<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Arial">Hi Tony, not sure I understand your point.<br>
<br>
Are you saying that we (the proposers of the new WG) *technically*
needn't account for feedback such as Torsten's in this review
cycle?<br>
<br>
Paul<br>
<br>
</font>
<div class="moz-cite-prefix">On 7/2/13 1:03 PM, Anthony Nadalin
wrote:<br>
</div>
<blockquote
cite="mid:e0ba0360ae0d4401a7559c81b992859a@BY2PR03MB189.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Since
this is slated to be an OpenID WG, it’s what the WG wants to
do.<o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-bounces@lists.openid.net">mailto:openid-specs-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Torsten Lodderstedt<br>
<b>Sent:</b> Tuesday, July 2, 2013 9:53 AM<br>
<b>To:</b> Paul Madsen<br>
<b>Cc:</b> John Bradley; <a class="moz-txt-link-abbreviated" href="mailto:ashishjain@vmware.com">ashishjain@vmware.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs@lists.openid.net">openid-specs@lists.openid.net</a><br>
<b>Subject:</b> Re: Native application SSO Working Group<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Paul,<br>
<br>
got it :-) Would it make sense to add this assumption to the
charter? <br>
<br>
Does this mean:<br>
- a single AZA manages access to multiple authz servers?<br>
- an app needs to be able to register its authz server/idp at
the AZA?<br>
<br>
Thanks,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
Paul Madsen &lt;<a moz-do-not-send="true"
href="mailto:pmadsen@pingidentity.com">pmadsen@pingidentity.com</a>&gt;
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Arial","sans-serif"">Hi
Torsten, wrt the possibility of an id_token being used
against a 'home' IdP, the current model is that it would
be the AZA that would perform this exchange</span>, not
the native app itself. This is because the overarching
assumption is that the AZA should do as much of the
heavy lifting as possible, and thereby simplify life for
the native apps.<br>
<br>
But that is separate, I think, from the use case of a
native app wanting to consume an id_token directly (for
access control, customization etc.), and so I will look at
the charter to make sure this scenario is supported.<br>
<br>
paul<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 7/2/13 11:31 AM, Torsten
Lodderstedt wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
<br>
I agree with Nat on this use case. Another one is that
the app wants to use the id_token as credential on its
"home" IDP (probably via JWT bearer token profile). This
is more or less 3rd party login for apps.<br>
<br>
regards,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
Nat Sakimura <a moz-do-not-send="true"
href="mailto:sakimura@gmail.com">&lt;sakimura@gmail.com&gt;</a>
wrote:
<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Yes. If the app wants the
identity information to evaluate its own access
control, then it would probably want to know about
the user identity (i.e., set of attributes related
to the entity), and id_token is the right thing.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">When I was talking to some
law enforcement people in EU, they were talking
similar things. Right now, we do not have any
location data defined in the claims, but we may
also want to do so in such cases. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Nat<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/7/3 Paul Madsen &lt;<a
moz-do-not-send="true"
href="mailto:paulmadsen@rogers.com"
target="_blank">paulmadsen@rogers.com</a>&gt;<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif"">Hi
Nat, the current AZA model does not
preclude an access token being formatted
as an id_token.<br>
<br>
I believe Torsten was conjecturing that
there was potential value in an id_token
being delivered to a native app in
addition to an access token (whether
formatted as id_token or not)<br>
<br>
Regards</span><span
style="font-family:"Arial","sans-serif";color:#888888"><br>
<br>
<span class="hoenzb">paul</span><br>
<span class="hoenzb"> </span></span> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 7/2/13 10:53 AM,
Nat Sakimura wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">I actually do see
some utility in the access token in
the format of ID Token.
<o:p></o:p></p>
<div>
<p class="MsoNormal">It can give
appropriate audience restriction
etc. <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/7/2 Paul
Madsen &lt;<a
moz-do-not-send="true"
href="mailto:paulmadsen@rogers.com"
target="_blank">paulmadsen@rogers.com</a>&gt;<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-family:"Arial","sans-serif"">Hi Torsten,
the current model is that
the Authorization Agent
(AZA) may itself obtain an
id_token and use it to
obtain an access token, but
that only access tokens
would be 'handed over' by
the AZA to its constituent
native apps.<br>
<br>
Are you proposing that there
may be value in allowing the
AZA to also hand over
id_tokens (suitably
targeted) as well?<br>
<br>
paul</span><o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On
7/1/13 1:38 PM, Torsten
Lodderstedt wrote:<o:p></o:p></p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Hi
John,<br>
<br>
I interpreted the text
of the charter the other
way around, so a client
would be able to use
an(y) id_token (as a
credential) to obtain an
access token. I'm fine
if the mechanism is
intended to support
id_token issuance.<br>
<br>
regards,<br>
Torsten.<br>
<br>
On 01.07.2013 15:06,
John Bradley wrote:<br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi
Torsten, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In
point 3 the charter
talks about using
id_tokens to get
access tokens.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So
it is imagined that
the mechanism would
issue id_tokens
likely along the
lines that Google is
doing for the play
store by having a
3rd party as an
audience and using
"azp" to indicate
the client the token
was issued to. We
don't want to be too
specific on the
solution in the
charter.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If
you think something
needs to be added
let me know.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John
B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p
class="MsoNormal">On
2013-07-01, at
2:17 AM, Torsten
Lodderstedt &lt;<a
moz-do-not-send="true" href="mailto:torsten@lodderstedt.net"
target="_blank">torsten@lodderstedt.net</a>&gt;
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p
class="MsoNormal"
style="margin-bottom:12.0pt">Hi,<br>
<br>
it would be
great to have
such a mechanism
across
platforms!<br>
<br>
I'm wondering
whether the
mechanism should
issue id tokens
as well. Right
now it seems to
focus on access
tokens.<br>
<br>
Regards,<br>
Torsten.<o:p></o:p></p>
<div>
<p
class="MsoNormal"><br>
<br>
John Bradley
&lt;<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>&gt;
wrote:
<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC
1.0pt;padding:0in
0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<pre style="white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif"">The enclosed Work Group Charter is being sent to the Specs Council for review in anticipation of chartering the Group.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">It is best to have this activity under the foundation IPR as soon as possible.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">Regards<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">John B.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<div
style="border:none;border-bottom:solid
black
1.0pt;padding:0in
0in 0in
0in;margin-top:30.0pt;margin-bottom:12.0pt">
<p
class="MsoNormal"><o:p> </o:p></p>
</div>
<pre style="text-align:center;white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif""><hr align="center" size="2" width="100%"></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">specs mailing list<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></span></pre>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) <o:p></o:p></p>
<div>
<p class="MsoNormal">Chairman,
OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) <o:p></o:p></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</blockquote>
</div>
</div>
</blockquote>
<br>
</body>
</html>