[Openid-specs-ab] Spec call notes 3-Sep-15

Nat Sakimura sakimura at gmail.com
Thu Sep 3 15:25:55 UTC 2015


For the Tokyo workshop CfP, an official translation can be found at:
https://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871

There will be an openid.or.jp hosted version of the English site as well
eventually.

2015-09-04 0:02 GMT+09:00 Mike Jones <Michael.Jones at microsoft.com>:

> Spec call notes 3-Sep-15
>
> Mike Jones
> Nat Sakimura
> Brian Campbell
> John Bradley
> Nov Matake
>
> Agenda
>   - Logout
>   - New Issues
>   - Workshop before IIW
>   - Tokyo workshop after IETF 94 Yokohama
>   - Certification
>
> Logout
>   - Nat reported some parties may use SAML because OpenID Connect doesn't have a ratified logout spec
>   - He also said that some enterprise people are inventing home-grown logout specs
>       - Shipping is a feature as well
>   - We still need interop testing on the HTTP-based logout
>   - The back channel logout spec doesn't yet exist
>       - Nat said that some people apparently are using extensions to SCIM for back channel logout
>       - He will try to find references to what those people are doing
>       - Mike expressed that requiring SCIM to do logout seems like unnecessary complexity
>   - For the back channel logout, the OP would send a message to the RP containing the session ID
>       - There could be an ID Token authenticating the sender
>       - Some will want to log out a particular session - others will want to log out all sessions
>   - Back channel logout could be broadly construed - for instance terminating refresh tokens
>   - Nat raised the point about sometimes-connected clients
>   - Nat said that some parties are interested in receiving logout acknowledgements
>   - John said that having some concrete use cases might help
>   - Brian stated that expectations for logout appear to differ dramatically
>   - In theory, PingFederate supports back-channel logout for SAML
>       - But ~90% of integrations don't include the necessary RP support for this
>   - Mobile apps make things even harder
>       - What is the desired behavior for a mobile app?
>   - We can probably say something meaningful for interactive sessions
>       - Mobile applications require the back-channel logout
>   - Things that could be logged out/revoked include:
>       - interactive sessions
>       - immediate access and refresh tokens
>       - cascaded token revocations
>       - native app logins
>   - There could be some kind of an ack back to the server for destroyed objects
>       - Callbacks? This could be a scalability issue.
>       - Callbacks probably should be their own spec, if we ever do it
>   - Brian - implementing SAML logout is really hard and all the options only make it harder!
>
> New Issues
>   - #980 - Where else do we need to specify the use of CORS support?
>       - Brian: Discovery, JWKs endpoint
>       - John: Authorization endpoint - Mike: You're redirecting there so you don't need CORS
>       - John: You may or may not want registration to be open
>           - The origin can do direct calls to the dynamic client registration endpoint
>           - If you want different client IDs for each JavaScript client instance, CORS would have to be supported
>       - Nat: Everything discovery related - including .well-known endpoints
>       - It would be deployment policy about whether registration supports CORS
>       - Mike will add a comment to the bug and will point people to the bug on e-mail
>
> Workshop before IIW
>   http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366
>   - Mike told Don to remove Nat from the agenda
>   - Mike will ask Don what "HMG Cabinet Office Chairs" means for HEART, and if it's correct
>
> Tokyo workshop after IETF 94 Yokohama
>   http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871
>   - Registration is not yet open for that, but there will be an English registration page
>   - Nat translated the Japanese event page to English at http://j.mp/cfp_oid15
>   - Session proposals are due by the end of the month but should be sent earlier
>   - John will cover RISC with help from Adam
>
> Certification
>   - Roland is back from vacation and actively fixing stuff


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
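The back-channel logout sketch in the notes (OP sends the RP a message naming the session, the sender is authenticated by a signed token, and the RP may end one session or all of the subject's sessions) worked through as an added example; this is illustrative code written for this page, not the working group's spec, and it assumes a constructed shared HMAC secret, a hypothetical `sid` claim and a plain dict as the RP's session store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example). A real deployment
# would verify against the OP's published signing keys, not a shared secret.
OP_ISSUER = "https://op.example"
RP_CLIENT_ID = "rp-client-123"
SHARED_SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_logout_message(sub, sid=None, now=None):
    """OP side: sign a short-lived message naming the subject and, optionally, one session."""
    now = int(now if now is not None else time.time())
    claims = {"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "iat": now, "exp": now + 120, "sub": sub}
    if sid is not None:
        claims["sid"] = sid  # hypothetical session-id claim
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_logout_message(token, now=None):
    """RP side: authenticate the sender (signature) and check issuer, audience and expiry."""
    now = int(now if now is not None else time.time())
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject 'none' and algorithm substitution
    expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < now:
        raise ValueError("expired")
    return claims


def apply_logout(sessions, claims):
    """End one session when 'sid' is present, else every session of the subject.
    sessions maps sid -> {"sub": ...}; returns the list of terminated sids."""
    if "sid" in claims:
        doomed = [s for s in sessions if s == claims["sid"] and sessions[s]["sub"] == claims["sub"]]
    else:
        doomed = [s for s in sessions if sessions[s]["sub"] == claims["sub"]]
    for s in doomed:
        del sessions[s]
    return doomed
```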