<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi all,<br>
<br>
I've got some feedback on the refactored specs.<br>
<br>
modular version: <br>
In my opinion, part 6 shouldn't stay as a separate document because
the topics covered there are required for particular modules. For
example, "OpenID Connect – Part 2: Authentication Implicit" needs
text on signature validation. Right now, it only describes
validation of the at_hash. Understanding signature validation will
also require text on signatures in general, which can currently be
found in part 6/section 4. <br>
I therefore suggest mixing the contents of part 6 into the respective
functional documents. If part 1 is going to be THE base spec, sections
3, 6, and 7 and parts of 8 should go into this document. Section 11
could be moved to another document, probably covering profiles as
well. <br>
<br>
The monolithic version is really big (62 pages in A4)! If we decide
to go for this version, I would suggest to move sections 7 and 8
into another document.<br>
<br>
regards,<br>
Torsten. <br>
<br>
<div class="moz-cite-prefix">On 12.09.2013 20:16, Edmund
Jay wrote:<br>
</div>
<blockquote
cite="mid:1379009819.56430.YahooMailNeo@web184402.mail.bf1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:tahoma,
new york, times, serif;font-size:10pt">
<div>Spec Call notes 12-Sep-2013<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; ">Attendees</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Nat Sakimura</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Brian Campbell</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> George Fletcher</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Justin Richer</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Roland Hedberg</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> John Bradley</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Edmund Jay</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; ">Agenda</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Spec Refactoring</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Planning for Final Draft</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> New Issues</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Unsolicited
authentication flow using ID Tokens</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; ">Spec Refactoring</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Some members prefer the
monolithic version with all components in one place. Reference
lookups are easier.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Monolithic version may be
too long with too many features, but it may be solved by
having a separate </div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> authentication document
and keeping the monolithic document as the full version.<span
style="background-color: transparent; "> </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> It has a perception
problem of being overly complex.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
  A version with">
transparent; font-style: normal; "> A version with
chapters/partitions may alleviate the perception.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> The spec needs a
roadmap/guide for specific features.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Different profiles for
OpenID Connect can be produced once a definitive normative
spec is finalized. Current specs</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> have a synchronization
problem.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> The sentiment of the
group seems to be in favor of the monolithic spec.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Nat asked whether the
current ordering of the code flow and implicit in the
monolithic version should be switched.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> The group decided to keep
the current order of code flow before implicit flow.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> </div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> People should
review the refactored specs at
<a class="moz-txt-link-freetext" href="http://nat.sakimura.org/2013/08/27/refactoring-openid-connect-drafts/">http://nat.sakimura.org/2013/08/27/refactoring-openid-connect-drafts/</a></span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> Nat will add the
refactored version to Bitbucket and add it to the issue
tracker for reported problems.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; ">Planning for the
Final Draft</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> There is not much
time if the group is planning to finalize the spec by the
end of December.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> Roland, Justin,
John have volunteered to do detailed review.</span><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> Even though
JWS/JWE hasn't been finalized, there should not be normative
impact on the specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; ">New Issues</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> #870 - Standard
3.2.1. Refresh Token Response - return of id_token
prohibited, conflicts with Messages 2.2.3</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> It has been
decided that an ID Token can be returned from the token
endpoint for grant types other than </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; ">
authorization_code </span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> This is part
of the synchronization problem between current specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "> It's decided
that normative fixes to the current specs will continue in
parallel with the new refactored specs.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><span
style="background-color: transparent; ">Unsolicited
Authentication Flow using ID Token</span></div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Zendesk/Salesforce and
others are starting to use ID Token for IdP initiated SSO for
parties with pre-established</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> relationships. Some
security requirements may be skipped because they may be
mitigated by out of band means.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
 The current specs does">
transparent; font-style: normal; "> The current specs do
not allow this. ID Tokens must include a nonce if the ID Token
is returned in the front</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
 channel. Nonce">
transparent; font-style: normal; "> channel. The nonce
requirement can be softened by changing it to a SHOULD and
including some extra security considerations.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
 Current specs are focused">
transparent; font-style: normal; "> Current specs are focused
on a request and response protocol. They do not specify
responses in cases where there are no requests.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
 Justin/George feels that">
transparent; font-style: normal; "> Justin/George feel that
this is not OAuth anymore. It should start with OAuth as the
base with other protocols built on top of it.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> OpenID Connect should not
change to accommodate foreign (SAML) concepts.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> We should have a separate
document that details how to perform authentication with ID
Tokens but is not part of OpenID Connect.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> John will post to the
list with this decision.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "> Will also need to develop
a response to the question of why others are using this
alternative IdP initiated login instead of OpenID Connect
itself.</div>
<div style="color: rgb(0, 0, 0); font-size: 13px; font-family:
tahoma, 'new york', times, serif; background-color:
transparent; font-style: normal; "><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
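<p>Two points in the thread above are concrete RP-side checks: Torsten's remark that the implicit-flow text only describes validation of the <code>at_hash</code> and needs signature validation alongside it, and the notes' point that a front-channel ID Token must carry a <code>nonce</code> (with the proposed relaxation to SHOULD for IdP-initiated, unsolicited tokens). The following is an added example, not code from the thread or from the OpenID Connect drafts, of an RP validating an ID Token end to end: pinned-algorithm JWS signature check, <code>iss</code>/<code>aud</code>/<code>azp</code>/<code>exp</code> checks, the <code>nonce</code> check with a switch that models the MUST-versus-SHOULD discussion, and the <code>at_hash</code> binding to the returned access token. It assumes HS256 with the client secret as HMAC key (so it runs on the standard library alone); the issuer, client ID, nonce and token values are constructed, and <code>sign_hs256</code> stands in for a hypothetical OP only to build input.</p>

```python
"""
OpenID Connect ID Token validation at the Relying Party (added example).
Assumptions, not from the thread: alg HS256 with client_secret as HMAC key;
issuer, client_id, nonce and access_token values below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def at_hash(access_token: str) -> str:
    """at_hash for a *256 alg: SHA-256 of the ASCII access token,
    left-most 128 bits, base64url without padding."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[:16])


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS as a hypothetical OP would (test input only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, *, secret, issuer, client_id, expected_nonce=None,
                      access_token=None, require_nonce=True, now=None):
    """Return the verified claims or raise ValueError.

    require_nonce=True is the current MUST for front-channel ID Tokens.
    require_nonce=False models the proposed SHOULD for IdP-initiated SSO,
    where replay protection has to come from out-of-band means instead.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token header must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("exp missing or token expired")
    nonce = claims.get("nonce")
    if nonce is None:
        if require_nonce:
            raise ValueError("nonce missing: unsolicited front-channel ID Token rejected")
    elif nonce != expected_nonce:
        raise ValueError("nonce does not match the value sent in the request")
    if access_token is not None:
        # Implicit flow with an access token: at_hash binds the ID Token to it.
        if "at_hash" not in claims:
            raise ValueError("at_hash missing although an access_token was returned")
        if not hmac.compare_digest(str(claims["at_hash"]).encode("utf-8"),
                                   at_hash(access_token).encode("ascii")):
            raise ValueError("at_hash does not match the returned access_token")
    return claims


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    now = 1_379_000_000
    claims = {"iss": "https://op.example", "sub": "248289761001", "aud": "client-1",
              "exp": now + 600, "iat": now, "nonce": "n-0S6_WzA2Mj",
              "at_hash": at_hash("SlAV32hkKG")}
    tok = sign_hs256(claims, secret)
    print(validate_id_token(tok, secret=secret, issuer="https://op.example",
                            client_id="client-1", expected_nonce="n-0S6_WzA2Mj",
                            access_token="SlAV32hkKG", now=now)["sub"])
```

<p>The <code>require_nonce</code> switch is the whole difference between the current text and the softened one: with it on, a token that arrives without a preceding request is rejected at the RP even if the signature and <code>at_hash</code> are fine, which is exactly the unsolicited flow the notes describe.</p>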
<br>
</body>
</html>