<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Mike,<br>
    <br>
    <div class="moz-cite-prefix">On 09.02.2015 at 20:57, Mike Jones wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943A2219374@TK5EX14MBXC290.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">Roland and I
            have talked about refresh token tests, but there are a few
            problems with them.  First, there’s no way that must be
            supported by OPs to request refresh tokens.  Support for
            offline_access is optional and there’s no syntax for
            requesting online access to a refresh token.  So if refresh
            token tests were added for the functionality in
            <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens">http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens</a>,
            at most, they could verify that conditions are met *<b>if</b>*
            a refresh token was present.</span></p>
      </div>
    </blockquote>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943A2219374@TK5EX14MBXC290.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">Likewise,
            there’s no requirement that an ID Token be issued from a
            refresh request.  Therefore the requirements in section 12.1
            <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse">http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse</a>
            can only be verified *<b>if</b>* an ID Token was issued.</span></p>
      </div>
    </blockquote>
    <br>
    You are right. But your arguments hold true for several other
    features as well, which are at least cited in the current profiles
    document (e.g. claims parameter or request object).<br>
    <br>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943A2219374@TK5EX14MBXC290.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">None of these
            behaviors are specified in the Basic implementer’s guide in
            <a moz-do-not-send="true"
              href="http://openid.net/specs/openid-connect-basic-1_0.html">http://openid.net/specs/openid-connect-basic-1_0.html</a>,
            and so are beyond what we want to ask implementations
            conforming to the Basic conformance profile to do.
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">I agree that in
            the fullness of time we should add these tests for
            implementations that do support refresh tokens and ID Tokens
            issued from refresh requests.  But given that we don’t even
            have the RP tests up yet, I think that for the first phase
            of the certification work, we’re better off focusing on
            testing essential functionality first.</span></p>
      </div>
    </blockquote>
    <br>
    Good point. The question is what "essential functionality" is :-) In
    my personal opinion, refresh tokens in Connect make a big difference
    from SAML/OpenID 2.0 in supporting a great user experience for apps.
    They allow an app to re-login to an IDP without the need to spawn a
    browser with every start of the app (stay logged in). So we (DT) use
    it all over the place. Excluding them from interop tests means
    risking interop issues. <br>
    <br>
    That's why I think refresh tokens are essential. I would like to
    hear other WG members' opinions on this topic.  <br>
    <br>
    kind regards,<br>
    Torsten.<br>
    <br>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943A2219374@TK5EX14MBXC290.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">                                                           
            -- Mike<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                Torsten Lodderstedt [<a class="moz-txt-link-freetext" href="mailto:torsten@lodderstedt.net">mailto:torsten@lodderstedt.net</a>]
                <br>
                <b>Sent:</b> Sunday, February 08, 2015 9:43 AM<br>
                <b>To:</b> Mike Jones<br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                <b>Subject:</b> Re: [Openid-specs-ab] Updated
                conformance profiles spreadsheet<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <div>
            <p class="MsoNormal">Hi Mike,<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">I'm missing test cases verifying the
              standard compliance of an OP's refresh token handling as
              specified in section 12 of the core spec. I would suggest
              adding such tests, esp. with respect to the correct
              handling of the openid scope values and the id token
              contents (iss, sub, iat, auth_time, ...).<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">best regards,<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Torsten.<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
              On 06.02.2015 at 02:21, Mike Jones &lt;<a
                moz-do-not-send="true"
                href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal">The attached conformance profiles
                spreadsheet matches the currently deployed testing
                software.<o:p></o:p></p>
              <p class="MsoNormal"> <o:p></o:p></p>
              <p class="MsoNormal">                                                           
                -- Mike<o:p></o:p></p>
              <p class="MsoNormal"> <o:p></o:p></p>
            </div>
          </blockquote>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal"><span
                  style="font-size:12.0pt;font-family:&quot;Times New
                  Roman&quot;,&quot;serif&quot;">&lt;OpenID Connect
                  Conformance Features (version 5.2).xlsx&gt;<o:p></o:p></span></p>
            </div>
          </blockquote>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal"><span
                  style="font-size:12.0pt;font-family:&quot;Times New
                  Roman&quot;,&quot;serif&quot;">_______________________________________________<br>
                  Openid-specs-ab mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
                  <a moz-do-not-send="true"
                    href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></span></p>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
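    <p>A conditional check of the kind discussed in this thread, added here as an example and not taken from the conformance suite or from either author: it reports SKIPPED when the OP issued no refresh token or no ID Token on refresh, and otherwise applies the ID Token rules of the Refresh Token Response section of Core. The function names, verdict strings and sample claims are assumptions made for the illustration.</p>

```python
from typing import Optional

SKIPPED, PASSED, FAILED = "SKIPPED", "PASSED", "FAILED"

# Constructed sample: claims of the ID Token from the original authentication.
SAMPLE_ORIGINAL = {"iss": "https://op.example", "sub": "user-1",
                   "aud": "client-1", "iat": 1000, "auth_time": 990}


def _aud(claims: dict) -> set:
    """aud may be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def check_refreshed_id_token(original: dict, token_response: dict,
                             refreshed: Optional[dict], refresh_time: int,
                             skew: int = 300) -> tuple:
    """Return (verdict, errors); SKIPPED when the OP gave nothing to test.

    original       -- claims of the ID Token from the original authentication
    token_response -- parsed JSON of the first token response
    refreshed      -- claims of the ID Token in the refresh response, or None
    refresh_time   -- Unix time at which the refresh request was sent
    Signature and expiry validation are assumed to have happened already.
    """
    if "refresh_token" not in token_response:
        return SKIPPED, ["OP issued no refresh token"]
    if refreshed is None:
        return SKIPPED, ["refresh response carried no ID Token"]
    errors = []
    for claim in ("iss", "sub", "azp"):  # must match; azp may be absent in both
        if refreshed.get(claim) != original.get(claim):
            errors.append(f"{claim} differs from the original ID Token")
    iat = refreshed.get("iat")
    if not isinstance(iat, int) or abs(iat - refresh_time) > skew:
        errors.append("iat is not the time the new ID Token was issued")
    if not _aud(original).issubset(_aud(refreshed)):
        errors.append("aud no longer includes the original audience")
    # auth_time is optional, but when present it must stay at the original
    # authentication time rather than move to the time of the refresh.
    expected = original.get("auth_time")
    if "auth_time" in refreshed and expected is not None \
            and refreshed["auth_time"] != expected:
        errors.append("auth_time is not the original authentication time")
    return (FAILED, errors) if errors else (PASSED, [])
```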
  </body>
</html>