<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
span.emailstyle17
        {mso-style-name:emailstyle17;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        color:black;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Per <a href="http://hg.openid.net/connect/issue/601/standard-no-way-of-doing-idp-initiated">
http://hg.openid.net/connect/issue/601/standard-no-way-of-doing-idp-initiated</a>, we decided that IdP initiated login was critical functionality.  SAML uses this in many many circumstances, and we decided that feature parity in this regard was critical.  Actually,
 at IIW, John and crew decided how to do this.  He’s also checked it in, it turns out.  Look at bitbucket or expect a release with these changes in them shortly.  Please review.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Talk to you in the morning…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">                                                                -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> openid-connect-interop@googlegroups.com [mailto:openid-connect-interop@googlegroups.com]
<b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Wednesday, January 02, 2013 1:11 PM<br>
<b>To:</b> openid-connect-interop@googlegroups.com<br>
<b>Cc:</b> Mike Jones; openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: December 27, 2012 OpenID Connect Release<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">OK, I'll admit that I had assumed these were the implementer's draft releases, and therefore more final than what I thought. I would argue that the same brokenness argument ought to apply here with the other specs. I'm planning to make
 the meeting tomorrow so we can hash some things out there.<br>
<br>
Incidentally, I thought that we had all decided at IIW that IdP initiated login was a bad idea?<br>
<br>
 -- Justin<br>
<br>
On 01/02/2013 03:26 PM, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Fair questions, Justin.  First, this is not the Implementer's Draft release. A few more changes still need to be made to get there, including the ones you're mentioning about discovery and registration and also
 IdP initiated login.  This was an interim release to keep Connect on sync with JWT.  Because of the JWT changes, Connect would have been broken without this release.<br>
<br>
The same isn't true of the discovery and registration changes. There, I think the working group's conservative approach, while still encouraging experimentation with the new specs, remains a good stance for the upcoming implementer's drafts.  We can discuss
 that more on tomorrow's call if you like (7am Pacific).<br>
<br>
Happy New Year!<br>
-- Mike<o:p></o:p></p>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:
</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Justin Richer</span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sent: </span>
</b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">1/2/2013 9:31 AM</span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">To: </span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a></span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Cc: </span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Mike Jones;
<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></span><br>
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Subject: </span>
</b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Re: December 27, 2012 OpenID Connect Release</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">It surprises me that the very fundamental user_id -> sub breaking change was introduced in this revision, but the group wanted to hold back on both registration and discovery until after this publication so as to limit the number of deep
 compatibility breaks. I guess what I don't understand is the willingness to break things in one area but hesitance in others, especially since the user_id -> sub change came up only very recently. Don't get me wrong, I'm very much in favor of *all* of these
 changes, but I don't understand the logic in how we're deciding what gets broken and when.<br>
<br>
Also, as I recall the discussion, both of these documents were supposed to have a note at the top of them pointing them to the appropriate upstream draft (oauth2-dyn-reg and webfinger, respectively) as an impending change. I can only guess that these notes
 got lost during the holiday shuffle and the barrage of JOSE-related changes, but if there's any good way to get these pointers in place, I believe we should do so.<br>
<br>
 -- Justin<br>
<br>
On 12/28/2012 08:09 PM, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">New versions of the OpenID Connect specifications have been released resolving numerous open issues raised by the working group.  The most significant change is changing the name of the “<span style="font-family:"Courier New","serif"">user_id</span>”
 claim to “<span style="font-family:"Courier New","serif"">sub</span>” (subject) so that ID Tokens conform to the
<a href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04">OAuth JWT Bearer Profile specification</a>, and so they can be used as OAuth assertions.  (Also, see the related
<a href="http://self-issued.info/?p=916">coordinated change to the OAuth JWT specifications</a>.)  A related enhancement was extending our use of the “<span style="font-family:"Courier New","serif"">aud</span>” (audience) claim to allow ID Tokens to have multiple
 audiences.  Also, a related addition was defining the “<span style="font-family:"Courier New","serif"">azp</span>” (authorized party) claim to allow implementers to experiment with this proposed functionality.  (This is a slightly more general form of the
 “cid” claim that Google and Nat Sakimura had proposed.)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Other updates were:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span>The “<span style="font-family:"Courier New","serif"">offline_access</span>” scope value was defined to request that a refresh token be returned when using the code flow that can be used to obtain an access token granting access to the user’s UserInfo
 endpoint even when the user is not present.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span>A new “<span style="font-family:"Courier New","serif"">tos_url</span>” registration parameter was added so that the terms of service can be specified separately from the usage policy.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span>Clarified that “<span style="font-family:"Courier New","serif"">jwk_url</span>” and “<span style="font-family:"Courier New","serif"">jwk_encryption_url</span>” refer to documents containing JWK Sets - not single JWK keys.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Implementers need to apply these name changes to their code:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">user_id</span> -> <span style="font-family:"Courier New","serif"">
sub</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">prn</span> -> <span style="font-family:"Courier New","serif"">
sub</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">user_id_types_supported</span> ->
<span style="font-family:"Courier New","serif"">subject_types_supported</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">user_id_type</span> -> <span style="font-family:"Courier New","serif"">
subject_type</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">acrs_supported</span> -> <span style="font-family:"Courier New","serif"">
acr_values_supported</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><span style="font-family:"Courier New","serif"">alg</span> -> <span style="font-family:"Courier New","serif"">
kty</span> (in JWKs)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">See the Document History section of each specification for more details about the changes made.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications.  You can read about the other releases here: 
<a href="http://self-issued.info/?p=913">JOSE Release Notes</a>, <a href="http://self-issued.info/?p=916">
OAuth Release Notes</a>.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The new specification versions are:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-basic-1_0-22.html">http://openid.net/specs/openid-connect-basic-1_0-22.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-implicit-1_0-05.html">http://openid.net/specs/openid-connect-implicit-1_0-05.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-messages-1_0-14.html">http://openid.net/specs/openid-connect-messages-1_0-14.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-standard-1_0-15.html">http://openid.net/specs/openid-connect-standard-1_0-15.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-discovery-1_0-11.html">http://openid.net/specs/openid-connect-discovery-1_0-11.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-registration-1_0-13.html">http://openid.net/specs/openid-connect-registration-1_0-13.html</a><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">       
</span><a href="http://openid.net/specs/openid-connect-session-1_0-10.html">http://openid.net/specs/openid-connect-session-1_0-10.html</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">                                                            -- Mike<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
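<p class="MsoNormal">The December 27, 2012 announcement quoted above lists the claim and metadata renames implementers must apply (user_id and prn to sub, user_id_types_supported to subject_types_supported, user_id_type to subject_type, acrs_supported to acr_values_supported, alg to kty in JWKs) and introduces multi-valued aud together with the azp claim. The following is an added example, not code from the thread or from any OpenID project: a small migration helper driven by that rename table, plus an audience check for already signature-verified ID Token claims. The rule that azp, when present, must name this client follows the later OpenID Connect Core text and is an assumption here; the 2012 drafts only introduced azp as experimental. All sample claim sets and key material are constructed.</p>

```python
"""Added example: migrate pre-December-2012 OpenID Connect names and validate
the audience-related claims of an ID Token. Rename table from the release
announcement; the azp == client_id rule is an assumption taken from the
later OpenID Connect Core specification."""

# Rename tables from the announcement, keyed by the kind of JSON document.
# "alg" -> "kty" applies only to the 2012-era JWK documents, where "alg"
# still meant the key type.
RENAMES = {
    "id_token": {"user_id": "sub", "prn": "sub"},
    "discovery": {
        "user_id_types_supported": "subject_types_supported",
        "acrs_supported": "acr_values_supported",
    },
    "registration": {"user_id_type": "subject_type"},
    "jwk": {"alg": "kty"},
}


def migrate_names(doc, kind):
    """Return a copy of `doc` with old names replaced by the new ones.
    A document carrying both the old and the new key is ambiguous (which
    value wins?), so it is rejected instead of silently merged."""
    table = RENAMES[kind]
    out = {}
    for key, value in doc.items():
        new_key = table.get(key, key)
        if new_key in out:
            raise ValueError(f"both {key!r} and {new_key!r} present in document")
        out[new_key] = value
    return out


def migrate_jwk_set(jwk_set):
    """jwk_url and jwk_encryption_url point at JWK Sets, not single keys, so
    the migration walks the `keys` array of the set document."""
    if not isinstance(jwk_set.get("keys"), list):
        raise ValueError("expected a JWK Set document with a 'keys' array")
    return {**jwk_set, "keys": [migrate_names(k, "jwk") for k in jwk_set["keys"]]}


def check_id_token_audience(claims, client_id):
    """Audience checks on claims whose signature has already been verified.
    Returns a list of problems; an empty list means the token is acceptable
    for `client_id`."""
    problems = []
    if "sub" not in claims:
        hint = " (legacy 'user_id' present; migrate it)" if "user_id" in claims else ""
        problems.append("missing 'sub' claim" + hint)
    # aud may be a single string or, since this release, an array of strings.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        problems.append("'aud' must be a string or a non-empty array of strings")
        audiences = []
    if audiences and client_id not in audiences:
        problems.append(f"'aud' does not include this client ({client_id})")
    azp = claims.get("azp")
    # With several audiences the token must say which party it was issued to,
    # otherwise a token minted for another client is indistinguishable from ours.
    if len(audiences) > 1 and azp is None:
        problems.append("multiple audiences but no 'azp' claim")
    if azp is not None and azp != client_id:
        problems.append(f"'azp' names {azp!r}, not this client")
    return problems


# Constructed sample claim sets (not real tokens).
LEGACY_CLAIMS = {"iss": "https://op.example", "user_id": "248289761001",
                 "aud": "s6BhdRkqt3", "exp": 1356998400}
MULTI_AUD_CLAIMS = {"iss": "https://op.example", "sub": "248289761001",
                    "aud": ["s6BhdRkqt3", "other-client"], "azp": "s6BhdRkqt3",
                    "exp": 1356998400}

if __name__ == "__main__":
    print(check_id_token_audience(LEGACY_CLAIMS, "s6BhdRkqt3"))
    print(check_id_token_audience(migrate_names(LEGACY_CLAIMS, "id_token"), "s6BhdRkqt3"))
    print(check_id_token_audience(MULTI_AUD_CLAIMS, "other-client"))
```

<p class="MsoNormal">The migration step is deliberately strict about a document that carries both an old and a new name: during a cut-over that is exactly the case where two systems can disagree on which value is authoritative, so failing loudly is safer than picking one. The audience check likewise refuses a multi-audience token that lacks azp, because the new multi-valued aud is what makes a token issued to one client plausible at another.</p>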
</div>
</body>
</html>