<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 23-Apr-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Brian Campbell<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">George Fletcher<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Migration from Mercurial to Git<o:p></o:p></p>
<p class="MsoNormal"> We've migrated our repository<o:p></o:p></p>
<p class="MsoNormal"> New Git repository: <a href="https://bitbucket.org/openid/connect/">
https://bitbucket.org/openid/connect/</a><o:p></o:p></p>
<p class="MsoNormal"> Old Mercurial repository: <a href="https://bitbucket.org/openid/connect.mercurial/">
https://bitbucket.org/openid/connect.mercurial/</a><o:p></o:p></p>
<p class="MsoNormal"> There was a permission issue when we tried to assign an issue to Roland<o:p></o:p></p>
<p class="MsoNormal"> Mike will investigate<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> A new version was published allowing client_id to be passed as a request parameter<o:p></o:p></p>
<p class="MsoNormal"> There's a clarification of the request_uri parameter requested by the PAR people<o:p></o:p></p>
<p class="MsoNormal"> John and Nat are working on that change with Torsten<o:p></o:p></p>
<p class="MsoNormal"> John said that the request_uri always references a JWT<o:p></o:p></p>
<p class="MsoNormal"> But that if it's not dereferenced, this could be implicit<o:p></o:p></p>
<p class="MsoNormal"> The current language "points to the Request Object" is probably what people are tripping over<o:p></o:p></p>
<p class="MsoNormal"> John said we should make it clear that people could push to something and return a URN rather than a location<o:p></o:p></p>
<p class="MsoNormal"> We could show this in an example<o:p></o:p></p>
<p class="MsoNormal"> Brian cited several examples in the JAR spec that would make people think that the request_uri always refers to a JWT<o:p></o:p></p>
<p class="MsoNormal"> George talked about the situation where the AS is both generating the request_uri and consuming it<o:p></o:p></p>
<p class="MsoNormal"> In that case, other representations than JWTs can be used<o:p></o:p></p>
<p class="MsoNormal"> John suggested that we say that it must point to a Request Object when it's a locator<o:p></o:p></p>
<p class="MsoNormal"> and just refers to a representation of a request when it's an identifier<o:p></o:p></p>
<p class="MsoNormal"> John said that if what's being referred to is not a Request Object, then some of the validation rules may not be right<o:p></o:p></p>
<p class="MsoNormal"> We might be creating security holes<o:p></o:p></p>
<p class="MsoNormal"> John: Logical representation of the contents of a Request Object<o:p></o:p></p>
<p class="MsoNormal"> Brian volunteered to create a PR for JAR to address the perceptions<o:p></o:p></p>
<p class="MsoNormal"> Then Nat and John and Mike and others can review it<o:p></o:p></p>
<p class="MsoNormal"> Nat's repository is at <a href="https://bitbucket.org/Nat/oauth-jwsreq/src/master/draft-ietf-oauth-jwsreq.xml">
https://bitbucket.org/Nat/oauth-jwsreq/src/master/draft-ietf-oauth-jwsreq.xml</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> #1164 insecure front-channel use of private_key_jwt client authentication<o:p></o:p></p>
<p class="MsoNormal"> Tried to assign to Roland, following substantial discussion on the list<o:p></o:p></p>
<p class="MsoNormal"> Mike will investigate the repository permission issue and then do this<o:p></o:p></p>
<p class="MsoNormal"> #1149 Front-channel logout that doesn't rely on cookies<o:p></o:p></p>
<p class="MsoNormal"> Placed on hold for now, per discussion on 9-Apr-20 call<o:p></o:p></p>
<p class="MsoNormal"> #1057 OIDCC appears to override single-use nature of auth code in RFC6749<o:p></o:p></p>
<p class="MsoNormal"> Marked as won't fix, given that this was an intentional choice<o:p></o:p></p>
<p class="MsoNormal"> The Certification tests OP-OAuth-2nd and OP-OAuth-2nd-30s cover these behaviors<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is Monday, April 27 at 4pm Pacific Time<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>