<div dir="ltr"><h1 class="inbox-inbox-title" style="margin:0px 0px 10px;padding:0px;color:rgb(23,43,77);font-size:24px;font-weight:400;line-height:1.25;letter-spacing:-0.01em;font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif">AB/Connect WG Meeting Notes (2018-01-22)</h1><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">Date & Time: 2018-01-22 23:00 UTC</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">Location: GoToMeeting <a class="inbox-inbox-reference inbox-inbox-external" href="https://www3.gotomeeting.com/join/695548174" style="color:rgb(0,82,204);text-decoration-line:none">https://www3.gotomeeting.com/join/695548174</a></p><div class="inbox-inbox-contents inbox-inbox-topic" id="inbox-inbox-rst-header-agenda" style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><p class="inbox-inbox-topic-title inbox-inbox-first" style="margin:0px;padding:0px;word-wrap:break-word">Agenda</p><ul class="inbox-inbox-auto-toc inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px"><li style="word-wrap:break-word"><a class="inbox-inbox-reference inbox-inbox-internal" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-roll-call" id="inbox-inbox-rst-header-id1" style="color:rgb(0,82,204);text-decoration-line:none">1.   
Roll Call</a></li><li style="margin:0px;word-wrap:break-word"><a class="inbox-inbox-reference inbox-inbox-internal" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-native-sso-for-mobile-apps-george" id="inbox-inbox-rst-header-id2" style="color:rgb(0,82,204);text-decoration-line:none">2.   Native SSO for Mobile Apps (George)</a><ul class="inbox-inbox-auto-toc" style="margin:0px;padding:0px 0px 0px 40px"><li style="word-wrap:break-word"><a class="inbox-inbox-reference inbox-inbox-internal" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-qs-and-as" id="inbox-inbox-rst-header-id3" style="color:rgb(0,82,204);text-decoration-line:none">2.1.   Qs and As</a></li></ul></li><li style="margin:0px;word-wrap:break-word"><a class="inbox-inbox-reference inbox-inbox-internal" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-new-issues" id="inbox-inbox-rst-header-id4" style="color:rgb(0,82,204);text-decoration-line:none">3.   New Issues</a></li><li style="margin:0px;word-wrap:break-word"><a class="inbox-inbox-reference inbox-inbox-internal" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-aob" id="inbox-inbox-rst-header-id5" style="color:rgb(0,82,204);text-decoration-line:none">4.   
AOB</a></li></ul></div><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">The meeting was called to order at 23:07 UTC.</p><div class="inbox-inbox-section" id="inbox-inbox-rst-header-roll-call" style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><h2 style="margin:20px 0px 0px;padding:0px;font-size:20px;font-weight:400;line-height:1.5;font-style:inherit;letter-spacing:-0.008em"><a class="inbox-inbox-toc-backref" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-id1" style="color:rgb(0,82,204);text-decoration-line:none">1.   Roll Call</a></h2><ul class="inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px"><li style="word-wrap:break-word"><dl class="inbox-inbox-first inbox-inbox-docutils" style="margin:0px;padding:0px"><dt>Attending: Nat, George, Edmund, John, Rich</dt><dd style="margin-top:4px"><ul class="inbox-inbox-first inbox-inbox-last" style="margin:0px;padding:0px 0px 0px 40px"><li style="word-wrap:break-word">Guest:</li></ul></dd></dl></li><li style="margin:0px;word-wrap:break-word">Regrets:</li></ul></div><div class="inbox-inbox-section" id="inbox-inbox-rst-header-native-sso-for-mobile-apps-george" style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><h2 style="margin:20px 0px 0px;padding:0px;font-size:20px;font-weight:400;line-height:1.5;font-style:inherit;letter-spacing:-0.008em"><a class="inbox-inbox-toc-backref" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-id2" 
style="color:rgb(0,82,204);text-decoration-line:none">2.   Native SSO for Mobile Apps (George)</a></h2><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">George explained his draft [1] on Native SSO for Mobile Apps.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">[1] <a class="inbox-inbox-reference inbox-inbox-external" href="http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180122/303b574a/attachment-0001.pdf" style="color:rgb(0,82,204);text-decoration-line:none">http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180122/303b574a/attachment-0001.pdf</a></p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">The draft leverages the OAuth token exchange spec to let mobile apps signed with the same signing key share a logged-in user.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">Basically, when an app from the developer (signed with that key) is installed on the device, it looks for the developer's entry in the keychain; if there is none, it writes a client-generated device id that includes a cryptographically random component. The app then signs the user in to the IdP following all the usual best practices and obtains an ID Token, which is also written to the keychain.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">When mobile app #2 starts, it reads the ID Token from the keychain. It then sends the ID Token to the token exchange endpoint to get a new access token and refresh token minted for app #2.</p><div class="inbox-inbox-section" id="inbox-inbox-rst-header-qs-and-as" style="margin:0px;padding:0px"><h3 style="margin:20px 0px 0px;padding:0px;font-size:18px;font-weight:400;line-height:1.38889;font-style:inherit;letter-spacing:-0.006em"><a class="inbox-inbox-toc-backref" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-id3" style="color:rgb(0,82,204);text-decoration-line:none">2.1.   Qs and As</a></h3>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" start="17" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">Is there any standardization effort for device IDs?</li></ol>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">No; it should be kept open. The only requirement here is that the id has a random component so that it is not guessable.</li></ol>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" start="17" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">Does it not return the <cite>iss</cite>? It seems to be a best practice to return all the involved endpoints explicitly.</li></ol>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">No. The token exchange spec does not return one.</li></ol>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" start="17" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">Shouldn't the app just obtain new consent if the requested scope is bigger than the original?</li></ol>
<ol class="inbox-inbox-upperalpha inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px;list-style-type:upper-alpha"><li style="word-wrap:break-word">Since there is no channel open to the user at that time, it returns an error. However, it may be a good idea to make this conditional: "if the app has no way of obtaining consent out of band". The app may be able to obtain consent, for example via the User Questioning API.</li></ol>
</div></div><div class="inbox-inbox-section" id="inbox-inbox-rst-header-new-issues" style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><h2 style="margin:20px 0px 0px;padding:0px;font-size:20px;font-weight:400;line-height:1.5;font-style:inherit;letter-spacing:-0.008em"><a class="inbox-inbox-toc-backref" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-id4" style="color:rgb(0,82,204);text-decoration-line:none">3.   
New Issues</a></h2><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">There were no new issues.</p></div><div class="inbox-inbox-section" id="inbox-inbox-rst-header-aob" style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><h2 style="margin:20px 0px 0px;padding:0px;font-size:20px;font-weight:400;line-height:1.5;font-style:inherit;letter-spacing:-0.008em"><a class="inbox-inbox-toc-backref" href="https://bitbucket.org/openid/connect/wiki/AB_meeting_notes_2018-01-22#rst-header-id5" style="color:rgb(0,82,204);text-decoration-line:none">4.   AOB</a></h2><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word">John is going to get hold of Mike to discuss the alignment between JWS and draft-cavage-http-signatures.</p><ul class="inbox-inbox-simple" style="margin:12px 0px 0px;padding:0px 0px 0px 40px"><li style="word-wrap:break-word">The meeting was adjourned at 13:39 UTC.</li></ul></div></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><p dir="ltr">Nat Sakimura</p>
<p dir="ltr">Chairman of the Board, OpenID Foundation</p>
</div>
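<p>The Native SSO flow summarised in section 2, together with the three points from the Qs and As (an unguessable device id, no <cite>iss</cite> in the token exchange response, and an error rather than a fresh consent prompt when the requested scope exceeds the original one), is simulated below in Python with both the device side and the IdP side in one file. This is an added example for these notes, not code from George's draft or from any OpenID Foundation implementation. Its assumptions: the ID Token is HS256-signed with a key held only by the IdP so the example runs offline (a real IdP signs with an asymmetric key published via JWKS); a <code>signing_key_id</code> client registration attribute stands in for the developer's app-signing key; a hypothetical <code>device_id</code> request parameter binds the exchange to the session the IdP recorded at sign-in; the client ids, user and scopes are constructed; and <code>invalid_scope</code> is used for the oversized-scope case because the notes do not record which error the draft returns.</p>

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://idp.example.com"   # assumed IdP issuer URL
IDP_KEY = secrets.token_bytes(32)    # IdP JWT key; HS256 only so the demo runs offline
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# IdP client registry. "signing_key_id" stands in for the developer's app-signing key;
# keeping it as a client registration attribute is an assumption of this example.
CLIENTS = {"app1": {"signing_key_id": "vendor-key-A"}, "app2": {"signing_key_id": "vendor-key-A"},
           "other-vendor-app": {"signing_key_id": "vendor-key-B"}}
SESSIONS = {}  # IdP side: (sub, device_id) -> {"scope": set, "signing_key_id": str}
KEYCHAIN = {}  # device side: keychain access group (one per signing key) -> entries

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def jwt_verify(token: str) -> dict:
    """Return the claims of a JWT signed with IDP_KEY; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # ValueError unless exactly three segments
    expected = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):  # key is fixed, so the header alg is never trusted
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def get_or_create_device_id(access_group: str) -> str:
    """First app from the developer to run writes the device id; later ones reuse it."""
    entries = KEYCHAIN.setdefault(access_group, {})
    if "device_id" not in entries:  # the random component keeps the id unguessable
        entries["device_id"] = "dev-" + secrets.token_urlsafe(24)
    return entries["device_id"]

def idp_sign_in(client_id: str, sub: str, scope: set, device_id: str) -> str:
    """Stand-in for app #1's normal interactive sign-in: record the consent for (user,
    device) and issue the ID Token. Binding the session to the device id is an assumption."""
    now = int(time.time())
    SESSIONS[(sub, device_id)] = {"scope": set(scope), "signing_key_id": CLIENTS[client_id]["signing_key_id"]}
    return jwt_sign({"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 3600})

def token_exchange(req: dict) -> dict:
    """IdP token exchange endpoint (OAuth token exchange parameter names, RFC 6749 error codes)."""
    if req.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if req.get("subject_token_type") != ID_TOKEN_TYPE:
        return {"error": "invalid_request"}
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        return {"error": "invalid_client"}
    try:
        claims = jwt_verify(req.get("subject_token", ""))
    except ValueError:
        return {"error": "invalid_grant"}
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= int(time.time()):
        return {"error": "invalid_grant"}
    session = SESSIONS.get((claims.get("sub"), req.get("device_id")))
    # only an app signed with the same key as the app that signed in may reuse the session
    if session is None or session["signing_key_id"] != client["signing_key_id"]:
        return {"error": "invalid_grant"}
    requested = set(req.get("scope", "").split())
    # no user channel is open during the exchange, so a scope larger than the original
    # consent is refused rather than prompted for (invalid_scope is this example's choice)
    if not requested <= session["scope"]:
        return {"error": "invalid_scope"}
    return {  # no "iss" here: the token exchange response does not carry one
        "access_token": secrets.token_urlsafe(32), "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer", "expires_in": 3600, "scope": " ".join(sorted(requested)),
        "refresh_token": secrets.token_urlsafe(32),
    }

def app2_start(client_id: str, scope: str):
    """App #2 on launch: read the shared keychain and exchange the ID Token (None = nothing to reuse)."""
    entries = KEYCHAIN.get(CLIENTS[client_id]["signing_key_id"], {})
    if "id_token" not in entries:
        return None
    return token_exchange({
        "grant_type": TOKEN_EXCHANGE_GRANT, "client_id": client_id,
        "subject_token": entries["id_token"], "subject_token_type": ID_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE, "scope": scope,
        "device_id": entries["device_id"],  # assumed parameter name, not from the spec
    })

def demo() -> dict:
    """App #1 signs in and stores the ID Token; app #2 then exchanges it for its own tokens."""
    group = CLIENTS["app1"]["signing_key_id"]
    device_id = get_or_create_device_id(group)
    KEYCHAIN[group]["id_token"] = idp_sign_in("app1", "alice", {"openid", "profile"}, device_id)
    return app2_start("app2", "openid profile")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Running the file prints the token exchange response minted for app #2 (access token, refresh token, scope, but no <cite>iss</cite>). Calling <code>app2_start("app2", "openid email")</code> afterwards returns <code>invalid_scope</code> because <code>email</code> was never consented to, and an app registered under a different signing key gets <code>invalid_grant</code> even when it presents a copied ID Token and device id, which is the property the shared-keychain design relies on.</p>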