<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">+1<br>
<br>
</font>
<div class="moz-cite-prefix">On 7/2/13 2:15 PM, John Bradley wrote:<br>
</div>
<blockquote
cite="mid:A3BB5A10-846C-4460-ABDB-BF03705DB4CE@ve7jtb.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Correct, and feedback from the specs list can and should influence
the final charter's scope.
<div><br>
</div>
<div>I agree that we need to consider how an agent would work with
multiple authorization servers rather than being hardcoded to
only one.</div>
<div><br>
</div>
<div>Google's Play Store is an example of an authorization agent
that is getting either access tokens for Google API, or
id_token/assertions for 3rd party API.</div>
<div><br>
</div>
<div>At the moment it is up to the app in the 3rd party case to
decide if it wants to use the id_token as an access token or in a
JWT assertion flow at a 3rd party AS to get an access token.</div>
<div><br>
</div>
<div>I think the changes we made to Connect to support the use of
id_tokens as JWTs allow us some flexibility.</div>
<div><br>
</div>
<div>In some cases the AZA might perform the function of trading an
id_token/assertion to a 3rd party AS and getting back an access
token to give to the app.</div>
<div><br>
</div>
<div>I think the charter should allow for all of those scenarios,
though the WG may decide to only support a subset of options in
a specification.</div>
<div><br>
</div>
<div>John B.</div>
<div><br>
</div>
<div><br>
<div>
<div>On 2013-07-02, at 1:55 PM, Anthony Nadalin <<a
moz-do-not-send="true" href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div bgcolor="#FFFFFF">
<div>
<div style="font-size:11pt;
font-family:Calibri,sans-serif">Just saying that
ultimately the WG decides what the work product is,
regardless of input but constrained by the charter.
<br>
<br>
Sent from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span style="font-size:11pt;
font-family:Calibri,sans-serif; font-weight:bold">From:
</span><span style="font-size:11pt;
font-family:Calibri,sans-serif"><a
moz-do-not-send="true"
href="mailto:paulmadsen@rogers.com">Paul Madsen</a></span><br>
<span style="font-size:11pt;
font-family:Calibri,sans-serif; font-weight:bold">Sent:
</span><span style="font-size:11pt;
font-family:Calibri,sans-serif">7/2/2013 10:26 AM</span><br>
<span style="font-size:11pt;
font-family:Calibri,sans-serif; font-weight:bold">To:
</span><span style="font-size:11pt;
font-family:Calibri,sans-serif"><a
moz-do-not-send="true"
href="mailto:tonynad@microsoft.com">Anthony Nadalin</a></span><br>
<span style="font-size:11pt;
font-family:Calibri,sans-serif; font-weight:bold">Cc:
</span><span style="font-size:11pt;
font-family:Calibri,sans-serif"><a
moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net">Torsten
Lodderstedt</a>;
<a moz-do-not-send="true"
href="mailto:pmadsen@pingidentity.com">Paul Madsen</a>;
<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">
John Bradley</a>; <a moz-do-not-send="true"
href="mailto:ashishjain@vmware.com">ashishjain@vmware.com</a>;
<a moz-do-not-send="true"
href="mailto:openid-specs@lists.openid.net">openid-specs@lists.openid.net</a></span><br>
<span style="font-size:11pt;
font-family:Calibri,sans-serif; font-weight:bold">Subject:
</span><span style="font-size:11pt;
font-family:Calibri,sans-serif">Re: Native application
SSO Working Group</span><br>
<br>
</div>
<div><font face="Arial">Hi Tony, not sure I understand
your point.<br>
<br>
Are you saying that we (the proposers of the new WG)
*technically* needn't account for feedback such as
Torsten's in this review cycle?<br>
<br>
Paul<br>
<br>
</font>
<div class="moz-cite-prefix">On 7/2/13 1:03 PM, Anthony
Nadalin wrote:<br>
</div>
<blockquote type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">Since this is slated to be an
OpenID WG, it’s what the WG wants to do.</span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D"> </span></a></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:windowtext">From:</span></b><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:windowtext">
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:openid-specs-bounces@lists.openid.net">
openid-specs-bounces@lists.openid.net</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:openid-specs-bounces@lists.openid.net">mailto:openid-specs-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Torsten Lodderstedt<br>
<b>Sent:</b> Tuesday, July 2, 2013 9:53 AM<br>
<b>To:</b> Paul Madsen<br>
<b>Cc:</b> John Bradley; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ashishjain@vmware.com">
ashishjain@vmware.com</a>; <a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:openid-specs@lists.openid.net">
openid-specs@lists.openid.net</a><br>
<b>Subject:</b> Re: Native application SSO
Working Group</span></p>
</div>
</div>
<div> <br class="webkit-block-placeholder">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi
Paul,<br>
<br>
got it :-) Would it make sense to add this
assumption to the charter? <br>
<br>
Does this mean:<br>
- a single AZA manages access to multiple authz
servers?<br>
- an app needs to be able to register its authz
server/idp at the AZA?<br>
<br>
Thanks,<br>
Torsten.</p>
<div>
<p class="MsoNormal"><br>
<br>
Paul Madsen <<a moz-do-not-send="true"
href="mailto:pmadsen@pingidentity.com">pmadsen@pingidentity.com</a>>
schrieb:</p>
<blockquote style="border:none; border-left:solid
#CCCCCC 1.0pt; padding:0in 0in 0in 6.0pt;
margin-left:4.8pt; margin-right:0in">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-family:"Arial","sans-serif"">Hi
Torsten, wrt the possibility of an id_token
being used against a 'home' IdP, the current
model is that it would be the AZA that would
perform this exchange</span>, not the native
app itself. This is because the overarching
assumption is that the AZA should do as
much of the heavy lifting as possible, and
thereby simplify life for the native apps.<br>
<br>
But that is separate, I think, from the use case
of a native app wanting to consume an
id_token directly (for access control,
customization etc.) and so I will look at the
charter to make sure this scenario is
supported.<br>
<br>
paul<br>
<br>
</p>
<div>
<p class="MsoNormal">On 7/2/13 11:31 AM,
Torsten Lodderstedt wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="MsoNormal"
style="margin-bottom:12.0pt">Hi,<br>
<br>
I agree with Nat on this use case. Another
one is that the app wants to use the
id_token as credential on its "home" IDP
(probably via JWT bearer token profile).
This is more or less 3rd party login for
apps.<br>
<br>
regards,<br>
Torsten.</p>
<div>
<p class="MsoNormal"><br>
<br>
Nat Sakimura <a moz-do-not-send="true"
href="mailto:sakimura@gmail.com"><sakimura@gmail.com></a>
schrieb:
</p>
<blockquote style="border:none;
border-left:solid #CCCCCC 1.0pt;
padding:0in 0in 0in 6.0pt;
margin-left:4.8pt; margin-right:0in">
<div>
<p class="MsoNormal">Yes. If the app
wants the identity information to
evaluate its own access control, then
it would probably want to know about
the user identity (i.e., set of
attributes related to the entity), and
id_token is the right thing.
</p>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p class="MsoNormal">When I was
talking to some law enforcement
people in EU, they were talking
similar things. Right now, we do not
have any location data defined in
the claims, but we may also want to
do so in such cases. </p>
</div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p class="MsoNormal">Nat</p>
</div>
</div>
<div>
<div style="margin-bottom: 12pt; "> <br
class="webkit-block-placeholder">
</div>
<div>
<p class="MsoNormal">2013/7/3 Paul
Madsen <<a moz-do-not-send="true"
href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>></p>
<blockquote style="border:none;
border-left:solid #CCCCCC 1.0pt;
padding:0in 0in 0in 6.0pt;
margin-left:4.8pt; margin-right:0in">
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif"">Hi
Nat, the current AZA model
does not preclude an access
token being formatted as an
id_token.<br>
<br>
I believe Torsten was
conjecturing that there was
potential value in an id_token
being delivered to a native
app in addition to an access
token (whether formatted as
id_token or not).<br>
<br>
Regards</span><span
style="font-family:"Arial","sans-serif";
color:#888888"><br>
<br>
<span class="hoenzb">paul</span><br>
<span class="hoenzb"> </span></span>
</p>
<div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
<div>
<p class="MsoNormal">On
7/2/13 10:53 AM, Nat
Sakimura wrote:</p>
</div>
<blockquote
style="margin-top:5.0pt;
margin-bottom:5.0pt">
<div>
<p class="MsoNormal">I
actually do see some
utility in the access
token in the format of
an ID Token.
</p>
<div>
<p class="MsoNormal">It
can give appropriate
audience restriction
etc. </p>
</div>
</div>
<div>
<div style="margin-bottom:
12pt; "> <br
class="webkit-block-placeholder">
</div>
<div>
<p class="MsoNormal">2013/7/2
Paul Madsen <<a
moz-do-not-send="true"
href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>></p>
<blockquote
style="border:none;
border-left:solid
#CCCCCC 1.0pt;
padding:0in 0in 0in
6.0pt;
margin-left:4.8pt;
margin-right:0in">
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-family:"Arial","sans-serif"">Hi
Torsten, the
current model is
that the
Authorization
Agent (AZA) may
itself obtain an
id_token and use
it to obtain an
access token,
but that only
access tokens
would be 'handed
over' by the AZA
to its
constituent
native apps.<br>
<br>
Are you
proposing that
there may be
value in
allowing the AZA
to also hand
over id_tokens
(suitably
targeted) as
well?<br>
<br>
paul</span></p>
<div>
<div>
<div>
<p
class="MsoNormal">On
7/1/13 1:38
PM, Torsten
Lodderstedt
wrote:</p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;
margin-bottom:5.0pt">
<div>
<div>
<p
class="MsoNormal">Hi
John,<br>
<br>
I interpreted
the text of
the charter
the other way
around, so a
client would
be able to use
an(y) id_token
(as a
credential) to
obtain an
access token.
I'm fine if
the mechanism
is intended to
support
id_token
issuance.<br>
<br>
regards,<br>
Torsten.<br>
<br>
Am 01.07.2013
15:06, schrieb
John Bradley:<br>
<br>
</p>
<blockquote
style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p
class="MsoNormal">Hi
Torsten, </p>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p
class="MsoNormal">In
point 3 the
charter talks
about using
id_tokens to
get access
tokens.</p>
</div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p
class="MsoNormal">So
it is imagined
that the
mechanism
would issue
id_tokens
likely along
the lines that
Google is
doing for the
play store by
having a 3rd
party as an
audience and
using "azp" to
indicate the
client the
token was
issued to.
We don't want
to be too
specific on
the solution
in the
charter.</p>
</div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p
class="MsoNormal">If
you think
something
needs to be
added let me
know.</p>
</div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<p
class="MsoNormal">John
B.</p>
</div>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<div>
<div>
<div>
<p
class="MsoNormal">On
2013-07-01, at
2:17 AM,
Torsten
Lodderstedt
<<a
moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>>
wrote:</p>
</div>
<p
class="MsoNormal"><br>
<br>
</p>
<blockquote
style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p
class="MsoNormal"
style="margin-bottom:12.0pt">Hi,<br>
<br>
it would be
great to have
such a
mechanism
across
platforms!<br>
<br>
I'm wondering
whether the
mechanism
should issue
id tokens as
well. Right
now it seems
to focus on
access tokens.<br>
<br>
Regards,<br>
Torsten.</p>
<div>
<p
class="MsoNormal"><br>
<br>
John Bradley
<<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>
schrieb:
</p>
<blockquote
style="border:none;
border-left:solid
#CCCCCC 1.0pt;
padding:0in
0in 0in 6.0pt;
margin-left:4.8pt;
margin-right:0in">
<pre style="white-space:pre-wrap; word-wrap:break-word"><span style="font-family:"Arial","sans-serif"">The enclosed Work Group Charter is being sent to the Specs Council for review in anticipation of chartering the Group.</span></pre>
<pre><span style="font-family:"Arial","sans-serif""> </span></pre>
<pre><span style="font-family:"Arial","sans-serif"">It is best to have this activity under the foundation IPR as soon as possible.</span></pre>
<pre><span style="font-family:"Arial","sans-serif""> </span></pre>
<pre><span style="font-family:"Arial","sans-serif"">Regards</span></pre>
<pre><span style="font-family:"Arial","sans-serif"">John B.</span></pre>
<pre><span style="font-family:"Arial","sans-serif""> </span></pre>
<pre><span style="font-family:"Arial","sans-serif""> </span></pre>
<div
style="border:none;
border-bottom:solid
black 1.0pt;
padding:0in
0in 0in 0in;
margin-top:30.0pt;
margin-bottom:12.0pt">
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<pre style="text-align:center; white-space:pre-wrap; word-wrap:break-word"><span style="font-family:"Arial","sans-serif""><hr align="center" size="2" width="100%"></span></pre>
<pre><span style="font-family:"Arial","sans-serif""> </span></pre>
<pre><span style="font-family:"Arial","sans-serif"">specs mailing list</span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a></span></pre>
</blockquote>
</div>
</blockquote>
</div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
</blockquote>
<p
class="MsoNormal"><br>
<br>
<br>
</p>
</div>
</div>
</blockquote>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
</p>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) </p>
<div>
<p class="MsoNormal">Chairman,
OpenID Foundation<br>
<a
moz-do-not-send="true"
href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</p>
</div>
</div>
</blockquote>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
</p>
<div>
<div> <br
class="webkit-block-placeholder">
</div>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) </p>
<div>
<p class="MsoNormal">Chairman, OpenID
Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div> <br class="webkit-block-placeholder">
</div>
</blockquote>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me"><img src="cid:part30.05080807.05000207@aol.com"
alt="George Fletcher" height="113" width="359"></a></div>
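<p>Added example, not code from the thread or from any of the participants: how a 3rd party authorization server might check an id_token presented to it as a JWT bearer assertion, enforcing the two claims John Bradley describes for the Google Play Store pattern (the 3rd party AS listed in "aud", and "azp" naming the client the token was issued to) plus issuer, signature and expiry. The issuer URL, AS identifier, client id and HS256 shared key are constructed placeholders.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not values from the thread.
TRUSTED_ISSUERS = {"https://idp.example": b"constructed-shared-secret"}  # issuer -> HS256 key
THIS_AS = "https://as.example"        # our own AS identifier, must appear in "aud"
REGISTERED_AZP = {"aza-client-1"}     # AZA clients allowed to present assertions here


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, issuer_key: bytes) -> str:
    """Build an HS256 id_token; used here only to construct sample input."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(issuer_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_assertion(token: str, now=None) -> dict:
    """Return the claims if the id_token is acceptable as a bearer assertion
    at this AS, otherwise raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # reject "none" or any unexpected algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))  # key is selected by issuer, before trusting any claim
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if THIS_AS not in aud:  # the 3rd party AS must be an intended audience
        raise ValueError("this AS is not an audience")
    if claims.get("azp") not in REGISTERED_AZP:  # azp = client the token was issued to
        raise ValueError("azp is not a registered client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```

HS256 with a shared key keeps the example self-contained; a real AS would verify an asymmetric signature against the issuer's published keys instead.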
</body>
</html>