[Openid-specs-ab] Spec call notes 23-May-11

Mike Jones Michael.Jones at microsoft.com
Tue May 24 00:24:39 UTC 2011

Paul Tarjan
Breno de Medeiros
Marius Scurtescu
Andrew Wansley
John Bradley
Mike Jones
David Recordon

We started the call late because the OAuth working group meeting had just finished.  All the open OAuth issues were discussed and either resolved or action items were assigned to resolve them.  All but John met in person at Facebook.  Facebook plans to publish this as an OAuth extension.

Paul wants to ship these soon:
               display=always, which always forces a user dialog,
               display=none, in which there is no user dialog, and user state is sent to the redirect URI in the fragment
               user state can be one of {authorized, unauthorized, unknown}

Breno will write up a response_type=none OAuth extension, which just redirects to the redirect URI without credentials.

Marius wondered if the result should be an error, not a special result.
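As an added illustration of the two proposals above (this is not code from the notes, from Facebook or from Breno's write-up), the following Python shows what a client would do with them: a silent check request that combines display=none with response_type=none, an interactive request with display=always, and a parser for the fragment that comes back on the redirect URI. The fragment parameter name user_state, the use of the standard OAuth 2.0 state parameter as a CSRF nonce, and the mapping from a user state to the client's next step are all assumptions made for the example; the notes only say that the state is one of authorized, unauthorized or unknown and is carried in the fragment. Sample URLs are constructed.

```python
from enum import Enum
from urllib.parse import parse_qs, urlencode, urlsplit


class UserState(Enum):
    """The three user states the notes list for a display=none response."""
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"
    UNKNOWN = "unknown"


def build_state_check_url(authz_endpoint, client_id, redirect_uri, state):
    """Silent check: display=none suppresses the dialog and response_type=none
    asks for a plain redirect with no credentials. 'state' is the client's own
    CSRF nonce (standard OAuth 2.0, assumed here rather than taken from the notes)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "none",
        "display": "none",
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def build_dialog_url(authz_endpoint, client_id, redirect_uri, state):
    """Interactive request: display=always forces the user dialog. The
    response_type here is the ordinary 'code', not part of the extension."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "display": "always",
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_state_callback(callback_url, expected_redirect_uri, expected_state):
    """Parse the fragment of the redirect and return a UserState.

    The fragment parameter name 'user_state' is an assumption. Anything the
    client does not recognise maps to UNKNOWN; a callback that lands on the
    wrong URI, carries a foreign 'state', or carries credentials despite
    response_type=none is rejected rather than interpreted."""
    parts = urlsplit(callback_url)
    target = parts._replace(query="", fragment="").geturl()
    if target != expected_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect URI")
    fragment = parse_qs(parts.fragment, keep_blank_values=True)
    query = parse_qs(parts.query, keep_blank_values=True)
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response to our request")
    for name in ("access_token", "code", "id_token"):
        if name in fragment or name in query:
            raise ValueError(f"unexpected {name} in a response_type=none callback")
    raw = fragment.get("user_state", [""])[0]
    try:
        return UserState(raw)
    except ValueError:
        return UserState.UNKNOWN


def next_step(state):
    """Client policy (an assumption, not from the notes): only a user already
    known to be authorized is sent through the normal flow without a prompt;
    unauthorized and unknown users get the display=always dialog."""
    if state is UserState.AUTHORIZED:
        return "proceed_without_dialog"
    return "show_dialog"
```

The credential check matters because a redirect that arrives with an access_token in the fragment is not the response the client asked for; treating it as a state answer would silently widen a "no credentials" flow into an implicit grant.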

Facebook has two endpoints:  a userinfo endpoint and an access token inspection endpoint.

Paul wants the token validation endpoint to also be able to accept an access token, returning the access token as a result.  Facebook doesn't currently send an id_token.  Breno believes this optimization is necessary.  Interop could be achieved by calling the endpoint to get the token that way.

Breno discussed having a static endpoint containing public keys to enable dynamic client registration.

For anti-spam purposes, Paul doesn't want dynamic apps to be easily created and become spam sources.  Breno and John discussed that support for dynamic clients can be optional in the spec.  We all agreed that the method for dynamic registration is necessary for an OpenID spec.  This work is being deferred until later in the process when the problem is better understood.

David questioned the adoption of Portable Contacts schemas because it's not like what Facebook and Live are doing.  Breno asked for a concrete counter-proposal.  Mike emphasized that the primary decision was not to create a new schema.  Breno said that a schema identifier could be passed to the userinfo endpoint to select between data representations.  Paul likes format=OpenID when querying the userinfo endpoint.

Facebook is using their signed request format documented at http://developers.facebook.com/docs/authentication/signed_request/ rather than JWTs at present.  They're worried about the switching cost.
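As an added illustration of what that switching cost consists of (example code, not from the notes, from Facebook or from any JWT library), the following Python verifies both formats side by side. The signed_request layout follows the linked documentation as it stood at the time: base64url(signature), a dot, base64url(JSON payload), with the HMAC-SHA256 computed using the app secret over the encoded payload string and the algorithm named inside the payload. The JWT side is the JWS compact serialization with HS256: three base64url segments, the algorithm declared in a separate header, and the MAC covering header and payload joined by a dot. Sample payloads, claims and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # both formats strip '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


# --- Facebook signed_request: <base64url(sig)>.<base64url(JSON payload)> ---
# The MAC is computed with the app secret over the *encoded* payload string,
# and the algorithm name lives inside the payload itself.

def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request (used here to produce test input)."""
    body = b64url_encode(_json(dict(payload, algorithm="HMAC-SHA256")))
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"


def verify_signed_request(signed_request: str, app_secret: str) -> dict:
    sig_b64, _, body = signed_request.partition(".")
    if not sig_b64 or not body:
        raise ValueError("malformed signed_request")
    expected = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    # constant-time comparison, and check the MAC before trusting the payload
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("signed_request signature mismatch")
    payload = json.loads(b64url_decode(body))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm in signed_request")
    return payload


# --- JWT (JWS compact serialization): <header>.<payload>.<sig>, all base64url ---
# The algorithm is declared in a separate header, and the MAC covers the
# encoded header and payload joined by '.'.

def make_jwt_hs256(claims: dict, key: bytes) -> str:
    header = b64url_encode(_json({"typ": "JWT", "alg": "HS256"}))
    body = b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt_hs256(token: str, key: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # pin the algorithm the verifier expects; never let the token choose it
    # (this is what rejects 'none' and other downgrade attempts)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWT header")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("JWT signature mismatch")
    return json.loads(b64url_decode(body_b64))
```

The cryptography is the same HMAC-SHA256 in both cases; what changes is the framing (two segments versus three, MAC over the payload versus over header and payload) and where the algorithm identifier lives, which is exactly the part a verifier must pin rather than read from the token.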

                                                            -- Mike
