<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 7-Nov-11<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Proposal to be able to get claims without an additional round trip (issue #281)<o:p></o:p></p>
<p class="MsoNormal"> Yaron Goland's comments<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Editing<o:p></o:p></p>
<p class="MsoNormal"> Misc<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Proposal to be able to get claims without an additional round trip (issue #281)<o:p></o:p></p>
<p class="MsoNormal"> John suggested using the implicit flow and having the response contain the values<o:p></o:p></p>
<p class="MsoNormal"> The code flow adds one round trip<o:p></o:p></p>
<p class="MsoNormal"> First talk to authorization endpoint, get back the code<o:p></o:p></p>
<p class="MsoNormal"> Then send code to token endpoint, get back results<o:p></o:p></p>
<p class="MsoNormal"> Whereas with the implicit flow<o:p></o:p></p>
<p class="MsoNormal"> Only talk to authorization endpoint, get back the results<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Problem with implicit flow is that it makes the URL too big<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Must use code flow if claims are large (say 100K)<o:p></o:p></p>
<p class="MsoNormal"> We are using implicit flow in Basic<o:p></o:p></p>
<p class="MsoNormal"> Everything must fit in URL fragments<o:p></o:p></p>
<p class="MsoNormal"> Typical size limit of 2048 bytes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Token endpoint different from userinfo, check_id endpoints (see OAuth section 3.2)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Nat commented that one way of achieving this is to write a different OAuth flow<o:p></o:p></p>
<p class="MsoNormal"> Possibly called "userinfo"<o:p></o:p></p>
<p class="MsoNormal"> Or we could obtain it via the implicit flow (which has size limitations)<o:p></o:p></p>
<p class="MsoNormal"> Nat commented that in the assertion flow, you get back the data in the HTTP response<o:p></o:p></p>
<p class="MsoNormal"> The resource owner password credential flow does this as well<o:p></o:p></p>
<p class="MsoNormal"> The JWT Assertion flow has the right properties<o:p></o:p></p>
<p class="MsoNormal"> We would need to profile this for OpenID Connect purposes<o:p></o:p></p>
<p class="MsoNormal"> Requesting UserInfo claims<o:p></o:p></p>
<p class="MsoNormal"> Nat also needed a binding for the assertion profile for his use cases<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Mike will look at the JWT Assertion spec and figure out whether there is a mechanism for requesting a response type<o:p></o:p></p>
<p class="MsoNormal"> Mike will ask Yaron how he was thinking of this working<o:p></o:p></p>
<p class="MsoNormal"> Mike will discuss whether we need to do this before going to Implementer's Drafts<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> One concern is market fragmentation<o:p></o:p></p>
<p class="MsoNormal"> We could end up describing this request for functionality in the specs as something that may be added after these drafts<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We will continue to discuss this on the list and will talk about it some more on the Thursday call<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yaron Goland's comments:<o:p></o:p></p>
<p class="MsoNormal"> Mike will incorporate editorial improvements during his edits<o:p></o:p></p>
<p class="MsoNormal"> Mike will file issues for potential normative changes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues:<o:p></o:p></p>
<p class="MsoNormal"> 282 - Allow other genders<o:p></o:p></p>
<p class="MsoNormal"> Yes - Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> 280 - Validation of TLS endpoints<o:p></o:p></p>
<p class="MsoNormal"> Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> 279 - Can you use the form encoding parameter method?<o:p></o:p></p>
<p class="MsoNormal"> We will change the specs to allow the Authorization Header &amp; POST with form-encoding, but not query string<o:p></o:p></p>
<p class="MsoNormal"> Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Editing:<o:p></o:p></p>
<p class="MsoNormal"> John is done editing<o:p></o:p></p>
<p class="MsoNormal"> Edmund is done editing<o:p></o:p></p>
<p class="MsoNormal"> Mike is ready to start closing his issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Misc:<o:p></o:p></p>
<p class="MsoNormal"> Nat will ask Pam for the updated spec diagram<o:p></o:p></p>
<p class="MsoNormal"> George knows of other comments; he will ask the person to join the WG<o:p></o:p></p>
<p class="MsoNormal"> We will have both calls next week - they will be at 7am in Taipei<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>