[Openid-specs-ab] Meeting notes: Re: Proposed agenda for 29-May-25 Connect WG call
chris phillips
cjphillips at gmail.com
Thu May 29 16:34:51 UTC 2025
Here are today's meeting notes.
Chris.
Attendees: Mike Jones, Chris Phillips, Andy Barlow, Joe DeCock, Brian
Campbell, Filip Skokan, Dick Hardt
10:06: Call to order MJ
- Andy discussion around presenting at Identiverse about being an identity practitioner and having to implement and read spec
- GeorgeF’s presenting as well (missed the abstract apologies GF!)
Notes in line
--------- Forwarded message ---------
From: Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Date: Thu, May 29, 2025 at 8:00 AM
Subject: [Openid-specs-ab] Proposed agenda for 29-May-25 Connect WG call
To: openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
Cc: Michael Jones <michael_b_jones at hotmail.com>
I propose this agenda for the upcoming OpenID Connect working group call to
be held at
https://zoom.us/j/97622169761?pwd=ek5kZUg3QnI1cCt6bTE3QzA3ZVlOQT09.
1. Introductions
2. Antitrust Policy <https://www.openid.net/antitrust> and IPR Agreement <https://openid.net/wg/connect/> reminders
3. Events
   1. IETF 123 in Madrid, July 19-25, 2025
      - https://www.ietf.org/meeting/123/
10:10: MJ - Fully-Specified Algorithms have made it in
10:12: Filip S: latest chromium (137) should have the latest algorithms shipping (sans flags I think was mentioned)
- Available in TLS layer, but now are available in the browser in WebCrypto
4. Links to Active Specifications <https://openid.net/wg/connect/specifications/> and Repositories
   1. OpenID Connect Core incorporating errata 3 <https://openid.net/specs/openid-connect-core-1_0-36.html> (repository <https://bitbucket.org/openid/connect/>)
   2. OpenID Connect Native SSO for Mobile Apps <https://openid.net/specs/openid-connect-native-sso-1_0.html> (repository <https://bitbucket.org/openid/connect>)
   3. OpenID Federation <https://openid.net/specs/openid-federation-1_0.html> (repository <https://github.com/openid/federation>)
   4. OpenID Federation Extended Subordinate Listing <https://openid.net/specs/openid-federation-extended-listing-1_0.html> (repository <https://github.com/openid/federation-extended-listing>)
   5. OpenID Federation Wallet Architectures <https://openid.net/specs/openid-federation-wallet-1_0.html> (repository <https://github.com/openid/federation-wallet>)
   6. OpenID Connect Relying Party Metadata Choices <https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html> (repository <https://github.com/openid/rp-metadata-choices>)
   7. OpenID Provider Commands <https://openid.net/specs/openid-provider-commands-1_0.html> (repository <https://github.com/openid/openid-provider-commands>)
5. OpenID Connect Core published as an ITU standard
   1. https://openid.net/a-new-itu-t-standard-ushers-in-a-new-era-for-openid/
10:15 Dialogue on the openid.net post
6. OpenID Connect Relying Party Metadata Choices <https://openid.net/specs/openid-connect-rp-metadata-choices-1_0.html>
   1. In 45-day review for Implementer’s Draft status
7. EAP ACR Values <https://openid.net/specs/openid-connect-eap-acr-values-1_0.html>
   1. Defines “phr” and “phrh” ACR values and “pop” AMR value
   2. In 60-day review for Final status
   3. Vote to start on Monday
10:17 WG almost done, wrapping up soon.
Touch base only items 8 - 10
8. Fully-Specified Algorithms for JOSE and COSE
   1. https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/
   2. In the RFC Editor Queue
   3. Algorithm registrations in place in IANA registries
      - https://www.iana.org/assignments/jose/jose.xhtml
      - https://www.iana.org/assignments/cose/cose.xhtml
9. OpenID Connect Claims Aggregation <https://openid.net/specs/openid-connect-claims-aggregation-1_0.html>
   1. Needs History entries to be added
   2. And perform spec content checks per https://github.com/openid/publication/blob/main/README.md
   3. Then time to publish -03 to openid.net/specs/
10. OpenID Connect Enterprise Extensions Contribution
   1. Intended to be supportive of IPSIE, OP Commands work
   2. Call for adoption runs until Thursday, June 5th
11. Other possible new drafts
   1. OpenID Connect Ephemeral Subject Identifier contributed – Nat Sakimura
      - https://lists.openid.net/pipermail/openid-specs-ab/2025-April/010728.html
      - Any objections to starting a call for adoption?
10:20 Query on any objections for this to proceed – none mentioned, MJ to proceed on it.
   2. OpenID Connect with Deferred Token Response – Frederik Krogsdal Jacobsen
      - https://fkj.github.io/slides/iiw-oic-dtr-apr-2025.pdf
      - Reviews wanted
10:20 Dialogue deferred token response, but not a lot of feedback, call for review and comments on list.
12. OpenID Provider Commands <https://openid.net/specs/openid-provider-commands-1_0.html>
   1. Updates?
10:23: DickH discussion on the following
- https://openid.net/specs/openid-provider-commands-1_0.html
- Dialogue on the open issue of using sub for an identifier for one of the commands.
- Dick GeorgeF re: https://github.com/openid/openid-provider-commands/issues/17
- If we need other values than the sub (email etc) then are we breaking the model?
- GeorgeF: proposing to use the set identifier.
- Dick: not just signing, but what kind of claims are the OP commands
- GF: If it’s going to have its own type string, it may be adding complexity covering the needed aspects from the sub (paraphrased by scribe, see issue)
- GF: can we reduce the cognitive complexity for the JWT and use a slightly different library for it and use a slightly different claim.
- Dick: when the claims about the user for the OP action command would be the same and would be a different id token for the command
- Observation from GF: if the subj id value is identical and in the sub claim, then that’s fine (paraphrased)
- Dick: it’s always the same sub, which may clarify GF’s concerns.
- Dick: it may be more on the constraints
- Observations/consensus: more clarity may be needed in the original posting and seeking more info from Andrii to understand concrete use cases.
What will happen to OP commands if enterprise extensions are accepted → needs review for accuracy DH: The normative text will be replaced in the enterprise claims
GF: it may need some concrete examples to illustrate its use and mapping around tenants and the context.
Exemplar offered: MSFT tenants
DH: google is a better example
- Includes a tenant identifier
- 1 issuer, multiple tenants
- Use the HD claim for the tenant
- While the sub is unique globally across google you want to know which org the user belongs to which translates to the tenant
- The RP knows which organization the user belongs to and can process the request based off the organization
- E.g. enterprise can say anyone can sign into the app
- Due to membership in the organization
10:36: Filip S: dialogue on how this may be upside down compared to google (at least in Auth0’s and Filip’s experience).
Observations: GF suggests we need more discussion and mapping what was meant by tenant.
JoeD: observations from local team what is a domain hint or tenant is not quite clear, welcomes more detail
DH: great example
DH: why have sub AND email when email is not permanent, the tenant id is like the sub that is permanent and abstracts away from the domain hint.
JoeD: ingesting the answer: can see the flexibility when having just the domain, and no sub.
DH: all account commands have a sub id. A deeper explanation was offered as an explainer.
Group dialogue on how to have more context along with diagrams to offer more depth and understanding and highlight the differences or needed libraries for where things are consumed and worked on.
DH:
GF: it’s the responsibility of the claim consumers that they match otherwise they are different.
DH: good call out on this aspect.
Context in enterprise extensions are not in the OP commands (? did I get that right?) so there’s a gap or improvement.
Action Dick 10:54: capture Joe’s what’s the difference from the HD claim and the tenant claim
- Domain hint and tenant parameters intent/function
13. OpenID Connect Native SSO for Mobile Apps <https://openid.net/specs/openid-connect-native-sso-1_0.html>
   1. Updates?
10:55: GF updated on removing the id token dependency and to email the list about it:
- Authlete has implemented the current version and is out in the wild. Implications?
- Connect2Id also implemented as is and supportive of refactoring (per MJ)
- GF email to the list
14. OpenID Federation <https://openid.net/specs/openid-federation-1_0.html>
   1. We’re down to 16 open issues, 7 of which require actions to finish the spec
      - (The other 9 propose extension specifications, post-final work, or reviewing the text)
      - There are PRs for 2 of the issues
10:57: MJ - interop event in person helped accelerate issues being resolved.
15. AOB
Chris.
___________________________________________________________________________________________
chris at chrisphillips.ca | https://www.linkedin.com/in/chris-phillips-cidpro/