[Openid-specs-ab] Spec call notes 24-Nov-14

Nat Sakimura sakimura at gmail.com
Mon Nov 24 23:58:47 UTC 2014


=================================================
OpenID AB/C WG Meeting Notes (2014-11-24)
=================================================

Date: 2014-11-24T23:00:00Z
Attending: John Bradley, Nat Sakimura, Edmund Jay, Mike Jones

I. Questions raised in the list
===================================

1. id_token_hint re-encryption
-------------------------------
Roland asked where to find the algs and keys for re-encrypting the id_token.
The correct ones are request_object_encryption_alg_values_supported and
request_object_encryption_enc_values_supported.

The attending members agreed that we should publish a WG note on it.


2. id_token_hint and audience
------------------------------
Roland also asked whether the party who is using the id_token as
id_token_hint needs to be in the 'aud' claim.
The answer is 'YES'.

The party sending 'id_token_hint' must be included in the audience (aud) of
'id_token'.

The attending members agreed that we should publish a WG note on it.

3. impersonation use case
-------------------------------
Vladimir asked whether the OP can issue a token to a person who is acting as
another user, impersonating the user.
From the protocol level, there is nothing preventing it. It is up to the
OP's policy.
If we need a chain of delegation, we need something like what is being
discussed at the OAuth WG at IETF.

II. Other questions
===========================

GET based logout
------------------
Mike indicated that he intends to write a draft on GET based front channel
logout spec.
(e.g., <img src=""> or hidden iframe).

It was pointed out that it is only iffy since users tend to close the
window before everything completes loading.

The WG also talked briefly about the status of session management; we need
to check the progress.

Migration implementation
--------------------------
Mike wanted to know the progress of implementation of the migration spec.
Need to check them with potential deployers.


III. Self-certification Update
================================
Mike reported some progress on the self-certification.

Roland and the team are almost done with writing the test to test the OP
features.
Symantec promised to have the machine by the end of the month.
Once that's done and the tests are deployed on it, we will ask the parties
to test drive them.

Team will move to RP test then.


---
Nat Sakimura
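
The audience rule from item I.2, as an added example that is not part of the original notes or any WG text: an OP-side check that the client presenting id_token_hint appears in the token's aud (single string or array). It assumes the hint has already been decrypted, uses HS256 with a constructed key only to stay self-contained, leaves expiry policy out, and all names and URLs are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Build a compact HS256 JWS so the example has a constructed input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def check_id_token_hint(hint, requesting_client_id, issuer, key):
    """Return the claims if this OP issued the hint and the requesting
    client is in its audience; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = hint.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # bad part count, base64, UTF-8 or JSON
        raise ValueError("malformed id_token_hint") from exc
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise ValueError("hint was not issued by this OP")
    # aud may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if requesting_client_id not in audiences:
        raise ValueError("requesting client is not in aud")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    hint = sign_hs256({"iss": "https://op.example", "sub": "u1",
                       "aud": ["client-a", "client-b"]}, key)
    print(check_id_token_hint(hint, "client-a", "https://op.example", key))
```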