[Openid-specs-risc] Call notes 2025-04-01
Shayne Miel (smiel)
smiel at cisco.com
Tue Apr 1 18:28:01 UTC 2025
Hi all,
Here are the meeting notes from today's call. They are also stored here<https://hackmd.io/@oidf-wg-sse/wg-meeting-20250401>.
Thanks,
Shayne
Shayne Miel / Principal Engineer (he, him, his)
smiel at cisco.com
(919) 923-6230
cisco.com<https://www.cisco.com/site/us/en/products/security/index.html>
WG Meeting: 2025-04-01
Agenda
* Review PRs
* Review Issues
* IPSIE Actions
Attendees
* Shayne Miel (Cisco)
* Sean O'Dell (Disney)
* Jen Schreiber (Workday)
* Thomas Darimont (OIDF)
* Yair Sarig (Omnissa)
* Mike Kiser (SailPoint)
* Apoorva Deshpande (Okta)
* JD Pawar (Workday)
* Tushar Raibhandare (Google)
Notes
IPSIE Action
* IPSIE group is looking to us
* (Jen) In SET spec, SETs can only be descriptive
Review PRs
* (Jen) Issue 247. Tried to phrase it to be backwards compatible.
* If Tx supports pull it should indicate as such
* (Shayne) Make it a MAY to be more normative and ship it
* (Jen) CAN vs MAY debate
* (Apoorva) if the Tx does not contain events supported should it reject?
* (Jen and Shayne) Support backwards compatibility and non-normative changes
* (Apoorva) Rather than default to defaulted channels error out
* (Yair) Implementations are broken regardless if the change is normative.
* (Shayne) Normative changes are ok.
* (Yair) In the spec you default to pull, but this would error if it is not supported or say the Tx is not supporting this method
* (Apoorva / Jen) return back 400 or 405 or 406? Not 418
* (Group consensus) 400 was the group vote
* (Shayne) Issue 246
* (Shayne) Tx creates the audience value ahead of time for the Rx (new in the Interop)
* (Shayne) find a place in the spec that says this.
* (Shayne) If the aud value is agreed upon out of band then the Rx must validate it during stream creation.
* (Apoorva) aud is Tx supplied. In addition to what is in the Issue. The aud value returned in the stream creation API should be validated by the Rx.
* (Shayne Apoorva Jen) Talking about when you validate the aud value. Stream Response from Stream Create Request.
* (Shayne) if it is decided out of band it should be validated between the Tx and Rx
* (Apoorva) why would need to get the streams that are created
* (Apoorva) validate the set aud to match the stream aud
* (Yair) if the Rx provides the value it is different from the Tx. If the Rx does not validate then you open yourself up to receiving events from someone else or spoofing.
* (Sean Yair Shayne Jen) Talking about Rx supplied vs Tx created
* (Jen) the aud is agreed upon out of band and is agreed upon
* (Yair) makes it unique with a binding pair
* (Shayne) how can a Rx validate the aud?
* (Sean) it's like clientID maybe?
* (Jen)?
* (Yair) aud is the flipped side
* (Apoorva) can we table it?
* (Jen) Try rephrasing it
* Issue 245
* (Shayne) relationship between Tx and Authorization Server
* (Jen) text is confusing in interop profile
* (Jen) existing text must support at least one of the following for a short lived AT
* (Jen Shayne) Talking about authorization server and MUST obtain an access_token out of band
* (Jen and Apoorva) there is a PR to reorganize this ISSUE
* (Apoorva) What is the role of a resource server and authorization server?
* (Apoorva and Jen) will work together on this to push it over the finish line.
* (Apoorva and Jen) will open the issue and get wording down pat
* (Shayne) Issue 243
* (Jen Shayne Sean) SHOULD was agreed to and the interop profile is going to match on the same PR
* (Shayne) Issue 244 EVENT METADATA!!! Thunderdome!
* (Shayne) updating comment of Issue - Should be representative of the event rather than the subject.
* (Apoorva) remove "or actions" from line 177.
* (Jen) agreed
* (Sean) agreed and [:pray:]
* (Shayne) Rx's were overloading reason_admin
* (Thomas and Sean) what were you going to do and what can you pass in? Examples were given.
* (Apoorva Jen Sean) Size of the JWT will be an issue
* (Apoorva) makes interoperability hard
* (Jen Sean) not sure about that
* (Shayne) There is going to be a struggle to get shit done between 2 companies versus all companies
* (Apoorva) provide clear guidance on when, why, what to use
* (Apoorva) Issue 225 was reverted and asking why?
* (Everyone) see https://hackmd.io/@oidf-wg-sse/wg-meeting-20250211
* (Shayne Apoorva) Approved. Putting events_supported back into the well-known endpoint.
* (Sean) to approve.
* (Jen Shayne) Can close Issue 202
Review Issues
Action Items