<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Spec Call Notes 28-Mar-22<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Jones<o:p></o:p></p>
<p class="MsoNormal">Kristina Yasuda<o:p></o:p></p>
<p class="MsoNormal">Karthik Sivasamy<o:p></o:p></p>
<p class="MsoNormal">Tobias Looker<o:p></o:p></p>
<p class="MsoNormal">David Waite<o:p></o:p></p>
<p class="MsoNormal">Vittorio Bertocci<o:p></o:p></p>
<p class="MsoNormal">Edmund Jay<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth/IETF Debrief<o:p></o:p></p>
<p class="MsoNormal"> DPoP entered WGLC today<o:p></o:p></p>
<p class="MsoNormal"> Please respond to the thread "[OAUTH-WG] WGLC for DPoP Document"<o:p></o:p></p>
<p class="MsoNormal"> Tobias asked whether the server side nonce remains optional<o:p></o:p></p>
<p class="MsoNormal"> Mike said that he didn't think that it was discussed<o:p></o:p></p>
<p class="MsoNormal"> Kristina remarked that the server nonce for the VCI spec has different characteristics than the DPoP server nonce<o:p></o:p></p>
<p class="MsoNormal"> Daniel Fett led a session about OAuth libraries<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that we might want to be more prescriptive about having metadata<o:p></o:p></p>
<p class="MsoNormal"> Mike recounted the history of the OpenID Foundation having failed to maintain libraries over time<o:p></o:p></p>
<p class="MsoNormal"> Vittorio and Mike agreed that objective quality bars could be useful, but not Foundation-developed libraries<o:p></o:p></p>
<p class="MsoNormal"> Step-up Authentication<o:p></o:p></p>
<p class="MsoNormal"> Brian and Vittorio described an OAuth step-up authentication draft using OpenID Connect parameters<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://datatracker.ietf.org/doc/draft-bertocci-oauth-step-up-authn-challenge/">
https://datatracker.ietf.org/doc/draft-bertocci-oauth-step-up-authn-challenge/</a><o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that errors are expected when the requested ACRs can't be met<o:p></o:p></p>
<p class="MsoNormal"> He described the use of the unmet_authentication_requirements error code<o:p></o:p></p>
<p class="MsoNormal"> There was a discussion at the IETFF on public clients versus confidential clients and OAuth 2.1 credentialed clients<o:p></o:p></p>
<p class="MsoNormal"> One camp says that anything with a credential is credentialed client, no matter when obtained<o:p></o:p></p>
<p class="MsoNormal"> Another dimension is whether the client is a singleton or has multiple instances<o:p></o:p></p>
<p class="MsoNormal"> This could eventually have an impact on existing implementations<o:p></o:p></p>
<p class="MsoNormal"> For instance, it could affect developer portals<o:p></o:p></p>
<p class="MsoNormal"> Security BCP<o:p></o:p></p>
<p class="MsoNormal"> The security BCP is planned to go to WGLC after some review comments have been acted upon<o:p></o:p></p>
<p class="MsoNormal"> Review it now!<o:p></o:p></p>
<p class="MsoNormal"> OAuth 2.1<o:p></o:p></p>
<p class="MsoNormal"> There are a number of issues that will need to be resolved before it goes to WGLC<o:p></o:p></p>
<p class="MsoNormal"> The minutes are at <a href="https://notes.ietf.org/notes-ietf-113-oauth">
https://notes.ietf.org/notes-ietf-113-oauth</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">W3C FedID Community Group<o:p></o:p></p>
<p class="MsoNormal"> Vittorio reported that we want to have an actionable identity path forward while enhancing user privacy<o:p></o:p></p>
<p class="MsoNormal"> FedCM is the only work item at present<o:p></o:p></p>
<p class="MsoNormal"> Google wants the ability to retain account selection<o:p></o:p></p>
<p class="MsoNormal"> It is a completely different identity solution from OpenID Connect and SAML, with the browser at the center<o:p></o:p></p>
<p class="MsoNormal"> It's not sufficient for us to replace our current functionality, especially logout<o:p></o:p></p>
<p class="MsoNormal"> Vittorio asked whether the time may be approaching for the OpenID Foundation and others to make public statements about FedCM<o:p></o:p></p>
<p class="MsoNormal"> Tobias asked whether Vittorio thinks that existing Browser features that we need will be going away soon<o:p></o:p></p>
<p class="MsoNormal"> In the worst case, we may lose link decoration, redirection, and third-party cookies<o:p></o:p></p>
<p class="MsoNormal"> Vittorio talked about logout not being preserved<o:p></o:p></p>
<p class="MsoNormal"> Mike said that the OpenID Foundation has written open letters in the past<o:p></o:p></p>
<p class="MsoNormal"> For instance, the open letter about SignOn with Apple<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://openid.net/2019/06/27/open-letter-from-the-openid-foundation-to-apple-regarding-sign-in-with-apple/">
https://openid.net/2019/06/27/open-letter-from-the-openid-foundation-to-apple-regarding-sign-in-with-apple/</a><o:p></o:p></p>
<p class="MsoNormal"> That was effective because it was very specific and actionable<o:p></o:p></p>
<p class="MsoNormal"> Any future letter should hopefully be similarly actionable<o:p></o:p></p>
<p class="MsoNormal"> Any letter needs to be informed by both the business and the engineering realities<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tobias asked why WebFinger and AccountChooser weren't widely adopted<o:p></o:p></p>
<p class="MsoNormal"> Mike said that if they were adopted, user choice of identity providers would be commonplace<o:p></o:p></p>
<p class="MsoNormal"> Nat opined (offline) that asking people to type in an identifier during login was probably a non-starter<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that business solutions will be achieved, no matter what the specs said<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that having specs doesn't mean that all features of the spec will be implemented<o:p></o:p></p>
<p class="MsoNormal"> Mike agreed that unless a feature meets an immediate felt business need, it likely won't be adopted<o:p></o:p></p>
<p class="MsoNormal"> Vittorio said that user agency is overrated<o:p></o:p></p>
<p class="MsoNormal"> DW said that the more user choice there is, the more you have to handle if the person switches providers<o:p></o:p></p>
<p class="MsoNormal"> He said that as OpenID 2.0 was ramping down, people often found that their OPs no longer existed - disrupting access to RPs<o:p></o:p></p>
<p class="MsoNormal"> Kristina agreed that RP behaviors have a huge effect and we need take that into account<o:p></o:p></p>
<p class="MsoNormal"> Mike said that, for instance, similar issues are likely to arise in the wallet space<o:p></o:p></p>
<p class="MsoNormal"> He expressed that we're having this discussion to try to have our shared experience and sense of history inform our current and future work<o:p></o:p></p>
<p class="MsoNormal"> Mike reported that Kristina invited those discussing OpenID Connect elsewhere to participate in the Connect working group<o:p></o:p></p>
<p class="MsoNormal"> Kristina pointed out that people who use crypto wallets appear to want more user choice than in other spheres<o:p></o:p></p>
<p class="MsoNormal"> Signin with Etherium is part of this space<o:p></o:p></p>
<p class="MsoNormal"> Tobias sees a huge overlap between SIOP and this space<o:p></o:p></p>
<p class="MsoNormal"> Kristina plans to do a PR updating the definition of SIOP to uplevel it<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pull Requests<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/">
https://bitbucket.org/openid/connect/pull-requests/</a><o:p></o:p></p>
<p class="MsoNormal"> We ran out of time to discuss PRs<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Open Issues<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a><o:p></o:p></p>
<p class="MsoNormal"> We ran out of time to discuss issues<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Next Call<o:p></o:p></p>
<p class="MsoNormal"> The next call will be the SIOP special topic call on Thursday, March 31, 2022 at 7am Pacific Time<o:p></o:p></p>
</div>
</body>
</html>