Do a survey on the revision of the OIDC
Five years have passed since we ratified OIDC 1.0.
Like in ISO, we probably should do a survey on whether we should do a revision.
In ISO, the questionnaire will be like:
- Revise
- Confirm
- Stabilize
- Cancel
If the answer was "Revise", then there will be a question of
- Major revision
- Minor revision
Comments (5)
-
-
+1 to the points made by @mbj
-
reporter The purpose of such a survey is to measure the temperature around it. Organizations like ISO require doing the survey (called a systematic review) at least every 5 years (they usually do the pre-survey in 3 years), and in many cases the technical committee recommends doing no revision. FYI, the choices are:
- confirm (i.e., no revision)
- minor revision (only doing a very limited set of changes. Similar to publishing errata integrated version.)
- full revision
- withdrawal
From the point of view of the board, it will need the input from the technical community, i.e., WG in this case, to make any decision.
From the process sanity point of view, it is good to record the result of such review periodically.
Chair hat off:
- my sense for the Core 1.0 is either "confirm" or "minor revision"
-
reporter - changed status to open
On the 2021-06-15 call, @David Waite pointed out that there should be guidance around OAuth metadata and opened metadata; use of PKCE, etc. falls into this bucket.
@Michael Jones suggested that it can be dealt with in an Implementers Note instead of a minor revision, and David agreed.
So the questionnaire options are now:
- confirm
- minor revision
- Implementers Note
As to the trigger events, browser interaction changes, OAuth changes, etc. were suggested. Vittorio will write about it in this ticket.
-
On the 14-Jun-21 working group call, we discussed that the time to do a survey would probably be once there are major technology triggers in place driving the need for changes - such as knowing how the browser interactions/privacy changes are going to shake out and what methods will be available to continue doing federated login on the Web. Doing a survey before we know those outcomes would likely be premature, as we wouldn’t yet have actionable information to base any revisions on.
-
I've thought about this for a while and I believe that it's not yet time to do this survey. There's a lot of work on the working group's plate - finishing errata, session management, front-channel logout, back-channel logout, and federation. We should double-down on all of that important work and finish it before we even consider revising Connect in any way.
Also, I believe that any such possibility should first be discussed by the board before being presented to the working group. The possibility of changing Connect in any way could introduce feelings of unease and instability in the marketplace that could be detrimental to adoption. Any actual changes would necessarily fragment deployments.
We should not undertake the possibility of revisions lightly since Connect is the technical foundation of nearly all the work that the OpenID Foundation is doing, including work in other working groups such as MODRNA, iGov, HEART, FAPI, etc. All working groups would be affected and so this isn't a decision that should belong to the Connect working group alone. Doing so would have to be a Foundation-wide decision.