<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 2-Jul-20<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Tom Jones<o:p></o:p></p>
<p class="MsoNormal">Tim Cappalli<o:p></o:p></p>
<p class="MsoNormal">Bjorn Hjelm<o:p></o:p></p>
<p class="MsoNormal">Joseph Heenan<o:p></o:p></p>
<p class="MsoNormal">John Bradley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth JAR<o:p></o:p></p>
<p class="MsoNormal"> Nat submitted draft -25, adding require_signed_request_object<o:p></o:p></p>
<p class="MsoNormal"> He asked the AD Ben Kaduk to send it back to the IESG<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Events<o:p></o:p></p>
<p class="MsoNormal"> The SIOP Virtual Meetup was last week<o:p></o:p></p>
<p class="MsoNormal"> 105 attendees<o:p></o:p></p>
<p class="MsoNormal"> The event recording was sent out to attendees<o:p></o:p></p>
<p class="MsoNormal"> We want to have a second SIOP Virtual Meetup in a pacific-friendly timeslot<o:p></o:p></p>
<p class="MsoNormal"> We're thinking two hours starting with the OpenID Connect call timeslot<o:p></o:p></p>
<p class="MsoNormal"> 4pm Pacific Time, July 20 / July 21 Asia/Pacific<o:p></o:p></p>
<p class="MsoNormal"> FDX-OIDF Workshop<o:p></o:p></p>
<p class="MsoNormal"> 11am Eastern Time, July 21<o:p></o:p></p>
<p class="MsoNormal"> Related to FAPI<o:p></o:p></p>
<p class="MsoNormal"> Possible topics include security and certification<o:p></o:p></p>
<p class="MsoNormal"> OSW 2020<o:p></o:p></p>
<p class="MsoNormal"> July 21-24<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://barcamptools.eu/oauth-security-workshop-2020/events">
https://barcamptools.eu/oauth-security-workshop-2020/events</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Data minimization in the context of a UserInfo request<o:p></o:p></p>
<p class="MsoNormal"> Request from eKYC-IDA working group<o:p></o:p></p>
<p class="MsoNormal"> See <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200622/007835.html">
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200622/007835.html</a><o:p></o:p></p>
<p class="MsoNormal"> and <a href="https://bitbucket.org/openid/ekyc-ida/issues/1185/">
https://bitbucket.org/openid/ekyc-ida/issues/1185/</a><o:p></o:p></p>
<p class="MsoNormal"> The ask is for a signal to only return the requested claims (and not all authorized claims)<o:p></o:p></p>
<p class="MsoNormal"> Nat points out that SIOP has the same data minimization situation<o:p></o:p></p>
<p class="MsoNormal"> We could define a claims parameter like _only_requested_claims<o:p></o:p></p>
<p class="MsoNormal"> Or we could define a new request parameter like only_requested_claims<o:p></o:p></p>
<p class="MsoNormal"> Nat instead advocates having a query parameter at the resource to restrict the set of claims returned<o:p></o:p></p>
<p class="MsoNormal"> He said that we could reuse the claims request syntax<o:p></o:p></p>
<p class="MsoNormal"> John said that this could make sense in a signed response<o:p></o:p></p>
<p class="MsoNormal"> In this model, the authorization server would authorize a full set of claims<o:p></o:p></p>
<p class="MsoNormal"> and the set actually returned could be down-scoped at the resource server<o:p></o:p></p>
<p class="MsoNormal"> John points out that for self-issued, all the claims are already coming back in the signed ID Token<o:p></o:p></p>
<p class="MsoNormal"> Nat said that the use case he's thinking of is third-party claims providers<o:p></o:p></p>
<p class="MsoNormal"> He said that these could be normal UserInfo style resources<o:p></o:p></p>
<p class="MsoNormal"> Mike pointed out that for response_type=id_token there is no UserInfo Endpoint<o:p></o:p></p>
<p class="MsoNormal"> So the information would have to be sent directly to the Authorization Server<o:p></o:p></p>
<p class="MsoNormal"> Nat is interested in querying claims providers to provide specific information for the response<o:p></o:p></p>
<p class="MsoNormal"> Edmund's draft enables queries like this<o:p></o:p></p>
<p class="MsoNormal"> Edmund's draft uses a different endpoint than the UserInfo Endpoint<o:p></o:p></p>
<p class="MsoNormal"> This would be an additional specification<o:p></o:p></p>
<p class="MsoNormal"> Tom has other use cases for healthcare information<o:p></o:p></p>
<p class="MsoNormal"> John thinks that trying to reuse the UserInfo Endpoint could add more confusion than having a separate endpoint<o:p></o:p></p>
<p class="MsoNormal"> This is really a backchannel data exchange and not a request from the client<o:p></o:p></p>
<p class="MsoNormal"> We should involve Torsten and Mark Haine in the discussion<o:p></o:p></p>
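<p class="MsoNormal"> Added illustration (not from the call notes or any OpenID specification): the down-scoping model discussed above, where the Authorization Server authorizes a full claim set and the resource (UserInfo-style) server returns only the claims a client actually asked for, using the OpenID Connect Core "claims" request syntax carried as a query parameter. The function names, the sample authorized claims and the sample request are assumptions constructed for this example; only "sub" is always returned, and essential claims that are not authorized are reported so the resource can decide whether to fail rather than answer partially.<o:p></o:p></p>

```python
"""Hypothetical resource-side down-scoping of a UserInfo response.

Added example illustrating the model discussed on the 2-Jul-20 call; it is not
text from any OpenID specification. The 'claims' request syntax mirrors
OpenID Connect Core section 5.5 ({"userinfo": {"email": null,
"birthdate": {"essential": true}}}); all names and data below are assumptions.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample: the full claim set the AS authorized for this token.
AUTHORIZED_CLAIMS: Dict[str, str] = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "phone_number": "+1 555 0100",
    "birthdate": "1990-01-01",
}

# Constructed sample: what the client asks the resource to return.
# null (None) = voluntary claim; {"essential": true} = required by the client.
CLAIMS_REQUEST: dict = {
    "userinfo": {
        "email": None,
        "birthdate": {"essential": True},
        "nickname": {"essential": True},  # requested but never authorized
    }
}

# Constructed sample: the same request carried as a query parameter,
# e.g. GET /userinfo?claims=%7B...%7D (hypothetical transport, as proposed).
SAMPLE_QUERY: str = urlencode({"claims": json.dumps(CLAIMS_REQUEST)})


def claims_from_query(query_string: str) -> Optional[dict]:
    """Extract and parse a 'claims' query parameter; None if absent."""
    raw = parse_qs(query_string).get("claims")
    if not raw:
        return None
    return json.loads(raw[0])


def requested_claim_names(claims_request: dict, target: str = "userinfo") -> Dict[str, bool]:
    """Map each requested claim name under `target` to its essential flag."""
    section = claims_request.get(target) or {}
    return {name: bool(spec and spec.get("essential")) for name, spec in section.items()}


def downscope_userinfo(authorized_claims: Dict[str, str],
                       claims_request: Optional[dict]) -> Dict[str, object]:
    """Return only the requested claims that are also authorized.

    'sub' is always included (a UserInfo response must carry it). Requested
    claims that are not authorized are silently omitted if voluntary and
    listed under 'missing_essential' if essential, so the caller can choose
    between a partial answer and an error. With no request, behaviour is
    unchanged: the full authorized set is returned.
    """
    if not claims_request:
        return {"claims": dict(authorized_claims), "missing_essential": []}
    requested = requested_claim_names(claims_request)
    returned: Dict[str, str] = {"sub": authorized_claims["sub"]}
    missing_essential: List[str] = []
    for name, essential in requested.items():
        if name in authorized_claims:
            returned[name] = authorized_claims[name]
        elif essential:
            missing_essential.append(name)
    return {"claims": returned, "missing_essential": missing_essential}


def handle_userinfo(query_string: str) -> Dict[str, object]:
    """Glue for the sample: parse the query, then down-scope the response."""
    return downscope_userinfo(AUTHORIZED_CLAIMS, claims_from_query(query_string))


if __name__ == "__main__":
    print(json.dumps(handle_userinfo(SAMPLE_QUERY), indent=2))
```

<p class="MsoNormal"> Run with plain Python; the sample request yields only sub, email and birthdate, with nickname flagged as a missing essential claim. Whether a missing essential claim should turn into an error response rather than a partial one is a policy decision this example leaves to the caller.<o:p></o:p></p>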
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Federation Specification<o:p></o:p></p>
<p class="MsoNormal"> New draft uses either signed request objects (JAR) or pushed authorization requests (PAR) for client authentication of automatic registration requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/2020/07/01/openid-connect-federation-draft-incorporating-feedback-from-first-interop-event/">
https://openid.net/2020/07/01/openid-connect-federation-draft-incorporating-feedback-from-first-interop-event/</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Certification<o:p></o:p></p>
<p class="MsoNormal"> We want people to run the old and the new test suites and get free certifications<o:p></o:p></p>
<p class="MsoNormal"> This will give us actionable feedback on the new test suite<o:p></o:p></p>
<p class="MsoNormal"> See <a href="https://openid.net/certification/migration/">
https://openid.net/certification/migration/</a><o:p></o:p></p>
<p class="MsoNormal"> Nat suggested that we send an e-mail to those who had certified in the past<o:p></o:p></p>
<p class="MsoNormal"> Mike Jones will follow up with Don and Mike Leszcz<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> (We ran out of time before covering open issues)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next working group call is Monday, July 6th at 4pm Pacific Time<o:p></o:p></p>
</div>
</body>
</html>