
connect / Browser Interactions Special Topics Call - 20210714

OIDC Browser Interactions Special Topics Call


Attendees

  • Tim Cappalli (Microsoft Identity)
  • John Bradley (Yubico)
  • George Fletcher (Verizon)
  • Brock Allen
  • Heather Flanagan
  • David Waite (Ping)
  • Kristina Yasuda (Microsoft Identity)
  • Vittorio Bertocci (Auth0)
  • Brian Campbell (Ping)
  • Tom Jones

Agenda

  • Intros, reintros, agenda bash
  • W3C Federated Identity WG update (Charter work)
  • Use case reviews
  • Topics for next call
  • Open Discussion


W3C Federated Identity CG Update

{Heather} officially exists. still bootstrapping. Administrative things like chair selection and getting first call scheduling. Sign up here:

{Vittorio} what's the sign up rate from browser folks?

{Heather} 40 people have signed up: Mozilla and Google will be joining. Nothing from Apple

{Tim} Microsoft in legal review

{Vittorio} straw poll: who is joining

{George} planning to join

{Brian} joined

{John Bradley} planning to

{Tom Jones} Which endpoints would an RP host for identity? OIDF didn't like my definition of federation. I see healthcare as one big federation.

{Vittorio} Charter has a very simple definition of federated authentication

{Tom Jones} Another example: federation of states who issue driver's license

{John} Federation of sovereign independent entities

{Heather} The federation itself is out of scope (how it runs, how it forms, etc)

{Heather} Authentication and identity verification are not the same

{Vittorio} Core of this WG is providing continuity for existing workflows that businesses depend on

{John} SIOP profile of OIDC that is seeing a resurgence, aka IdP is something on the user's device. Making sure things aren't more broken.

Use Case Reviews

George presented the redirect-based SSO use case, specifically the case where RPs share the same eTLD+1 as the IdP. A cookie shared on the root domain carries the login state. State could also be shared via postMessage in an iframe.

{Vittorio} Maybe go deeper. ex: cookie is present but for a different user. Chop into different scenarios

{George} Agreed: redirect-based SSO is a bunch of different use cases. Will make them more specific / descriptive

{Brock} via chat: another suggestion: it might be useful to include the RP/client-side cookies that are issued as part of the authorize request workflow. IOW, include the fact that there's a cookie created and needed in the protocol workflow from the RP/client. I'm thinking nonce/state cookies, BTW

{Vittorio} what about licensing when we move this stuff to W3C repo?

{George} Folks should check with their legal team

{Vittorio} also need to remove IETF / notewell references
