OIDC Browser Interactions Special Topics Call
2021-07-14
Attendees
- Tim Cappalli (Microsoft Identity)
- John Bradley (Yubico)
- George Fletcher (Verizon)
- Brock Allen
- Heather Flanagan
- David Waite (Ping)
- Kristina Yasuda (Microsoft Identity)
- Vittorio Bertocci (Auth0)
- Brian Campbell (Ping)
- Tom Jones
Agenda
- Intros, reintros, agenda bash
- W3C Federated Identity CG update (charter work)
- Use case reviews
- Topics for next call
- Open Discussion
Notes
W3C Federated Identity CG Update
{Heather} Officially exists; still bootstrapping. Administrative things like chair selection and getting the first call scheduled. Sign up here: https://www.w3.org/community/fed-id/
{Vittorio} What's the sign-up rate from browser folks?
{Heather} 40 people have signed up; Mozilla and Google will be joining. Nothing from Apple.
{Tim} Microsoft in legal review
{Vittorio} Straw poll: who is joining?
{George} planning to join
{Brian} joined
{John Bradley} planning to
{Tom Jones} Which endpoints would an RP host for identity? OIDF didn't like my definition of federation. I see healthcare as one big federation.
{Vittorio} The charter has a very simple definition of federated authentication.
{Tom Jones} Another example: a federation of states who issue driver's licenses.
{John} A federation of sovereign independent entities.
{Heather} The federation itself is out of scope (how it runs, how it forms, etc.).
{Heather} Authentication and identity verification are not the same.
{Vittorio} The core of this WG is providing continuity for existing workflows that businesses depend on.
{John} The SIOP profile of OIDC is seeing a resurgence, i.e. the IdP is something on the user's device. Making sure things aren't more broken.
Use Case Reviews
George presented the redirect-based SSO use case, specifically RPs sharing the same eTLD+1 as the IdP. A shared cookie on the root domain is used for login state; state could also be shared via postMessage to an iframe.
{Vittorio} Maybe go deeper, e.g. a cookie is present but for a different user. Chop it into different scenarios.
{George} Agreed: redirect-based SSO is a bunch of different use cases. Will make them more specific / descriptive.
{Brock} (via chat) Another suggestion: it might be useful to include the RP/client-side cookies that are issued as part of the authorize request workflow. IOW, include the fact that there's a cookie created and needed in the protocol workflow from the RP/client. I'm thinking nonce/state cookies, BTW.
{Vittorio} What about licensing when we move this stuff to the W3C repo?
{Heather} https://www.w3.org/community/about/agreements/cla/
{George} Folks should check with their legal team.
{Vittorio} Also need to remove IETF / Note Well references.