<div dir="ltr">George: I understand what issue you are trying to solve. But my comment is that we need to take the view from the RP.<div><br></div><div>What is it exactly that the RP needs to know about their registered users to be able to recognize them no matter what device they are using?</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 21, 2022 at 8:57 AM George Fletcher <<a href="mailto:george.fletcher@capitalone.com">george.fletcher@capitalone.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">I agree with you Karl regarding not solving the issue of the user having the same app (public client) installed on multiple devices and wanting to revoke just one of the devices. Usually this hits snags if the user is required to "name" the device. <input name="virtru-metadata" type="hidden" value="{"email-policy":{"state":"closed","expirationUnit":"days","disableCopyPaste":false,"disablePrint":false,"disableForwarding":false,"enableNoauth":false,"persistentProtection":false,"expandedWatermarking":false,"expires":false,"isManaged":false,"sms":false},"attachments":{},"compose-id":"7","compose-window":{"secure":false}}"><div><br></div><div>Of course, Dynamic Client Registration can solve the "identification" of the device problem.. but the naming side of it still exists.</div><div><br></div><div>Thanks for the clarification on how it's being used. For me the bigger question is do we want a spec that solves the cross-device SSO problem (in most cases this is a new device use case).</div><div><br></div><div>Tom, I think passkeys and authentication at that level is orthogonal to this spec. It is addressing how the user authenticates where this spec is about sharing the authentication state once the user has authenticated. Is that fair?</div><div><br></div><div>Thanks,</div><div>George</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 21, 2022 at 11:36 AM Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">The talk raised larger issues. Since the big guys support cross device and webauth is device only (AFAIK) how is a RP able to keep track of people if devices/big guys are in the ID mix?<div><br></div><div><div><div dir="ltr"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 21, 2022 at 8:27 AM Karl McGuinness via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto"><div>This talk was more aspirational with cross-device scenarios with keychain. <font color="#000000"><span>We currently only have customers in production using the intended native app to app (app suite) on a single device use case. </span></font></div><div><br></div><div>Interested to hear the feedback. The lack of interoperable way to tag a refresh token with “device_id” or “device_name” is a common gap today with users using the same app (client_id) across their devices (e.g phone and tablet) which is much more common with public clients and wanting to revoke tokens for a specific device that I’m surprised we haven’t resolved yet in some other OAuth spec (don’t see any registrations in <a href="https://urldefense.com/v3/__https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml*parameters__;Iw!!FrPt2g6CO4Wadw!PdVsktzJjFe4Z2zMaBPeGu9YCHqUKAZQ6fKllz26Mb_n35GfATo808AbH3Gs2AllC7dQduAxtgA1cYRVSs_Ykmv8orFHeZ7drUegEfM$" target="_blank">https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters</a>).</div><div><br></div><div>-Karl</div><div><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div dir="ltr" style="color:rgb(0,0,0);font-family:arial;font-size:small"><div dir="ltr"><div style="color:rgb(80,0,80)"><br></div></div></div></div></div></div></div></div></div></div><div><blockquote type="cite"><div>On Sep 20, 2022, at 11:02 AM, George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:</div><br><div><div style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><p><strong>This message originated outside your organization.</strong></p><br><hr><br></div><div dir="ltr" style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="ltr">For those that missed this talk (Frictionless authentication with mobile single-sign-on; <a href="https://urldefense.com/v3/__https://www.youtube.com/watch?v=8BkblIYjegk__;!!PwKahg!4gaWgD58arjDKiAw8ptJBYOccKxhuF1PoyA2cquMoQ1cLwBYOqmqrU0VIvISxMp0yRn6GSAn3Sq7N2kNuJ6T-q_3ThHocRU$" target="_blank">https://www.youtube.com/watch?v=8BkblIYjegk</a>) at Identiverse in June... it covers an additional use case for the native sso spec. I'd like to discuss this aspect as well on 9/22. I suspect some additional text in the spec may be required to address this use case.<div><br></div><div>Thanks,</div><div>George</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 9, 2022 at 4:46 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div lang="EN-US"><div><p class="MsoNormal">It was decided at yesterday’s working group call to advance the OpenID Connect Native SSO for Mobile Apps specification to Implementer’s Draft status. Prior to the foundation-wide review, please review the specification at<a href="https://urldefense.com/v3/__https://openid.net/specs/openid-connect-native-sso-1_0.html__;!!FrPt2g6CO4Wadw!I0ljc7o-nQa84JH_sl9lYFQhmv7ta1ezRPgP6r5C0sUc9VCSrnrkisjkNpkO_2ifbwuZ-u6KjtxkbHVafArRiq1A_2JZmvauBSXbCeM$" target="_blank">https://openid.net/specs/openid-connect-native-sso-1_0.html</a><span> </span>and file any issues at<a href="https://urldefense.com/v3/__https://bitbucket.org/openid/connect/issues?status=new&status=open__;!!FrPt2g6CO4Wadw!I0ljc7o-nQa84JH_sl9lYFQhmv7ta1ezRPgP6r5C0sUc9VCSrnrkisjkNpkO_2ifbwuZ-u6KjtxkbHVafArRiq1A_2JZmvauesDydW0$" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a>. Please complete your reviews in time for the working group call on Thursday, September 22<sup>nd</sup>.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"> <span> </span>-- Mike<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!I0ljc7o-nQa84JH_sl9lYFQhmv7ta1ezRPgP6r5C0sUc9VCSrnrkisjkNpkO_2ifbwuZ-u6KjtxkbHVafArRiq1A_2JZmvauQIwnTfk$" rel="noreferrer" target="_blank">https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!I0ljc7o-nQa84JH_sl9lYFQhmv7ta1ezRPgP6r5C0sUc9VCSrnrkisjkNpkO_2ifbwuZ-u6KjtxkbHVafArRiq1A_2JZmvauQIwnTfk$</a> <span> </span><br></div></blockquote></div></div><hr style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><font color="#404040" style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.</font><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><table border="0" cellspacing="0" cellpadding="0" width="100%" height="30" style="font-family:Helvetica;letter-spacing:normal;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration:none"><tbody><tr></tr></tbody></table><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">_______________________________________________</span><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Openid-specs-ab mailing list</span><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="mailto:Openid-specs-ab@lists.openid.net" style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">Openid-specs-ab@lists.openid.net</a><br style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!PdVsktzJjFe4Z2zMaBPeGu9YCHqUKAZQ6fKllz26Mb_n35GfATo808AbH3Gs2AllC7dQduAxtgA1cYRVSs_Ykmv8orFHeZ7dBUc-c7E$" style="font-family:Helvetica;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></blockquote></div><br></div></div>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!PdVsktzJjFe4Z2zMaBPeGu9YCHqUKAZQ6fKllz26Mb_n35GfATo808AbH3Gs2AllC7dQduAxtgA1cYRVSs_Ykmv8orFHeZ7dBUc-c7E$" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!PdVsktzJjFe4Z2zMaBPeGu9YCHqUKAZQ6fKllz26Mb_n35GfATo808AbH3Gs2AllC7dQduAxtgA1cYRVSs_Ykmv8orFHeZ7dBUc-c7E$" rel="noreferrer" target="_blank">https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!PdVsktzJjFe4Z2zMaBPeGu9YCHqUKAZQ6fKllz26Mb_n35GfATo808AbH3Gs2AllC7dQduAxtgA1cYRVSs_Ykmv8orFHeZ7dBUc-c7E$</a> <br>
</blockquote></div></div>
<hr><br><font color="#404040">The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.</font><table border="0" cellspacing="0" cellpadding="0" width="100%" height="30"><tbody><tr><td><br>
</td></tr><tr>
</tr><tr><td><br>
<br>
</td></tr></tbody></table><br>
</blockquote></div>