[Openid-specs-ab] [E] Next steps for the Native SSO for Mobile Apps specification

[Naveen CM]

We’ve already implemented this and have been running it successfully for
several years. I vote for Option 1, though we’re open to Option 2 if it
offers significant advantages over the current draft.

On Thu, Oct 30, 2025 at 10:47 AM george--- via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi,
>
> We briefly discussed the Native SSO for Mobile Apps specification today as
> part of the OpenID Connect working group call. The vote for 2nd
> implementors draft completed successfully so this email is about where we
> go from here.
>
> One objection was raised, during the working group call, to moving the
> spec forward (more details in the minutes of today’s meeting) and if I
> understand the objection correctly, it applies to the entire concept of the
> spec not just a specific implementation aspect of it. In other words, the
> objector doesn’t believe that the OpenID Foundation should publish any
> document in this area. I appreciate the forthrightness and clarity of the
> objection.
>
> On the other hand, multiple IDP SaaS vendors and relying parties have
> found the specification useful and have implemented it.
>
> So, I’d appreciate feedback on next steps. I see a couple of options.
> 1. Take the current 2nd implementors draft to final
> 2. Work on significant updates to the current draft changing the way it
> leverages id_tokens and potentially adding sender-constrained aspects to
> the protocol. This would be a breaking change to the current spec.
> 3. Discard the specification completely
>
> Personally, albeit I’m biased, and given that multiple parties have
> implemented the specification, I believe it has value for our industry.
> Being passed as a specification does not require any IDP or vendor to
> implement the spec but it does provide at least one way to provide this
> functionality. There may be other and better ways of doing so but none have
> been brought forward and I believe that helping developers do something
> sound is important (rather than the foundation being silent).
>
> Therefore, my proposal is to tackle option 2 if there is sufficient
> interest from the community to do the work. Otherwise, my proposal will
> lean toward option 1.
>
> Thanks,
>
> George Fletcher
> Identity Standards Architect
> Practical Identity LLC
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
>
> https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!Op6eflyXZCqGR5I!E4B1U8Qee1Med6Eufb01hu6tsCjJuevl0J2eqv0-npOQYOWsdjutdplOZMd-D010uVzJOFOBLumn9FHDq8Ayh69zk7qjeFo$
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20251030/d4cf8ea2/attachment.htm>