[Openid-specs-ab] Spec call notes 10-Nov-11

Mike Jones Michael.Jones at microsoft.com
Fri Nov 11 00:06:15 UTC 2011


Spec call notes 10-Nov-11

Mike Jones
Edmund Jay
Nat Sakimura
Tony Nadalin

Agenda:
               Editing status
               Open Issues
               Potential Design Changes

Editing Status:
               2 more changes with only local impact
               A few global changes remaining (mostly keyword spelling)
               Mike still needs to go through Yaron's comments to file issues
                              We can discuss these issues on Monday

Open Issues:
               #283: Basic - 4. What are "User Info Endpoint Servers" ?
                              Delete space in "User Info" - Mike

               #232 Client sends a request to the Authorization Server (Editorial)
                              Nat will add explanation that not always a redirect

               #222: Registration 4.1. js_origin_uri needs documentation (Normative)
                              Waiting on Breno - will probably stay open at Implementer's Draft time

               #281: Obtaining claims without requiring additional round trips
                              Mike needs to follow up with Yaron about how he wants this to happen

Potential Design Changes:
               Specify that the id_token token type is JWT in Basic
                              Consensus to do so
                              Be clear that Basic implementations MAY do crypto themselves
                                             Reference Standard for how to do this
                              Mike will make that change

               Should the audience of the Access and ID tokens be the resources, not the client?
                              Because it is the endpoints making resource access decisions, not the client
                              Mike will file an issue, send to mailing list
                              We should bring to John's and Breno's (or Naveen's) attention

                              Currently the audience of the id_token is the client
                              Currently there is no audience specified for the access token

                              This may make sense for the id_token, since the client can retrieve the claims
                              The Check ID endpoint needs to preserve the audience when it sends back the claims

                              Doesn't make sense for the Access Token
                                             (unless #281 is adopted, but this might no longer be an Access Token then)

               We need to add an audience to the access token of the resource server
                              Mike will file issue
                              Mike will say that will be done unless security arguments on why it's not necessary are convincing
                              Use SHOULD or STRONGLY RECOMMENDED language
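
The audience discussion above is the security-relevant point of these notes: an id_token whose `aud` is the client can only be consumed by that client, and an access token with no audience can be presented to any resource server that trusts the issuer. The following is an added example, not code from the call notes or from the OpenID working group, showing a minimal HS256 JWT issuer and a verifier that enforces signature, expiry and audience. All names (`CLIENT_ID`, `RESOURCE_A`, `RESOURCE_B`, the key, the issuer URL) are constructed for the example; the treatment of `aud` as either a string or a list follows the general JWT convention and is an assumption about how the audience claim would be encoded.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (not from the call notes).
CLIENT_ID = "client.example"
RESOURCE_A = "https://api-a.example"
RESOURCE_B = "https://api-b.example"
ISSUER = "https://op.example"
ISSUER_KEY = b"constructed-demo-hmac-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as compact JWT serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Toy issuer: emit a compact JWT signed with HS256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Verifier for a party identified by expected_aud (a client or a resource server).

    Checks signature, expiry and that expected_aud is among the token's audiences.
    Raises ValueError on any failure; returns the claims on success.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a verifier does not leak signature bytes via timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    aud = claims.get("aud")
    if aud is None:
        # An unaudienced token is accepted by every verifier that trusts the issuer,
        # which is exactly the problem the notes raise for the access token.
        raise ValueError("missing aud")
    audiences = aud if isinstance(aud, list) else [aud]  # assumption: string or list
    if expected_aud not in audiences:
        raise ValueError(f"audience mismatch: {audiences} does not include {expected_aud}")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Show how audience restriction changes where each token is accepted."""
    id_token = mint_token({"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID, "exp": now + 300})
    access_no_aud = mint_token({"iss": ISSUER, "sub": "user-1", "scope": "profile", "exp": now + 300})
    access_for_a = mint_token({"iss": ISSUER, "sub": "user-1", "aud": RESOURCE_A, "exp": now + 300})

    def outcome(token: str, verifier_aud: str) -> str:
        try:
            verify_token(token, verifier_aud, now=now)
            return "accepted"
        except ValueError as exc:
            return f"rejected: {exc}"

    return {
        "id_token at client": outcome(id_token, CLIENT_ID),
        "id_token at resource A": outcome(id_token, RESOURCE_A),
        "unaudienced access token at resource A": outcome(access_no_aud, RESOURCE_A),
        "access token for A at resource A": outcome(access_for_a, RESOURCE_A),
        "access token for A at resource B": outcome(access_for_a, RESOURCE_B),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running `demo()` shows the two behaviours the notes contrast: the client-audienced id_token is accepted only by the client, while the access token is accepted everywhere until it carries the resource server's audience, after which resource B rejects a token minted for resource A. A verifier that treats a missing `aud` as a hard failure, as this one does, is the detection side of the SHOULD / STRONGLY RECOMMENDED language proposed above.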