<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Spec call notes 3-Sep-15<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Nov Matake<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agenda<o:p></o:p></p>
<p class="MsoNormal"> Logout<o:p></o:p></p>
<p class="MsoNormal"> New Issues<o:p></o:p></p>
<p class="MsoNormal"> Workshop before IIW<o:p></o:p></p>
<p class="MsoNormal"> Tokyo workshop after IETF 94 Yokohama<o:p></o:p></p>
<p class="MsoNormal"> Certification<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Logout<o:p></o:p></p>
<p class="MsoNormal"> Nat reported some parties may use SAML because OpenID Connect doesn't have a ratified logout spec<o:p></o:p></p>
<p class="MsoNormal"> He also said that some enterprise people are inventing home-grown logout spec<o:p></o:p></p>
<p class="MsoNormal"> Shipping is a feature as well<o:p></o:p></p>
<p class="MsoNormal"> We still need interop testing on the HTTP-based logout<o:p></o:p></p>
<p class="MsoNormal"> The back channel logout spec doesn't yet exist<o:p></o:p></p>
<p class="MsoNormal"> Nat said that some people apparently are using extensions to SCIM for back channel logout<o:p></o:p></p>
<p class="MsoNormal"> He will try to find references to what those people are doing<o:p></o:p></p>
<p class="MsoNormal"> Mike expressed that requiring SCIM to do logout seems like unnecessary complexity<o:p></o:p></p>
<p class="MsoNormal"> For the back channel logout, the OP would send a message to the RP containing the session ID<o:p></o:p></p>
<p class="MsoNormal"> There could be an ID Token authenticating the sender<o:p></o:p></p>
<p class="MsoNormal"> Some will want to log out a particular session - others will want to log out all sessions<o:p></o:p></p>
<p class="MsoNormal"> Back channel logout could be broadly construed - for instance terminating refresh tokens<o:p></o:p></p>
<p class="MsoNormal"> Nat raised the point about sometimes-connect clients<o:p></o:p></p>
<p class="MsoNormal"> Nat said that some parties are interested in receiving logout acknowledgements<o:p></o:p></p>
<p class="MsoNormal"> John said that having some concrete use cases might help<o:p></o:p></p>
<p class="MsoNormal"> Brian stated that expectations for logout appear to differ dramatically<o:p></o:p></p>
<p class="MsoNormal"> In theory, PingFederate supports back-channel logout for SAML<o:p></o:p></p>
<p class="MsoNormal"> But ~90% of integrations don't include the necessary RP support for this<o:p></o:p></p>
<p class="MsoNormal"> Mobile apps make things even harder<o:p></o:p></p>
<p class="MsoNormal"> What is the desired behavior for a mobile app?<o:p></o:p></p>
<p class="MsoNormal"> We can probably say something meaningful for interactive sessions<o:p></o:p></p>
<p class="MsoNormal"> Mobile applications require the back-channel logout<o:p></o:p></p>
<p class="MsoNormal"> Things that could be logged out/revoked include:<o:p></o:p></p>
<p class="MsoNormal"> interactive sessions<o:p></o:p></p>
<p class="MsoNormal"> immediate access and refresh tokens<o:p></o:p></p>
<p class="MsoNormal"> cascaded token revocations<o:p></o:p></p>
<p class="MsoNormal"> native app logins<o:p></o:p></p>
<p class="MsoNormal"> There could be some kind of an ack back to the server for destroyed objects<o:p></o:p></p>
<p class="MsoNormal"> Callbacks? This could be a scalability issue.<o:p></o:p></p>
<p class="MsoNormal"> Callbacks probably should be its own spec, if we ever do it<o:p></o:p></p>
<p class="MsoNormal"> Brian - implementing SAML logout is really hard and all the options only make it harder!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New Issues<o:p></o:p></p>
<p class="MsoNormal"> #980 - Where else do we need to specify the use of CORS support?<o:p></o:p></p>
<p class="MsoNormal"> Brian: Discovery, JWKs endpoint<o:p></o:p></p>
<p class="MsoNormal"> John: Authorization endpoint - Mike: You're redirecting there so you don't need CORS<o:p></o:p></p>
<p class="MsoNormal"> John: You may or may not want registration to be open<o:p></o:p></p>
<p class="MsoNormal"> The origin can do direct calls to the dynamic client registration endpoint<o:p></o:p></p>
<p class="MsoNormal"> If you want different client IDs for each JavaScript client instance, CORS would have to be supported<o:p></o:p></p>
<p class="MsoNormal"> Nat: Everything discovery related - including .well-known endpoints<o:p></o:p></p>
<p class="MsoNormal"> It would be deployment policy about whether registration supports CORS<o:p></o:p></p>
<p class="MsoNormal"> Mike will add a comment to the bug and will point people to the bug on e-mail<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Workshop before IIW<o:p></o:p></p>
<p class="MsoNormal"> http://www.eventbrite.com/e/openid-foundation-workshop-before-fall-2015-iiw-meeting-tickets-17960843366<o:p></o:p></p>
<p class="MsoNormal"> Mike told Don to remove Nat from the agenda<o:p></o:p></p>
<p class="MsoNormal"> Mike will ask Don what "HMG Cabinet Office Chairs" means for HEART, and if it's correct<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tokyo workshop after IETF 94 Yokohama<o:p></o:p></p>
<p class="MsoNormal"> http://www.eventbrite.com/e/openid-summit-tokyo-2015-tickets-18111127871<o:p></o:p></p>
<p class="MsoNormal"> Registration is not yet open for that, but there will be an English registration page<o:p></o:p></p>
<p class="MsoNormal"> Nat translated the Japanese event page to English at http://j.mp/cfp_oid15<o:p></o:p></p>
<p class="MsoNormal"> Session proposals are due by the end of the month but should be sent earlier<o:p></o:p></p>
<p class="MsoNormal"> John will cover RISC with help from Adam<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification<o:p></o:p></p>
<p class="MsoNormal"> Roland is back from vacation and actively fixing stuff<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>