[Openid-specs-native-apps] Minutes - March 19
Paul Madsen
paul.madsen at gmail.com
Thu Mar 20 12:38:43 UTC 2014
Attending
Paul
John
Chuck
Ashish
1) Ashish reported back on the RSA F2F
Attending were Mike & Caleb from MSFT, some MobileIron & Airwatch folks,
somebody from OneLogin
Ashish asked for people's assessment of the group's value. The group agreed there
was a need and that the work was worthwhile.
Microsoft challenged the value - claiming that something like this
would eventually be addressed by the OS vendors. The group feels the
inter-app piece (which the OS vendors will address) is just half the
problem; the other half is the on-the-wire protocol between the TA & AS.
In offline conversations with John, MSFT reps agreed that there was
value in defining the on-the-wire protocol.
Perhaps we can clarify that we don't intend to mandate a particular
interapp protocol
Ashish adds there was agreement that we need more ISVs participating;
the action item was to reach out to contacts at the SaaS.
John indicates he talked to Layer7 at MWC and that they feel they have
comparable functionality.
2) Discussion of the different models for token-chaining, and how/where
the complexity of dealing with token chaining sits - does the TA deal
with the exchange, or does the app deal with the exchange?
John points out the implications of the trust models, and the question of
who needs to know what.
AI - John will put together a summary of the different models and the
pros/cons of each
Ashish asked about a model where the trust and token exchange happens at
the AS level
Permutations appear to be:
- TA asks downstream AS for AT
- Downstream app asks downstream AS for AT
- Upstream AS asks downstream AS for AT
Implications for consent gathering
3) Discussion about the use case of bridging from the TA into web app SSO
Everybody has a different way to do this
Ashish points out an issue about how to get session info into a web clip....
Different UI implications/models
AI - Paul will start a thread on the use case on the NAPPS list
4) Chuck remains concerned about the consent model - believes the spec
as it stands is primarily focused on authentication, and not on authz.
The consent models differ on where the consent happens: at the TA
or at the AS.
John points out that this relates to the lack of the 'pre-authenticated
authz request'
Chuck wants their server involved in collecting consent, and wants that
to happen JIT and not a priori
John points out that this ties in with the bootstrap to browser app piece
AI - Chuck will summarize his thoughts on consent (where & when) on the list
Meeting closed