<div dir="ltr"><div dir="ltr">Hi all,<div>Here are the notes from today's call. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20250520">here</a>.</div><div><br></div><div>Atul</div><div><br></div></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"><table style="border:none;border-collapse:collapse"><tbody><tr><td style="vertical-align:top;padding:5pt;overflow:hidden"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline"> Atul Tulshibagwale</span></p><p dir="ltr" style="line-height:1.5;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Poppins,sans-serif;color:rgb(102,102,102);background-color:transparent;vertical-align:baseline"> CTO</span></p></td></tr></tbody></table>---</div><div dir="ltr" style="margin-left:0pt" align="left"><h1 class="gmail-part" id="gmail-WG-Meeting-2025-05-20">WG Meeting: 2025-05-20</h1><h2 class="gmail-part gmail-in-view" id="gmail-Agenda">Agenda</h2><ul class="gmail-part gmail-in-view">
<li class="gmail-">Cancel meeting during Identiverse?</li>
<li class="gmail-">Working Group Last Call</li>
<li class="gmail-">Questions about Receiver endpoint auth (<a href="https://github.com/openid/sharedsignals/issues/258" target="_blank" rel="noopener">https://github.com/openid/sharedsignals/issues/258</a>)</li>
<li class="gmail-">Proposal to add interop profile to the last call</li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Attendees">Attendees</h2><ul class="gmail-part gmail-in-view">
<li class="gmail-">Atul Tulshibagwale (SGNL)</li>
<li class="gmail-">Tushar Raibhandare (Google)</li>
<li class="gmail-">Shayne Miel (Cisco)</li>
<li class="gmail-">Yair Sarig (Omnissa)</li>
<li class="gmail-">Apoorva Deshpande (Okta)</li>
<li class="gmail-">John Marchesini (Jamf)</li>
<li class="gmail-">Jen Schreiber (Workday)</li>
<li class="gmail-">Sean O'Dell (Disney)</li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Notes">Notes</h2><h3 class="gmail-part gmail-in-view" id="gmail-Cancel-the-meeting-on-June-3rd">Cancel the meeting on June 3rd?</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">Agreed</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-WGLC">WGLC</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">Last date to respond: EOD on 5/27</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Recever-Endpoint-Auth">Receiver Endpoint Auth</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">We talk about the authorization / authentication of the Transmitter endpoint</li>
<li class="gmail-">In PUSH, the receiver owns it, so how is it authenticated?</li>
<li class="gmail-">Can the receiver push API have an authorization requirement?</li>
<li class="gmail-">Is this the only authorization supported?</li>
<li class="gmail-">(Apoorva) The current spec may lead implementers to believe that the value of the <code>authorization_header</code> is just the value part of the HTTP <code>Authorization</code> request header. If we change the format, it might break implementations</li>
<li class="gmail-">(Tushar) We could also specify that it can be an open endpoint</li>
<li class="gmail-">(Yair) We could add another configuration field called <code>authorization_header_name</code> which can be used in conjunction with the <code>authorization_header</code> to specify a header value other than <code>Authorization</code></li>
<li class="gmail-">(Shayne) Or we could just add another field called <code>headers</code>, where you could add any custom headers and their values</li>
<li class="gmail-">(Apoorva) This is guided by RFC 8935 (section 5.1)</li>
<li class="gmail-">(Tushar) Right now we only specify the Authorization request header value.</li>
<li class="gmail-">(Tushar) Should OAuth be allowed?</li>
<li class="gmail-">(Yair) If someone provides an authorization</li>
<li class="gmail-">(Apoorva) We shouldn't add OAuth specific language here, but if a push endpoint does support OAuth it would just work.</li>
<li class="gmail-">(Tushar) We could still clarify that the content of the <code>authorization_header</code> is just the value and not the name of the request header.</li>
<li class="gmail-">(Sean) Providing examples would be good enough. 3 examples - OAuth, Auth header, and cert-based</li>
<li class="gmail-">(Yair) Specifying a value without the name of the header could be confusing. Adding the header name will clarify it</li>
<li class="gmail-">(Shayne) We do say it is the <code>Authorization</code> request header</li>
<li class="gmail-">(Yair) but then does the value include the <code>Bearer</code> or other prefix?</li>
<li class="gmail-">(Shayne)</li>
<li class="gmail-">(Atul) Update text to reference HTTP header</li>
<li class="gmail-">(Atul) is taking the action to call out the Authorization use or non-standard use and will annotate this in the email to the larger group that this might cause backward compatibility issues based on prior implementers' implementation</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Add-Interop-spec-to-last-call">Add Interop spec to last call?</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">(Apoorva) We have used this spec in the Gartner interop, so should we add it to the last call for final?</li>
<li class="gmail-">(Jen) We had postponed it the last time we discussed, because we <span class="gmail-smartypants">…</span></li>
<li class="gmail-">(Shayne)</li>
<li class="gmail-">(Apoorva) Because most of the implementations are based on this, should we push it to final?</li>
<li class="gmail-">(Jen) Perhaps we can do this after Identiverse?</li>
<li class="gmail-">(Sean) How about using V1 Final as a baseline for the interop spec?</li>
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Action-Items">Action Items</h2><ul class="gmail-part gmail-in-view">
<li class="gmail-">Atul to add the reference to the <code>Authorization</code> HTTP request header in section 6.1.1</li></ul></div></span></div></div></div>