<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 13-Jun-11<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Edmund met with Breno<o:p></o:p></p>
<p class="MsoNormal">Breno and Facebook want to use new OAuth response types - comma separated<o:p></o:p></p>
<p class="MsoNormal"> code,token,session<o:p></o:p></p>
<p class="MsoNormal"> Session is what we used to call the ID Token<o:p></o:p></p>
<p class="MsoNormal"> Facebook also proposed a response type "none"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> John believes that current OAuth draft only allows you to ask for one token type<o:p></o:p></p>
<p class="MsoNormal"> Breno thinks it's being changed<o:p></o:p></p>
<p class="MsoNormal"> We need to monitor this in the draft<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Breno and Edmund discussed how to restructure the session management to make it more readable<o:p></o:p></p>
<p class="MsoNormal"> Edmund is working on that<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">They talked about additional request parameters related to the user experience. Breno proposed<o:p></o:p></p>
<p class="MsoNormal"> display={none,mobile,popup}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">They discussed a parameter expressing the approval required<o:p></o:p></p>
<p class="MsoNormal">This would be a space-separated list of the following choices:<o:p></o:p></p>
<p class="MsoNormal"> prompt=login consent selectaccount<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">They discussed a nonce parameter<o:p></o:p></p>
<p class="MsoNormal"> John wasn't sure what they were trying to accomplish with this<o:p></o:p></p>
<p class="MsoNormal"> Edmund said that it would be passed back as part of the session token<o:p></o:p></p>
<p class="MsoNormal"> Apparently Facebook is interested in this<o:p></o:p></p>
<p class="MsoNormal"> Edmund will follow up with Breno on this and get a description of it<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">They discussed the token introspection endpoint<o:p></o:p></p>
<p class="MsoNormal"> It can either be called with an access token or session token<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Edmund expects to get these things written up this week<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John has been working on writing up how to get back multiple endpoints for the OpenID provider<o:p></o:p></p>
<p class="MsoNormal"> He will try to circulate something tomorrow<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike committed to update the UserInfo endpoint schema - will try to circulate something tomorrow or Wednesday<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Scott Cantor and John had discussed that a problem with SAML has been not nailing down the EntityID format for the issuer<o:p></o:p></p>
<p class="MsoNormal"> We should try to avoid this<o:p></o:p></p>
<p class="MsoNormal"> Is it a URL for one of our endpoints, or something more abstract?<o:p></o:p></p>
<p class="MsoNormal"> We probably need to be specific about what the identifier for the IdP is<o:p></o:p></p>
<p class="MsoNormal"> The initial endpoint where you do discovery for the identifiers is likely a good choice<o:p></o:p></p>
<p class="MsoNormal"> John will take a stab at this as part of his write-up<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John, Nat, and Mike are planning to go to the OpenID summit in Colorado<o:p></o:p></p>
<p class="MsoNormal">They are also plan to go to IETF meeting in Quebec City that is soon after it<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Don is meeting with Alan Tom and Eric this week about the Connect launch plan<o:p></o:p></p>
<p class="MsoNormal"> John plans to try to call in for that<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We plan to have specs complete enough for early implementers by the end of this month<o:p></o:p></p>
</div>
</body>
</html>