[Openid-specs-ab] WG Meeting Notes 30th October 2025

Andy Barlow 0xandybarlow at gmail.com
Fri Oct 31 00:16:00 UTC 2025


Hey all, please find meeting notes below.
Apologies if I missed anything you wanted recorded, I have tried to keep it
high level but with the context needed for action items to keep things
moving forward.
Thanks,
Andy

*OpenID AB Working Group - Meeting Notes - 30th October 2025*

*Attendees:*

   - Chris
   - Michael Jones
   - Frederik Krogsdal Jacobsen
   - George Fletcher
   - David Waite
   - Filip Skokan
   - Brian Campbell
   - Lukasz Jaromin

*Admin Note:* George Fletcher took over as chair mid-call as Michael Jones
had to drop for another call due to European timezone changes.


*Events and Community Updates*

   - IIW41 (Last Week)
      - Good feedback from attendees: seen as a valuable "incubator" for
      connection and insight.
      - Proximity to AI contributors was invaluable.
      - Top topics were AI, VC/VP, and Privacy.
      - Frederik and George noted Justin Richer’s client ID session was
      thought-provoking.
      - Two community gaps were identified: (1) We are still lacking
      in delegation authorization, and (2) consent models need a
      rewrite for new trust domain boundaries.
   - IETF 124 (Next Week)
      - Takes place November 1-7 in Montreal.
      - Several working group members will be attending, both in-person and
      remotely.

*Specification Discussions*

   - *OpenID Connect Native SSO for Mobile Apps*
      - The Second Implementer’s Draft (ID2) is approved and published:
         - https://openid.net/specs/openid-connect-native-sso-1_0-ID2.html
      - Next Steps: George will post one more note to the list asking for
      any final objections or significant modifications before suggesting it
      begins the process to Final. He noted it's already in use, and he has no
      problem obsoleting it later if something better comes along.
      - Brian Campbell raised strong concerns and proposed the draft be
      discontinued. He believes the problem is already solvable, and this
      solution is a detriment to the wider community.
   - *OpenID Federation*
      - This item was skipped as Michael Jones had to leave, but Mike noted
      that there has been good feedback and iteration on the open issues,
      specifically mentioning the PR related to entity statement claims.
   - *Key Binding Spec*
      - Frederik Jacobsen kicked off the discussion, asking for more
      defined use cases and details.
      - *ID Token Usage:* A key topic was clarifying that the id_token is
      for internal/controlled Relying Party (RP) use only.
      - *"What is an RP?" Session:* Frederik summarized his IIW session on
      this.
         - No firm conclusion was reached due to the many different
         interpretations of the "RP" concept.
         - However, there seemed to be a strong consensus that the pattern
         of using an id_token at other RPs is not good practice.
         - The spec should be updated to enumerate *why* this pattern is
         discouraged.
      - *IDP Use Case Discussion:*
         - A use case for large, centralized IDPs was raised.
         - George Fletcher questioned if this is any better than
         the Identity Assertion JWT Authorization Grant spec, noting
         the "same RP" model forces a lot of infrastructure to be
         considered the 'same'.
         - Brian Campbell noted that the Identity Assertion JWT
         Authorization Grant is designed for cross-domain use.
         - George's summary question: *"Is it ok to squint and say my IDP
         is one large RP or not?"* The spec needs to clarify this.
      - *Action:* Any issues are encouraged to be submitted on the GitHub
      repo for tracking and helping the authors address any concerns.
   - *Repository & Issue Management*
      - There was some confusion about the Key Binding spec's repo status.
      - It's believed the repo was recreated, and issues from the old repo
      were not migrated.
      - Frederik noted he has moved his open issues on the old, archived
      repository to the new one.

*General Best Practices and Ecosystem discussion*

   - Chris raised a question about how developers ("mere mortals") are
   supposed to discover best practices for implementing the various OpenID
   specs.
   - An idea was floated that the OpenID Foundation might benefit from
   something similar to the IETF's Best Current Practices (BCPs) documents.
   - The Ecosystem WG is working on reference architectures, but this has a
   narrower scope (profiling standards for specific use cases).

*Action Items*

   1. *George Fletcher:* To publish a note to the mailing list asking for
   final objections/feedback on the Native SSO spec before it moves along the
   process.
   2. *Frederik Jacobsen:* To file an issue on the Key Binding spec repo,
   capturing the feedback and consensus from his IIW session
   regarding id_token use.
   3. The group should clarify if it needs to move missing issues from the
   old Key Binding repo to the new one.
   4. Next Call: The call ended, with the plan to resume the agenda on
   Monday.