[Openid-specs-mobile-profile] Notes from Moderna Aug 24

[John Bradley]

Bjorn
Gonzalo
Nat
James
Shiva
Mohajeri
John 


September WS we need agenda and info to book hotels.

Gonzalo Back channel draft.
New version uploaded last week.
 https://bitbucket.org/openid/mobile/src/75eae8b8e50737059c069965c8c37e794843b510/draft-mobile-client-initiated-backchannel-authentication-01.html?at=default&fileviewer=file-view-default <https://bitbucket.org/openid/mobile/src/75eae8b8e50737059c069965c8c37e794843b510/draft-mobile-client-initiated-backchannel-authentication-01.html?at=default&fileviewer=file-view-default>  

Need discussion on the auth_req_id  vs dymamic redirect_uri for post response

Need discussion on defining a new response_type vs a scope for signalling the flow.

Long discussion on poling response vs Post push.

We discussed the similarity with the device flow that uses long polling and may be updated to support out of band push for consent/authentication rather as well as the current type the URI method.
https://tools.ietf.org/html/draft-ietf-oauth-device-flow <https://tools.ietf.org/html/draft-ietf-oauth-device-flow>

John observed that polling may be easier logic for some RP to implement, and can work with non server devices.
Posting back to the client also introduces new security considerations, if mutual TLS is not used.  
The whole response may need to be signed eg include the auth_req_id inside the id_token.
Connect is defining Session ID  “sid” as part of logout, that might be something we could use instead of auth_req_id to correlate in the POST case, as it will be a id_token claim.

Shiva is going to get feedback from operators on the backchannel draft and circulate to the WG.

John B.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160824/145e555a/attachment.html>