[Openid-specs-ipsie] 2025-05-27 IPSIE WG Meeting Minutes

Aaron Parecki aaron.parecki at okta.com
Thu May 29 23:56:11 UTC 2025


Hi all, please find the meeting minutes from this week's meeting below.

As a reminder, there is no call next week as many of us will be at
Identiverse. I hope to see you there!

We'll resume the normal call schedule on June 10.

Aaron


-------------------------------

# IPSIE WG Meeting Minutes
Date: 2025-05-27

## Attendees

* Aaron Parecki (Okta)
* Dean H. Saxe (Beyond Identity)
* Dick Hardt (Hellō)
* George Fletcher (Practical Identity LLC)
* Jon Bartlett (Zscaler)
* Sean Miller (RSA)
* Kenn Chong (RSA)
* Filip Skokan (Okta)
* Shannon Roddy (self/LBNL)
* Bjorn Hjelm (Yubico)
* Mike Jones (Self-Issued Consulting)
* Travis Tripp (HPE)
* Anatoly Podstrelov (EDETEK)
* Quanpu Cai (Obsidian Security)
* Jen Schreiber (Workday)
* Jeff Bounds (SailPoint)
* Pat Buffolino (Paramount)
* Mike Kiser (SailPoint)
* Vatsal Gupta (Apple)

## Agenda

- Welcome and antitrust policy reminder https://openid.net/antitrust
- OpenID Contributor Agreement reminder https://openid.net/intellectual-property
- Reminder about OpenID Slack
    - invite link: https://join.slack.com/t/oidf/shared_invite/zt-30zg9louv-3HgJEwIL7vB3uWv2KEbLtw
- Community Events
    - Identiverse June 3-6
    - Identibeers - Brewdog Rooftop Monday night
- Review profiles & issues
    - https://github.com/openid/ipsie/issues?q=state%3Aopen%20label%3A%22agenda%22
    - Check in with Dick about Connect WG status
        - https://github.com/dickhardt/enterprise-extensions
    - Refresh tokens vs full page redirects
        - https://github.com/openid/ipsie/issues/74


Notetaker: Dean H. Saxe

## Minutes

* Call for adoption for OpenID Connect enterprise extensions
    * Add a +1 to the call for adoption on the mailing list please
    * this is a dependency for SL1
* OpenID Provider Commands v1 was just published, addressing issues in the last version, aligning to IL1/2/3
* Last week we discussed how the RP checks the IdP session
    * updates to the issue #74
    * Aaron captured the discussion in the issue comments
    * Recap of last week
        * goal: address mobile apps and more
        * When the app AT expires and the app uses the RT, does the app's AS check the session at the IdP to ensure the session is still valid?
        * How should this work?
        * If the RP has a RT, it can check the state of the authenticated session
        * want to make sure RPs CAN do this, but it should not be required
        * App at SL1 must respect the session lifetime
        * Dick: the session lifetime fits well into the enterprise extensions work where the session lifetime is communicated to the RP
        * Dick: need a mechanism to have the RP communicate to the OP that they are using the refresh token to narrow the session lifetime.
        * Kenn: Not mandating IdPs to issue RTs?
            * Aaron: Open question
            * Kenn: Some IdPs may not issue RTs, requiring a full page redirect
            * Aaron: Yes.
            * Dick: Clarify, extending the session
            * Aaron: We need to define how to negotiate the capabilities.
            * Dick: Full page redirect is always an option for the RP
            * Aaron: RT can be used as an optimization which can be used instead of a full page redirect
            * Filip: This won't impact SAML SL1
            * Dick: SAML has no background refresh. SAML requires a full reauthN
            * Sean: We're describing how the session is established and its lifetime at the app, right?
            * Aaron: Yes. Identity service can send a session lifetime to the RP
            * George: How does the RP know the user logged out? Pull vs. Push mechanism. We haven't discussed whether the IdP can tell the RP how frequently to check the session state at the IdP. RTs are a convenient mechanism to enforce this. New AT will not be issued if the session is logged out.
            * Dick: Refers to the SL1 table requirements.
            * George: Is the session lifetime a default maximum or a configured session lifetime?
            * Dick: ID service tells RP the length of the user's session before the user needs to be reauthenticated through the IdP.
            * George: User logs out of the IdP before the session is expired - RP session could outlive the IdP session in this case. This may be undesirable.
            * Aaron: This is addressed at SL2. SL1 is suboptimal for some use cases.
            * George: SL2 says it will push a command that the RP must log out the user. Lacking clarity on the value of the RT
            * Dick: advantage of RT is that I am logged into an app and can use it for days without having to go through a full page refresh flow. Enables RP to reset the session lifetime.
            * George: Only viable if the RP's AS is allowed to obtain an offline RT
            * Aaron: Not a forever credential, must check back using RTs.
            * George: Different definition of session lifetime.
            * Aaron: Language is unclear, likes Dick's definition
            * George: taking internal IdP session out of the equation for SL1. Need to know cadence for refreshing the app's session. Setting IdP and App session length are two different things, our language conflates them
            * Dean: We need better clarity around IdP vs. RP session lifetime for mere mortals who don't sit on these calls.
            * George: "Application specific session lifetime" where the app gets a specific session lifetime that may be different from the IdP session
            * Aaron: Future state, claim in an ID token that sets a specific session lifetime and it may be distinct from the IdP session lifetime.
            * Aaron updated the SL1 table and explanatory text to drive clarity. PR forthcoming, we'll leave the PR open until the next call to allow for comments.
            * Aaron/Dean: Is this the explainer doc for IPSIE? How do we ensure we don't have to re-explain this for SAML vs OIDC? Do we turn this into an adopted spec?
            * Dean: We can use this to share how we got to the normative text.
            * Aaron: Link the spec back to specific requirements in the explainer. Work to be done later
                * **ACTION ITEM:** Create an issue to ensure we create the backlinks and publish the explainer. (Explainer is the IPSIE levels doc)
            * Dean/Aaron: Push forward on the OIDC Profile spec, explainer can trail behind. Need to determine how we publish the explainer. Explainer will be evolving over time.
            * Dick: Application session vs. IdP session. IdP session is out of scope. IdP tells the RP how long the RP session should be.
            * Aaron: We are not setting policy for IdP/RP, but we are allowing the IdP to set a session lifetime for the RP. At SL2, IdP can forcibly terminate sessions
    * Need editors for the IPSIE levels page to turn it into an explainer doc. Unclear the level of detail, but greater than what we have today.
        * Aaron and George will work on this.
        * Dean cannot commit until FAL2 work is complete.
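As an added illustration of the refresh-token-versus-full-page-redirect logic discussed in the minutes above (this is not part of the minutes or of any IPSIE spec text), here is a Python sketch of an RP's decision at access-token expiry. It assumes the IdP communicated a session lifetime to the RP at login and that a rejected refresh means the IdP session has ended; the `FakeIdp` stub, the `decide` function and the token values are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Action(Enum):
    USE_ACCESS_TOKEN = "use_access_token"
    REFRESHED = "refreshed"                     # RT used as an optimisation
    FULL_PAGE_REDIRECT = "full_page_redirect"   # always-available fallback

@dataclass
class RpSession:
    login_at: int              # when the user last authenticated through the IdP
    session_lifetime: int      # seconds, as communicated by the IdP (assumption)
    access_token_exp: int
    refresh_token: Optional[str] = None  # None when the IdP issued no RT

def decide(session: RpSession, now: int, try_refresh) -> Action:
    """What the RP does at time `now`. `try_refresh(rt)` models the token endpoint:
    returns (new AT lifetime in seconds, new RT), or None when the IdP rejects the RT."""
    # SL1: the RP session must not outlive the lifetime the IdP set.
    if now >= session.login_at + session.session_lifetime:
        return Action.FULL_PAGE_REDIRECT
    if now < session.access_token_exp:
        return Action.USE_ACCESS_TOKEN
    if session.refresh_token is None:   # AT expired and no RT: redirect is the only option
        return Action.FULL_PAGE_REDIRECT
    result = try_refresh(session.refresh_token)
    if result is None:
        # No new AT will be issued once the IdP session is logged out.
        session.refresh_token = None
        return Action.FULL_PAGE_REDIRECT
    at_lifetime, session.refresh_token = result
    session.access_token_exp = now + at_lifetime
    return Action.REFRESHED

class FakeIdp:
    """Constructed stand-in for an IdP token endpoint with RT rotation."""
    def __init__(self) -> None:
        self.logged_out = False
        self.valid_rts = {"rt-1"}
        self.counter = 1
    def refresh(self, rt: str) -> Optional[Tuple[int, str]]:
        if self.logged_out or rt not in self.valid_rts:
            return None  # invalid_grant: session gone or RT already rotated
        self.valid_rts.discard(rt)
        self.counter += 1
        new_rt = f"rt-{self.counter}"
        self.valid_rts.add(new_rt)
        return (600, new_rt)
```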