<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 17-Dec-12<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal">Tony Nadalin<o:p></o:p></p>
<p class="MsoNormal">Justin Richer<o:p></o:p></p>
<p class="MsoNormal">Pamela Dingle<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda:<o:p></o:p></p>
<p class="MsoNormal"> Native Client Test Application<o:p></o:p></p>
<p class="MsoNormal"> Open Issues<o:p></o:p></p>
<p class="MsoNormal"> Inconsistency between user_id and prn<o:p></o:p></p>
<p class="MsoNormal"> Allowing Multiple Audiences in JWTs<o:p></o:p></p>
<p class="MsoNormal"> WebFinger<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Native Client Test Application:<o:p></o:p></p>
<p class="MsoNormal"> Pam did a demo of the native client test application<o:p></o:p></p>
<p class="MsoNormal"> It currently has IdPs hard-coded rather than doing discovery (which will come later)<o:p></o:p></p>
<p class="MsoNormal"> Pam and Edmund will try to get this to work with Edmund's OP as a second OP then release it<o:p></o:p></p>
<p class="MsoNormal"> Pam and Justin will also try to get it working with Mitre's OP<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues:<o:p></o:p></p>
<p class="MsoNormal"> We reviewed the 2 new open issues<o:p></o:p></p>
<p class="MsoNormal"> #688 Registration 2.1: Accept header in example should be Content-Type<o:p></o:p></p>
<p class="MsoNormal"> #687 Messages - Add 'prn' claim to id_token to support JWT Assertion<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Inconsistency between user_id and prn:<o:p></o:p></p>
<p class="MsoNormal"> Per issue #687 (Messages - Add 'prn' claim to id_token to support JWT Assertion),<o:p></o:p></p>
<p class="MsoNormal"> currently ID Tokens can't be OAuth JWT Assertions because they identify the<o:p></o:p></p>
<p class="MsoNormal"> subject with the "user_id" claim rather than the "prn" claim<o:p></o:p></p>
<p class="MsoNormal"> There was agreement that this inconsistency is harmful and that it needs to be fixed<o:p></o:p></p>
<p class="MsoNormal"> The same claim name should be used in both cases<o:p></o:p></p>
<p class="MsoNormal"> Potential claim names discussed were prn, sub, sbj, id, and who<o:p></o:p></p>
<p class="MsoNormal"> "prn" could be used without requiring changes to the JWT and JWT Assertions specs<o:p></o:p></p>
<p class="MsoNormal"> For that reason, "prn" was the working group's preferred claim name choice<o:p></o:p></p>
<p class="MsoNormal"> Mike will describe this decision to the working group and interop list and solicit feedback<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Allowing Multiple Audiences in JWTs:<o:p></o:p></p>
<p class="MsoNormal"> We had a discussion of allowing multiple audiences in tokens<o:p></o:p></p>
<p class="MsoNormal"> SAML allows multiple audience values (and also adds and/or semantics)<o:p></o:p></p>
<p class="MsoNormal"> Brian's proposal is to allow multiple audiences in the "aud" claim via array values<o:p></o:p></p>
<p class="MsoNormal"> In OAuth, an access token might be usable at multiple resource servers<o:p></o:p></p>
<p class="MsoNormal"> Brian will file an issue and send a note to the OAuth list<o:p></o:p></p>
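<p class="MsoNormal">The audience check a resource server would need once "aud" can be either a single string or an array, as an added example (Python; not code from the call or from any OpenID Connect implementation; the recipient identifiers and token payloads are constructed, and signature verification is assumed to have already happened):</p>

```python
"""Audience ("aud") validation accepting both the single-string form and the
array-valued form proposed on the call. Example code added here, not from the
working group or any project. Token payloads in the test are constructed."""
import json


class InvalidAudience(ValueError):
    """Raised when the token is not addressed to this recipient."""


def audiences(claims):
    """Normalise "aud" to a list of strings.

    A single string or a non-empty array of strings is accepted; a missing
    claim, an empty array or non-string entries are rejected outright so that
    a malformed token can never pass the membership test below by accident.
    """
    aud = claims.get("aud")
    if isinstance(aud, str) and aud:
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) and a for a in aud):
        return list(aud)
    raise InvalidAudience("aud must be a non-empty string or array of strings")


def check_audience(claims, my_id):
    """Return True only if my_id is among the token's audiences.

    Membership is exact string comparison (no prefix or case folding). A token
    whose array lists several resource servers is fine as long as this one is
    among them; a well-formed token for other recipients is still rejected.
    """
    if my_id not in audiences(claims):
        raise InvalidAudience("token not intended for %s" % my_id)
    return True


def accept_token(payload_json, my_id):
    """Decision wrapper: the decoded (and already signature-verified,
    assumed) JWT payload as JSON text in, accept/reject out."""
    try:
        return check_audience(json.loads(payload_json), my_id)
    except InvalidAudience:
        return False
```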
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WebFinger:<o:p></o:p></p>
<p class="MsoNormal"> WebFinger will be HTTPS only, per http://www.ietf.org/mail-archive/web/webfinger/current/msg00303.html<o:p></o:p></p>
<p class="MsoNormal"> This was the last technical issue standing in the way of Connect using WebFinger<o:p></o:p></p>
<p class="MsoNormal"> We will put a note in the implementer's drafts that SWD will probably be replaced with WebFinger<o:p></o:p></p>
<p class="MsoNormal"> We will do the same with the OAuth Registration draft<o:p></o:p></p>
</div>
</body>
</html>