<html><head/><body><html><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /></head><body bgcolor="#FFFFFF" text="#000000">Hi Paul,<br>
<br>
Got it :-) Would it make sense to add this assumption to the charter? <br>
<br>
Does this mean:<br>
- a single AZA manages access to multiple authz servers?<br>
- an app needs to be able to register its authz server/idp at the AZA?<br>
<br>
Thanks,<br>
Torsten.<br><br><div class="gmail_quote"><br>
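<br />Added example, not part of this thread or of any draft it discusses: the check a native app would run on an id_token handed over by an AZA in the model John Bradley describes below (the app is one of the audiences in <code>aud</code>, and <code>azp</code> names the client the token was issued to). The issuer URL, client ids, key and HS256 signing are constructed assumptions so the demo runs offline; a real OP signs with RS256 and the app verifies against the OP's JWKS.<br />

```python
import base64, hashlib, hmac, json

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    # Constructed stand-in for the OP/AZA issuer (HS256 only to keep the demo self-contained).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token, key, issuer, my_client_id, trusted_azp, now):
    """Return the claims if the id_token is acceptable for this native app, else raise ValueError.
    `now` is the current time in epoch seconds; `trusted_azp` is the set of AZA client ids we accept."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust 'alg' from the token
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if my_client_id not in aud:
        raise ValueError("not addressed to this app")  # the 3rd-party app must be in aud
    azp = claims.get("azp")
    if len(aud) > 1 and azp is None:
        raise ValueError("multiple audiences but no azp")
    if azp is not None and azp not in trusted_azp:
        raise ValueError("azp is not a trusted AZA")  # token was issued to some other client
    return claims

def rejection_reason(token, key, issuer, my_client_id, trusted_azp, now):
    """None when the token is acceptable, otherwise the reason it was refused."""
    try:
        validate_id_token(token, key, issuer, my_client_id, trusted_azp, now)
        return None
    except ValueError as err:
        return str(err)
```
<br />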
<br>
Paul Madsen &lt;pmadsen@pingidentity.com&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Arial">Hi Torsten, wrt the possibility of an id_token
being used against a 'home' IdP, the current model is that it
would be the AZA that would perform this exchange</font>, not the
native app itself - this because the overarching assumption is
that the AZA should do as much of the heavy lifting as possible -
and thereby simplify life for the native apps.<br />
<br />
But that is separate I think from the use case of a native app
wanting to consume an id_token directly (for access control,
customization etc) and so I will look at the charter to make sure this
scenario is supported.<br />
<br />
paul<br />
<br />
<br />
<div class="moz-cite-prefix">On 7/2/13 11:31 AM, Torsten Lodderstedt
wrote:<br />
</div>
<blockquote cite="mid:c42d2d85-d41b-434a-8f36-599adf83b299@email.android.com" type="cite">Hi,<br />
<br />
I agree with Nat on this use case. Another one is that the app
wants to use the id_token as credential on its "home" IDP
(probably via JWT bearer token profile). This is more or less 3rd
party login for apps.<br />
<br />
regards,<br />
Torsten.<br />
<br />
<div class="gmail_quote"><br />
<br />
Nat Sakimura <a class="moz-txt-link-rfc2396E" href="mailto:sakimura@gmail.com">&lt;sakimura@gmail.com&gt;</a> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div dir="ltr">Yes. If the app wants the identity information
to evaluate its own access control, then it would probably
want to know about the user identity (i.e., set of
attributes related to the entity), and id_token is the right
thing.
<div>
<br />
</div>
<div>When I was talking to some law enforcement people in
the EU, they were talking about similar things. Right now, we do not
have any location data defined in the claims, but we may
also want to do so in such cases. </div>
<div><br />
</div>
<div style="style">Nat</div>
</div>
<div class="gmail_extra"><br />
<br />
<div class="gmail_quote">2013/7/3 Paul Madsen <span dir="ltr"><<a moz-do-not-send="true" href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>></span><br />
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font face="Arial">Hi Nat, the current AZA model does not
preclude an access token being formatted as an
id_token.<br />
<br />
I believe Torsten was conjecturing that there was
potential value in an id_token being delivered to a
native app in addition to an access token (whether
formatted as id_token or not).<br />
<br />
Regards<span class="HOEnZb"><font color="#888888"><br />
<br />
paul<br />
</font></span></font>
<div>
<div class="h5"><br />
<div>On 7/2/13 10:53 AM, Nat Sakimura wrote:<br />
</div>
<blockquote type="cite">
<div dir="ltr">I actually do see some utility in
the access token in the format of ID Token.
<div>It can give appropriate audience
restriction etc. </div>
</div>
<div class="gmail_extra"><br />
<br />
<div class="gmail_quote"> 2013/7/2 Paul Madsen
<span dir="ltr"><<a moz-do-not-send="true" href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>></span><br />
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font face="Arial">Hi Torsten, the current
model is that the Authorization Agent
(AZA) may itself obtain an id_token
and use it to obtain an access token,
but that only access tokens would be
'handed over' by the AZA to its
constituent native apps.<br />
<br />
Are you proposing that there may be
value in allowing the AZA to also hand
over id_tokens (suitably targeted) as
well?<br />
<br />
paul<br />
<br />
</font>
<div>
<div>
<div>On 7/1/13 1:38 PM, Torsten
Lodderstedt wrote:<br />
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div> Hi John,<br />
<br />
I interpreted the text of the
charter the other way around, so a
client would be able to use an(y)
id_token (as a credential) to
obtain an access token. I'm fine
if the mechanism is intended to
support id_token issuance.<br />
<br />
regards,<br />
Torsten.<br />
<br />
On 01.07.2013 15:06, John Bradley wrote:<br />
<blockquote type="cite"> Hi
Torsten,
<div><br />
</div>
<div>In point 3 the charter
talks about using id_tokens to
get access tokens.</div>
<div><br />
</div>
<div>So it is imagined that the
mechanism would issue
id_tokens likely along the
lines that Google is doing for
the Play Store by having a 3rd
party as an audience and using
"azp" to indicate the client
the token was issued to. We
don't want to be too specific
on the solution in the
charter.</div>
<div><br />
</div>
<div>If you think something
needs to be added let me know.</div>
<div><br />
</div>
<div>John B.</div>
<div><br />
</div>
<div>
<div>
<div>On 2013-07-01, at 2:17
AM, Torsten Lodderstedt
<<a moz-do-not-send="true" href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>>
wrote:</div>
<br />
<blockquote type="cite">Hi,<br />
<br />
It would be great to have
such a mechanism across
platforms!<br />
<br />
I'm wondering whether the
mechanism should issue id
tokens as well. Right now
it seems to focus on
access tokens.<br />
<br />
Regards,<br />
Torsten.<br />
<br />
<div class="gmail_quote"><br />
<br />
John Bradley <<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>
wrote:
<blockquote class="gmail_quote" style="margin:0pt 0pt
0pt
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">
<pre style="white-space:pre-wrap;word-wrap:break-word;font-family:sans-serif;margin-top:0px">The enclosed Work Group Charter is being sent to the Specs Council for review in anticipation of chartering the Group.
It is best to have this activity under the foundation IPR as soon as possible.
Regards
John B.
</pre>
<div style="margin-top:2.5em;margin-bottom:1em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(0,0,0)"><br />
</div>
<pre style="white-space:pre-wrap;word-wrap:break-word;font-family:sans-serif;margin-top:0px"><hr />
specs mailing list
<a moz-do-not-send="true" href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a>
<a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br />
</div>
</blockquote>
<br />
<br />
<fieldset></fieldset>
<br />
</div>
</div>
</blockquote>
<br />
</div>
<br />
<br />
</blockquote>
</div>
<br />
<br clear="all" />
<div><br />
</div>
-- <br />
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br />
<a moz-do-not-send="true" href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br />
@_nat_en</div>
</div>
</blockquote>
<br />
</div>
</div>
</div>
</blockquote>
</div>
<br />
<br clear="all" />
<div><br />
</div>
-- <br />
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br />
<a moz-do-not-send="true" href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br />
@_nat_en</div>
</div>
</blockquote>
</div>
</blockquote>
<br />
</blockquote></div></body></html></body></html>