[Openid-specs-ab] Spec Call Notes 18-Jun-20

Mike Jones Michael.Jones at microsoft.com
Thu Jun 18 15:54:51 UTC 2020


Correction - Filip Skokan was not present on the call.

                                                       -- Mike

From: Mike Jones
Sent: Thursday, June 18, 2020 8:49 AM
To: 'openid-specs-ab at lists.openid.net' <openid-specs-ab at lists.openid.net>
Subject: Spec Call Notes 18-Jun-20

Spec Call Notes 18-Jun-20

Mike Jones
Tim Cappalli
Tom Jones
Brian Campbell
Bjorn Hjelm
Joseph Heenan

App2App Certification
              Described at https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/
              Certification for App2App pattern with FAPI being launched
              Mainly for UK banking apps at present
              Joseph described that the app claims the authorization endpoint's URL
                           OpenID Connect flows then open the local application
              For instance, could be used with FaceID
                           Increases success rate
              Relevant in banking use cases where you are authorizing a payment
              This is the same pattern as the mobile applications BCP [RFC 8252]
              To certify, run your application on Web, iOS, and Android
              There are no new specs for this
                           It just uses existing specs in a mobile context
              Joseph wants to know whether people have done this with pure OpenID Connect, rather than FAPI
                           OpenID Connect implementations tend to use long-lived SSO sessions instead
              Joseph will be presenting on this at Identiverse and the OAuth Security Workshop
                           https://identiverse.com/detailed-agenda/#session=app2app-improving-the-third-party-authorization-user-experience-on-mobile
                           https://barcamptools.eu/oauth-security-workshop-2020/events/0d0423b6-5924-4e6f-8b3b-63edbbe0ae59#sessions

OAuth JAR
              Nat sent the reply to Brock Allen
              Per issue #1171, Nat still needs to add require_signed_request_object
              Then he will ask area director Ben Kaduk to advance the spec

Event Announcements
              Nat is organizing a virtual meeting for Self-Issued Identity Provider implementations
                           Register at https://www.eventbrite.com/e/siop-virtual-meetup-tickets-109986695166
                           7:00 AM - 9:00 AM Pacific Time June 25
                           General admission is already sold out
                           There are more slots for OIDF members
                           OIDF members with general admission tickets are encouraged to cancel them and register as OIDF members
              OIDF is organizing an OpenID workshop during the virtual OAuth Security Workshop
                           https://barcamptools.eu/oauth-security-workshop-2020/events
                           This will be July 21
                           Joseph will be talking about certification tools
                           Nat may be talking about FAPI
                           Contact Don Thibeau for details

Certification
              The migration from the Python suite to the Java suite is in progress
                           See https://openid.net/certification/migration/
              We're encouraging new submissions to run both test suites now
                           Even if you have an existing certification, please run both now to get a free new one!
              We're still missing OP logout tests and 3rd Party-Initiated login tests, but the rest are there

Federation Interop
              Roland Hedberg ran a Federation interop last week
              There were three implementations participating
                           Roland's, GÉANT, Connect2ID
              A report on the Interop will be sent to the working group
              Mike will be speaking about the Federation spec at Identiverse

Open Issues
              https://bitbucket.org/openid/connect/issues?status=new&status=open
              #1176 backchannel logout spec doesn't have requirement that 'sid` in id_token & logout_token match
                           Mike to investigate and propose language
              #1174 Federation: 9.2.2.2.1. The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over
                           Assigned to Roland
              #1175 Create a Separate Spec for Self-Issued Identifiers
                           There's been discussion in the issue among Tom, Mike, and Tony
                           Tom is asking about discovery and key rollover
                           Tom is doing his implementation for IAL2 and AAL2 of NIST 800-63
                           Mike asked Tom how he associates multiple keys with a subject
                           Mike asked what normative requirements are needed to enable key rollover
                           Tom said that this is related to the persistent ID issue #1081
              #1081 Need for a persistence user identifier - a PUID
                           Mike asked whether "sub" isn't a persistent ID, at least when non self-issued
                                         If there was a persistent ID claim, one value of it could be a DID
                                         Tom is talking with Tobias Looker and Kyle Den Hartog about this
                           People also asked for an ephemeral subject type in issue #1096
                           Tom plans to write a proposal and link the three issues above together
                                         Tom will present about this at the virtual SIOP workshop
              #1167 Required certification behaviour for request and request_uri parameters
                           Marked resolved, since this is done in the Java certification suite

Next Call
              The next working group call is Monday, June 22 at 4pm Pacific Time

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20200618/3718af60/attachment-0001.html>


More information about the Openid-specs-ab mailing list