# OpenID Connect Call Notes 2022-04-11

## Attendees

* Chair: Mike Jones
* Note Taker: Aaron Parecki
* Tom Jones
* Vittorio Bertocci
* Karthik Sivasamy
* Tobias Looker
* Anthony Nadalin
* Nat Sakimura
* Kristina Yasuda
* Naveen CM
* Jeremie Miller
* Edmund Jay
* John Bradley
* David Waite

## Agenda

* Triage logout issues
* Future events (IIW, OpenID Workshop, OAuth Security Workshop, EIC)

## Notes

### Logout Issues

https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout

#### 1216

* https://bitbucket.org/openid/connect/issues/1216/query-over-rp-initiated-logout
* Mike: Suggest we don't need spec changes; would like feedback from Joseph.
* Nat: Sounds good.

#### 1182

* https://bitbucket.org/openid/connect/issues/1182/add-logout_hint-parameter-to-rp-initiated
* Mike: Today incorporated most of Filip's suggested text. Would like to leave it open for a week for people to review; this should be the last normative change for RP-Initiated Logout.

#### 1185

* https://bitbucket.org/openid/connect/issues/1185/mention-of-post-requests-and-samesite
* Mike: The Front-Channel Logout and Session Management specs added caveats warning about the future browser changes. The RP-Initiated Logout spec is not directly affected because it doesn't use cookies. Proposal is to not discuss it here since it is discussed in the other specs.
* Mike: Leave this issue open for a week and close it if there are no objections in a week.

#### 1183

* https://bitbucket.org/openid/connect/issues/1183/handling-errors-during-openid-connect-rp
* Mike: Because it's clear not to redirect, suggest not adding any text.

#### 1338

* https://bitbucket.org/openid/connect/issues/1338/custom-scheme-for-post_logout_redirect_uri
* Mike: The request is to be able to use custom schemes. The suggested text in the last comment is adapted from Core. Will create a PR to add this.
#### 1468

* https://bitbucket.org/openid/connect/issues/1468/openid-connect-back-channel-logout-10
* Mike: One of the improvements to JWTs in the JWT BCP was explicit typing of JWTs. Seems like a good idea for the logout token to be explicitly typed. Unless there are any disagreements, will create a PR.
* Vittorio: In general typed JWTs are a good idea; we did that for the JWT profile for access tokens. However, that is the biggest blocker for adoption, since people never worried about the type, so SDKs don't make it easy to do that. That isn't a reason not to do it, but we might want to do more promotion of validating types in SDKs.
* Mike: That is the reason for making it RECOMMENDED and not mandatory in the comment. Some existing certified implementations would break if it were required.
* Nat: Why is it difficult for implementers?
* Vittorio: Many existing JWT libraries don't provide hooks for setting or validating the typ header.
* Aaron: If it's going to be recommended and not required, it would be a good idea to tell people why it's recommended and what you lose if you don't use it.

#### 1184

* https://bitbucket.org/openid/connect/issues/1184/unclear-what-to-do-if-id_token_hint-user
* Mike: (continuing from the last comment) ... What should the OP show in this case? There is guidance on what not to do already.

### Session Management Issues

https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Session

#### 1202: Syntax error in example JS

* https://bitbucket.org/openid/connect/issues/1202/suggested-op-iframe-javascript-suggests-a
* Mike: Proposal to leave this open for a week for feedback.

Mike: Logout issues triage complete.

### W3C FedID

* Vittorio: The W3C FedID CG has a question about the Session Management spec.
* Vittorio: We are trying to understand the impact of third-party cookies going away. Interested in understanding the scenarios that will be the most impacted. Logout and background refreshes are the most impacted.
* Vittorio (cont.): It doesn't look like it's easy to see any session management implementations in the wild; the only distributed logout implementations are front-channel logout, which is in line with my experience. Does anyone know of production use of the Session Management spec for logout? We would like to identify how amenable they would be to the mitigations being proposed.
* Mike: AAD v1 supports it and is still running.
* Vittorio: Do you know how used that is?
* Mike: Not at the moment, but I can try to find the managers of the RP side.
* Mike: Also Roland Hedberg's libraries support it, and there are some other notes in the certification table.
* Nat: Google probably had one in the past. Naveen Agarwal probably knows.

### Logout

* Mike: Tom Jones asked in the chat: "I worry about error messages. Especially where the IDs do not match. It seems that the OP might be giving an attacker information that the attacker does not have."
* Mike: In the issue comment conversation, the RP-Initiated Logout spec doesn't define error codes, because if there is an error there is no safe way to deliver it back. If the attacker is a human in front of a screen, you may be able to tell that you sent a bad RP-initiated logout anyway.
* Tom: You said if there was an error you prompt the user to log out and tell them what to log out from; that might be too much information.
* Mike: You would be logging out of an RP session that you already had.
* Tom: I thought you would be logging out of the OP.
* Mike: Yes, but you would be logging out based on an existing RP session that you have. Let me think about this some more. Tom, if you'd like to, make a comment in one of the issues.

### Future Events

* Mike: What sessions would you like to see at IIW? For instance, those working on the VP and VC flows and SIOP v2 could have educational and working sessions on those.
* Tobias: May present https://identity.foundation/bbs-signature/draft-bbs-signatures.html#name-usecases
* Tobias: When you're worried about using bearer tokens, group signatures like BBS use a derived proof, so those presentations mitigate replay attacks but don't require the same kind of private keys per client. Would be interested in whether that has applicability here to things like access tokens in OAuth. https://identity.foundation/bbs-signature/draft-bbs-signatures.html#appendix-A.2.2
* Kristina: May present things related to mDL. Considering doing sessions at IIW about the basics of OpenID Connect.
* Kristina: Would like feedback on: also thinking about changing the OpenID Connect for Credential Issuance spec from OIDC-based to OAuth-based. Also interested in changing SIOP to require a native app wallet, to also allow OPs to support unique keys per user.
* Vittorio: One big topic that will come up is discussions with the browser vendors. Try not to have overlap with the OpenID sessions.
* Vittorio: Another useful session could be about the ecosystem. A lot of the things that will need to be in place for VCs to work are beyond the protocols, like incentives and infrastructure. This conversation could involve both OpenID and blockchain folks.

Upcoming: OpenID Workshop https://openid.net/2022/03/22/registration-open-for-openid-foundation-workshop-at-google-monday-april-25-2022/
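The explicit typing of logout tokens discussed under issue 1468 above, as an added example that is not from these notes or from any OpenID Foundation code: a minimal back-channel logout token check on the RP side, showing what a `typ` header buys and what the lenient mode that a RECOMMENDED (not required) `typ` implies gives up. It assumes the `typ` value `logout+jwt` (not stated on this page), HS256 with a constructed shared key in place of the OP's published signing key, and constructed sample tokens.

```python
import base64, hashlib, hmac, json

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
LOGOUT_TYP = "logout+jwt"  # assumed explicit type for logout tokens; this value is not on the page
KEY = b"constructed-shared-secret"  # constructed HS256 key; a real OP signs with its published key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict, key: bytes = KEY) -> str:
    # Mint a compact HS256 JWT for the constructed samples below (not an OP implementation).
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def validate_logout_token(token: str, key: bytes = KEY, require_typ: bool = False) -> dict:
    """Return the claims of an acceptable logout token or raise ValueError; require_typ=True is strict mode."""
    h, c, s = token.split(".")
    if not hmac.compare_digest(hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest(), _unb64(s)):
        raise ValueError("signature check failed")
    header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    typ = header.get("typ")
    if typ is None and require_typ:
        raise ValueError("typ header missing")
    if typ is not None and typ != LOGOUT_TYP:
        # Tokens of another explicit type are rejected here, before any claim heuristics run.
        raise ValueError(f"not a logout token: typ={typ}")
    if LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("events claim lacks the back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub and/or sid")
    return claims

def is_logout_token(token: str, require_typ: bool = False) -> bool:
    try:
        return bool(validate_logout_token(token, require_typ=require_typ))
    except ValueError:
        return False

# Constructed sample tokens from the same fictional OP.
BASE = {"iss": "https://op.example", "aud": "rp-client-id", "iat": 1649635200,
        "jti": "evt-1", "sid": "session-42", "events": {LOGOUT_EVENT: {}}}
TYPED = make_jwt({"alg": "HS256", "typ": LOGOUT_TYP}, BASE)
UNTYPED = make_jwt({"alg": "HS256"}, BASE)
ACCESS_TOKEN = make_jwt({"alg": "HS256", "typ": "at+jwt"}, {**BASE, "sub": "alice"})
ID_TOKEN = make_jwt({"alg": "HS256"}, {"iss": BASE["iss"], "aud": BASE["aud"], "sub": "alice", "nonce": "n-1"})
```

With `require_typ=False` the untyped token is accepted on its claims alone, which is the behaviour an RP is stuck with while its OP does not type logout tokens; once the OP emits `typ`, flipping to strict mode makes the rejection of any other token kind independent of claim heuristics.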