lot of the open issues
- at the time of writing 8 open issues requiring action before final
- other 9 open issues are considered for extensions
- Mike currently working on defining an explicit step-by-step process to validate an Entity Statement
End of proposed agenda, floor open to additional topics
No more topics, call adjourned