[Openid-specs-ab] Minutes from 2025-09-04

Aaron Parecki aaron.parecki at okta.com
Thu Sep 4 14:54:49 UTC 2025


OpenID Connect A/B

2025-09-04

* Mike Jones
* Aaron Parecki
* Ethan Hellman
* Frederik Krogsdal Jacobsen
* Brian Campbell
* Dick Hardt
* Andrii Deinega
* Chris Phillips
* Tom Jones

Notetaker: Aaron Parecki

## Notes

https://bitbucket.org/openid/connect/pull-requests/

### Removing reference to discontinued browser API
* https://bitbucket.org/openid/connect/pull-requests/753
* Mike will mark approved, once we have 3 approvals will merge after a week

https://bitbucket.org/openid/connect/issues?status=new&status=open

### Issue 2184
https://bitbucket.org/openid/connect/issues/2184/openid-connect-and-user-session-quotas-at

* Andrii: An RP can indicate to an OP a max number of sessions on the OP
side.
* Mike: It's not clear why the OP needs to know. The RP could decide to
just not allow the login.
* Andrii: The reason to manage at the OP is to let the user and OP manage
this at the OP side.
* Mike: You're asking the OP to do something for the RP that tightly
couples them. This would impose an accounting burden at an OP that there is
no code for right now.
* Chris: Is this more about logout or more about QOS about certain plans
get certain concurrent access?
* Andrii: This is about where we manage session quotas.
* Aaron: Why is there a quota in the first place?
* Andrii: Because some customers want quotas. The customer wants to have
only one session on the RP side. It is about licensing.
* Mike: It's simple to describe, but not simple to get OPs to do it.
* Andrii: There is already `sid`, so the RP understands how many sessions
are at the OP.
* Frederik: Why isn't this just a configuration thing in the OP dashboard,
why does this need to be per request?
* Andrii: I don't own the OP side, I represent the RP.
* Mike: I'm going to call time on this, request that people make comments
on the issue.

### OpenID Connect for Native SSO for Mobile Apps

* George not on the call to discuss next steps

### Metadata Choices

* Mike: PAR explicitly says to use token endpoint authentication methods
supported, and didn't create its own parameter. There seemed to be
consensus in past calls that this is right, we shouldn't add new metadata
for introspection/revocation.
* Mike: New PR #8 that says that:
https://github.com/openid/rp-metadata-choices/pull/8 Request to review.
This let us merge a longstanding PR in Federation.
* Mike: Aaron to review

### Federation Issue #243
https://github.com/openid/federation/issues/243

* Chris: Since it's a trust issue, if you are not able to validate, you
should fail closed.
* Mike: Can you add that to the issue? Will assign to Mike.
* Frederik: He's saying there are validation rules but can't find what to
do if they don't pass.

### Federation Issue #244
https://github.com/openid/federation/issues/244

* Mike: This seems to be reopening a past issue
* Chris: There is conflation between being able to issue, and revoke. Are
you allowed to issue? If you have the private key and can do, then you are
allowed.
* Mike: Can you leave a comment on the issue?

### Federation Issue #245
https://github.com/openid/federation/issues/245

* Mike: Left a comment on the issue

### Key Binding

* Dick: I wrote a comparison and posted to the list
* Mike: What is the status of the draft you compared it to?
* Dick: It's in OpenID Connect, last published May 2023
* Mike: There is some duplication in functionality as Dick confirmed. This
is a simpler approach, the other doesn't seem to have been deployed. The
chairs need to decide whether to declare the other draft no longer active.
There seems to be enough interest to run a call for adoption. Any
disagreements with sending out a call for adoption?
* Brian: Seems like it might be a good idea to coordinate with the authors
of the original work, to understand the rationale behind design decisions
* Mike: I have to assign myself homework as chair now. The WG has an
interest in having a coherent set of specs that fit well together. I will
ask the authors of the other spec what they think the right path forward is
for their spec. For example this uses VC 1.1 which has been replaced by
2.0. We will reconsider the adoption decision in a week.
* Dick: Why not use the call for adoption to drive the discussion?
* Mike: I will ask the authors about the draft on list, the new proposal
would substantively replace what their draft is doing

Closing call 5 minutes early