[Openid-specs-ab] Mtg Notes: Re: Proposed agenda for 12-Jun-25 Connect WG call
chris phillips
cjphillips at gmail.com
Thu Jun 12 19:58:35 UTC 2025
Notes from today's meeting...
Attendees: Andy Barlow, Mike Jones, George Fletcher, Frederik Jacobsen,
Brian Campbell, Chris Phillips, Aaron Parecki, Lukasz Jaromin, Andrii
Deinega
10:05 call to order
10:07 Identiverse debrief from other attendees
- Heavy on AI, and non-human identity
- Delegation of identity to ‘other’ agent (AI) as me
- Dialogue on SPIFFE / WIMSE to do more with tokens was an interesting
  topic that surfaced. (GF)
- Conversations around AI MCP and trust domains and added in delegation
  and delegation chaining and when should it have the delegation be treated
  in the same way. (GF)
- Multiple delegated questions come up, (Brian): some sentiment in the
  field seen/felt that more is needed but not always necessary. Observed that
  not everyone is taking advantage of existing ability/features and unsure
  why people wanted to extend things to OpenID.
10:20:
- Dialogue about things within an enterprise trust domain don’t need much
  more than what exists in the existing specs. There’s a lot of difference of
  opinion on how to handle things across trust domains emerging that would be
  well served to capture the use cases.
Note to all: IETF Madrid submission cutoff for drafts is Monday July 7th.
People should plan to submit earlier, if possible.
MikeJ: Updates are planned for
https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis to further align
with Brian’s presentation at IETF 122 before the IETF submission cut-off.
More notes inline below..
---------- Forwarded message ---------
From: Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Date: Wed, Jun 11, 2025 at 9:24 PM
Subject: [Openid-specs-ab] Proposed agenda for 12-Jun-25 Connect WG call
To: openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Michael Jones <michael_b_jones at hotmail.com>
I propose this agenda for tomorrow’s OpenID Connect working group call to
be held at
https://zoom.us/j/97622169761?pwd=ek5kZUg3QnI1cCt6bTE3QzA3ZVlOQT09.
1. Introductions
2. Antitrust Policy <https://www.openid.net/antitrust> and IPR Agreement
   <https://openid.net/wg/connect/> reminders
3. Events
   1. Identiverse
   2. IETF 123 in Madrid, July 19-25, 2025
      - https://www.ietf.org/meeting/123/
4. Links to Active Specifications
   <https://openid.net/wg/connect/specifications/> and Repositories
   1. OpenID Connect Core incorporating errata 3
      <https://openid.net/specs/openid-connect-core-1_0-36.html> (repository
      <https://bitbucket.org/openid/connect/>)
   2. OpenID Connect Native SSO for Mobile Apps
      <https://openid.net/specs/openid-connect-native-sso-1_0.html>
      (repository <https://bitbucket.org/openid/connect>)
   3. OpenID Federation
      <https://openid.net/specs/openid-federation-1_0.html> (repository
      <https://github.com/openid/federation>)
   4. OpenID Federation Extended Subordinate Listing
      <https://openid.net/specs/openid-federation-extended-listing-1_0.html>
      (repository <https://github.com/openid/federation-extended-listing>)
   5. OpenID Federation Wallet Architectures
      <https://openid.net/specs/openid-federation-wallet-1_0.html>
      (repository <https://github.com/openid/federation-wallet>)
   6. OpenID Connect Relying Party Metadata Choices
      <https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html>
      (repository <https://github.com/openid/rp-metadata-choices>)
   7. OpenID Provider Commands
      <https://openid.net/specs/openid-provider-commands-1_0.html>
      (repository <https://github.com/openid/openid-provider-commands>)
5. OpenID Connect Relying Party Metadata Choices
   <https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html>
   1. In 45-day review for Implementer’s Draft status
   2. https://openid.net/public-review-period-for-proposed-implementers-draft-openid-connect-relying-party-metadata-choices/
10:25: This is in 45-day review status
6. EAP ACR Values
   <https://openid.net/specs/openid-connect-eap-acr-values-1_0.html>
   1. Defines “phr” and “phrh” ACR values and “pop” AMR value
   2. Please vote now at https://openid.net/foundation/members/polls/358
7. OpenID Connect Claims Aggregation
   <https://openid.net/specs/openid-connect-claims-aggregation-1_0.html>
   1. https://openid.net/specs/openid-connect-claims-aggregation-1_0-03.html
      published
   2. Reviews wanted
10:28: call out on reviews for this is invited
8. OpenID Connect Enterprise Extensions
   1. Call for adoption succeeded
   2. Authors were asked to publish working group specification
   3. Repository created at
      https://github.com/openid/connect-enterprise-extensions
9. Other possible new specifications
   1. OpenID Connect Ephemeral Subject Identifier contributed – Nat Sakimura
      - [Openid-specs-ab] Call for Adoption of the OpenID Connect
        Ephemeral Subject Identifier Specification
      - Runs until Thursday, June 19th
      - Please respond on-list
      - Nat wrote about motivations to the list
   2. OpenID Connect with Deferred Token Response – Frederik Krogsdal
      Jacobsen
      - https://fkj.github.io/slides/iiw-oic-dtr-apr-2025.pdf
      - No reviews received thus far
10:30 - call out to this inspired by OpenID4VCI spec, Frederik collecting
more use cases.
Dialogue on what is long delayed login – what is it?
F: as the user you don’t want an account but only to produce identity once.
Brian: use case from Banco Ital Brazil? Ans: yes
Discussion about how things are happening now in other areas - appears to
be use of OpenIDConnect and then things on top of that (behaviours and
patterns that may be useful to emulate)
10. OpenID Connect Native SSO for Mobile Apps
    <https://openid.net/specs/openid-connect-native-sso-1_0.html>
    1. Updates?
10:35: GF: draft 7, would it be useful to put it to implementers draft?
Have tried to summarize ID tokens and how they are used today. High level,
do we want to grant another token for the user and store it in the shared
keychain space and read the id tokens and present an account chooser to
show the user to present account chooser.
If we’re not using the id token for that, we still need something and note
to list was soliciting work on this front and move away from id token usage
to something else and capture subject id etc.
Observation around FedCM and native apps - there’s a lot of stuff around
FedCM but it is browser only and not OS level.
Observations about FedCM: AP’s comments on the flows being very much like an
OpenIDConnect flow to get an authorization or code flow token.
Dialogue on the nuances on the FedCM behaviour and how the account chooser
shows.
Dialogue on how FedCM works with OpenIDConnect, AP has a draft.
https://github.com/aaronpk/oauth-fedcm-profile
GF: Interest/outcome is to answer the question is there (for native SSO for
mobile) a better way to assist the user with sign in.
Mike: Q to the working group: Are people in favor of a working group last
call of 2 weeks prior to implementers draft?
Mike: going to start working group last call for Implementer’s Draft status.
11. OpenID Provider Commands
    <https://openid.net/specs/openid-provider-commands-1_0.html>
    1. Updates?
10:50: Dialogue on the topics and the interest for the RP desiring to
announce what claims are needed. (Andrii) A subject identifier consistency
challenge exists.
AP: observation - subject identifiers are always a pair of subject and OP -
it’s the pair to be unique, concerned there may be a misunderstanding on
the federated identifier and should be treated as an external input and is
more an identifier issue
Dialogue on the notion of how global identifiers and their interplay on
what is intended in this (example: employeeid attested from different OPs
being the same). Guidance is to do it as a different claim and not subject
id.
12. OpenID Federation <https://openid.net/specs/openid-federation-1_0.html>
    1. https://openid.net/specs/openid-federation-1_0-43.html published
       - Incorporates feedback from interop event at SUNET
    2. We’re down to 17 open issues
       - 9 of these propose extension specifications, post-final work, or
         reviewing the text
13. AOB
11:55 MikeJ: any other business?
Chris: I’d like to share some OIDC Federation with MCP
(ModelContextProtocol) work I’ve been doing and invite feedback and
comments/sentiments.
A walk through video is online here:
https://youtu.be/Fkz092nQJwY?si=wyjZpQhiydlDvQYs
The dialogue today on Identiverse topics around AI needs/wants, and what
exists already in the standards highlights (to me) why I’ve been working on
it and welcome feedback on and off list.
___________________________________________________________________________________________
chris at chrisphillips.ca | https://www.linkedin.com/in/chris-phillips-cidpro/