<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.hoenzb
{mso-style-name:hoenzb;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Since this is slated to be an OpenID WG, it’s what the WG wants to do.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"> openid-specs-bounces@lists.openid.net [mailto:openid-specs-bounces@lists.openid.net]
<b>On Behalf Of </b>Torsten Lodderstedt<br>
<b>Sent:</b> Tuesday, July 2, 2013 9:53 AM<br>
<b>To:</b> Paul Madsen<br>
<b>Cc:</b> John Bradley; ashishjain@vmware.com; openid-specs@lists.openid.net<br>
<b>Subject:</b> Re: Native application SSO Working Group<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Paul,<br>
<br>
got it :-) Would it make sense to add this assumption to the charter? <br>
<br>
Does this mean:<br>
- a single AZA manages access to multiple authz servers?<br>
- an app needs to be able to register its authz server/idp at the AZA?<br>
<br>
Thanks,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
Paul Madsen <<a href="mailto:pmadsen@pingidentity.com">pmadsen@pingidentity.com</a>> schrieb:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Arial","sans-serif"">Hi Torsten, wrt the possibility of an id_token being used against a 'home' IdP, the current model is that it would be the AZA that would perform this exchange</span>,
not the native app itself - this because the overarching assumption being that the AZA should do as much of the heavy lifting as possible - and thereby simplify life for the native apps.<br>
<br>
But that is separate I think from the use case of an native app wanting to consume an id_token directly (for access control, customization etc) and so i will look at charter to make sure this scenario is supported.<br>
<br>
paul<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 7/2/13 11:31 AM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
<br>
I agree with Nat on this use case. Another one is that the app wants to use the id_token as credential on its "home" IDP (probably via JWT bearer token profile). This is more or less 3rd party login for apps.<br>
<br>
regards,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
Nat Sakimura <a href="mailto:sakimura@gmail.com"><sakimura@gmail.com></a> schrieb:
<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Yes. If the app wants the identity information to evaluate its own access control, then it would probably want to know about the user identity (i.e., set of attributes related to the entity), and id_token is the right thing.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">When I was talking to some law enforcement people in EU, they were talking similar things. Right now, we do not have any location data defined in the claims, but we may also want to do so in such cases. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Nat<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/7/3 Paul Madsen <<a href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>><o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Hi Nat, the current AZA model does not preclude an access token being formatted as an id_token.<br>
<br>
I believe Torsten was conjecturing that there was potential value in an id_token being delivered to a native app in addition to an access token (whether formatted as id_token or not)<br>
<br>
Regards</span><span style="font-family:"Arial","sans-serif";color:#888888"><br>
<br>
<span class="hoenzb">paul</span><br>
<span class="hoenzb"> </span></span> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 7/2/13 10:53 AM, Nat Sakimura wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">I actually do see some utility in the access token in the format of ID Token.
<o:p></o:p></p>
<div>
<p class="MsoNormal">It can give appropriate audience restriction etc. <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/7/2 Paul Madsen <<a href="mailto:paulmadsen@rogers.com" target="_blank">paulmadsen@rogers.com</a>><o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Arial","sans-serif"">Hi Torsten, the current model is that the Authorization Agent (AZA) may itself obtain an id_token and use it to obtain an access token, but that only access tokens
would be 'handed over' by the AZA to its constituent native apps.<br>
<br>
Are you proposing that there may be value in allowing the AZA to also hand over id_tokens (suitably targeted) as well?<br>
<br>
paul</span><o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On 7/1/13 1:38 PM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Hi John,<br>
<br>
I interpreted the text of the charter the other way around, so a client would be able to use an(y) id_token (as a credential) to obtain an access token. I'm fine if the mechanism is intended to support id_token issuance.<br>
<br>
regards,<br>
Torsten.<br>
<br>
Am 01.07.2013 15:06, schrieb John Bradley:<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Torsten, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In point 3 the charter talks about using id_tokens to get access tokens.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So it is imagined that the mechanism would issue id_tokens likely along the lines that Google is doing for the play store by having a 3rd party as an audience and using "azp" to indicate the client the token was issued to. We don't want
to be too specific on the solution in the charter.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you think something needs to be added let me know.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On 2013-07-01, at 2:17 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
<br>
it would be great to have such a mechanism across platforms!<br>
<br>
I'm wondering whether the mechanism should issue id tokens as well. Right now it seems to focus on access tokens.<br>
<br>
Regards,<br>
Torsten.<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>> schrieb:
<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<pre style="white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif"">The enclosed Work Group Charter is being sent to the Specs Council for review in anticipation of chartering the Group.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">It is best have this activity under the foundation IPR as soon as possible.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">Regards<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">John B.<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<div style="border:none;border-bottom:solid black 1.0pt;padding:0in 0in 0in 0in;margin-top:30.0pt;margin-bottom:12.0pt">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<pre style="text-align:center;white-space:pre-wrap;word-wrap:break-word"><span style="font-family:"Arial","sans-serif""><hr size="2" width="100%" align="center"></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><o:p> </o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif"">specs mailing list<o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><o:p></o:p></span></pre>
<pre><span style="font-family:"Arial","sans-serif""><a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></span></pre>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>specs mailing list<o:p></o:p></pre>
<pre><a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><o:p></o:p></pre>
<pre><a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) <o:p></o:p></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat) <o:p></o:p></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</blockquote>
</div>
</div>
</body>
</html>