[Openid-specs-ab] Proposed changes to OPC - _pending states & notifications

Dick Hardt dick.hardt at gmail.com
Wed Oct 1 11:58:31 UTC 2025


Hey

After some experience implementing OPC, Karl and I had a discussion and are
proposing two changes:

1. Temporal states when an async command has been sent. For example, if the
`activate_async` command is sent, and then an `audit` command is sent for the
same account before the activation is complete, the RP would return an
`activate_pending` state.

2. Change how RP state changes and async responses are sent from the RP to
the OP.
- remove callback_tokens and callback_endpoint
- add jwks_uri to RP metadata response. This should be the same jwks_uri
that is returned by the RP in other places -- i.e. these are the client
credentials, and the only type of client credentials supported in OPC.
- define a Notification Token that the RP signs with its keys and sends to
the OP's notification_endpoint.

Feedback / issues welcome!

*html view*
https://openid.github.io/openid-provider-commands/03-notifications-pending.html

*PR with changes:*
https://github.com/openid/openid-provider-commands/pull/31


*Backstory*
A design goal I have for OPC is that it can be adopted by the long tail of
applications such as a WordPress or Drupal site. Minimizing or
eliminating secret management simplifies deployment in the long tail. This
was what motivated the OP to provide callback_tokens. While implementing,
storing these tokens was problematic.

An insight I had was that in single instance servers, a private key does
not need to be managed. The key pair can be generated on start-up and the
public key served by the jwks_uri that is on that server, eliminating
passing a private key to the server, and enabling key rotation by
restarting the server. The jwks_uri for an RP needs to be stable so that
the OP knows where to fetch it when it receives a message.