[Openid-specs-native-apps] Notes from Feb 19 call

John Bradley jbradley at me.com
Thu Feb 20 00:04:45 UTC 2014


Attendees
Thomas DeBenning OneLogin.
John Bradley  Ping 
Morteza Ansari Cisco

Discussed bindings.


iOS can send the name of the application to the invoking app.

Windows Phone has no information about the caller via the URL scheme.

Morteza thinks asymmetric keys would be fine for encrypting the tokens to the end native apps.

Thomas is going to get updates to the bindings based on their research out in the next couple of weeks.


If we develop a way of bootstrapping web sessions from the TA using 3rd party id_tokens, then it may be possible to bootstrap the web session back to the AS to collect additional consents.

We don't, however, currently have a way to start a session at a client (or AS acting as a client) by passing an unsolicited id_token due to XSRF protection.

Some work probably needs to go into a security analysis on what an IdP-initiated JWT/id_token login flow needs to look like.


Morteza would like the WG members attending IETF in London to try and find a time to get together.  He is not arriving until late Sunday.



