[Openid-specs-ipsie] Initial draft of OpenID Connect IPSIE SL1 Profile
Aaron Parecki
aaron.parecki at okta.com
Thu Apr 3 19:32:29 UTC 2025
Thanks for the productive discussions on this over the last few weeks. On
the last call, I had some concrete takeaways for changes folks would like
to see in this before adoption. The changes are summarized below:
* IdPs are required to support public clients; RPs can be either public or
confidential clients
* Redirect URL registration and matching is required
* localhost and custom URL scheme redirect URLs are not allowed
* Access tokens can only be used to retrieve identity claims at the IdP
* PAR is removed from SL1
I've made all these changes to the draft; you can see the diff here:
https://github.com/aaronpk/ipsie-openid-sl1/commit/214d74913e7c800cea5103e111889dbd75feb8fe
The compiled HTML version of the draft is attached as well as linked here:
https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html
Please consider this the version submitted for the working group adoption
call. Thanks!
Aaron
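As an added illustration (not part of the draft or of this message), the redirect URL rules in the list above expressed as the checks an IdP would apply once at client registration and again on each authorization request; the https-only scheme rule and the loopback address list are my assumptions, since the message only names "localhost and custom URL scheme" as disallowed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical RP (not from the draft).
REGISTERED_REDIRECT_URIS = {
    "https://rp.example.com/callback",
    "https://rp.example.com/oidc/return",
}

# "localhost" is what the message names; the loopback IPs are an assumption.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def registration_rejection_reason(uri: str) -> Optional[str]:
    """Checks applied when an RP registers a redirect URL with the IdP.

    Returns None if the URL is acceptable, otherwise a short reason.
    Assumption: only https is accepted, so any other scheme (including
    custom app schemes such as myapp://) is rejected.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        return "custom or non-https scheme not allowed"
    host = parts.hostname  # urlsplit strips IPv6 brackets and lowercases
    if host is None or host in LOOPBACK_HOSTS:
        return "localhost / loopback redirect URL not allowed"
    return None


def authorization_request_rejection_reason(
    redirect_uri: str, registered: set
) -> Optional[str]:
    """Checks applied to the redirect_uri of an authorization request.

    Matching is exact string comparison: no prefix matching, no tolerance
    for a trailing slash, extra query parameters or a fragment.
    """
    if redirect_uri not in registered:
        return "redirect_uri does not exactly match a registered value"
    # Defence in depth: re-apply the registration rules so a registry that was
    # populated without them still cannot redirect to localhost or a custom scheme.
    return registration_rejection_reason(redirect_uri)
```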
On Fri, Mar 7, 2025 at 12:28 PM Aaron Parecki <aaron.parecki at okta.com>
wrote:
> Hi all,
>
> As promised on the last call, I've started a draft of the SL1 profile for
> OpenID Connect. I've attached the HTML here to contribute it to the OIDF as
> per the IPR process. However, you'll probably find it easier to read in the
> working copy on my GitHub:
>
>
> https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html
> https://github.com/aaronpk/ipsie-openid-sl1
>
> It's written in the same format as FAPI, and shares many of the same
> requirements. I also added the requirements that we've laid out for SL1 for
> ID tokens. I thought this would be better than treating it as an
> implementation guide that re-states all the OAuth/OpenID request/response
> parameters. While that format is definitely more helpful for developers, it
> does make it a lot longer and might be harder to parse for someone wanting
> to quickly check their current implementation against the requirements. Let
> me know what you think though.
>
> The two main questions that came up for me as I was putting this together
> are:
>
> * Should PAR be required? (It's required in FAPI, but we might not have
> the same needs)
> * What claim should we use for the IdP to indicate the RP session
> lifetime? (like SAML's SessionNotOnOrAfter)
>
> I've captured these as issues on GitHub with the "SL1" label:
>
> https://github.com/openid/ipsie/issues?q=state%3Aopen%20label%3Asl1%20
>
> Thanks, and sorry to miss the call next week! I look forward to catching
> up with the minutes after, as well as talking with whoever will be at IETF
> Bangkok!
>
> Aaron