OpenID AB/Connect Call Note (2019-01-07)
Date: 2019-01-07 23:00 UTC
Location: GoToMeeting https://www3.gotomeeting.com/join/695548174
Agenda
- 1. Roll Call
- 2. Adoption of the agenda
- 3. Topics from the mailing list and previous calls
- 4. Internal Liaisons
- 5. Other organizations
- 6. Events (Nat)
- 7. Issues from the tracker
- 7.1. #1059: Core makes "aud" in request object optional unexpectedly (Joseph)
- 7.2. #1058: sector_identifier_uri should have a /.well-known/ path (James)
- 7.3. #1057: OIDC appears to override single-use nature of auth code in RFC6749 (Joseph)
- 7.4. #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (Rasitha)
- 8. AOB
The meeting was called to order at 23:04 UTC.
1. Roll Call
- Present: Nat, Brian, Edmund, Filip, George, John, Bjorn, Rich
- Regret:
2. Adoption of the agenda
- Removed "Status of Errata" as Mike was not available.
3. Topics from the mailing list and previous calls
3.1. Question about representing assurance and other entity categories in OIDC (Nick Roy)
- A URL is fine; there is also no need to register new short names.
3.2. Does anyone know of any implementations of self-issued id (Tom Jones)
- http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20181217/007122.html
- Nat has sent Tom message with some information.
- Others are welcome to contribute more information about other implementations.
3.3. Native SSO specs (George)
- It is a way to do SSO between native apps from the same company using a backchannel mechanism.
- Basically, it allows the Authorization Server to issue a device instance "secret" that is put in a shared key store; the ID Token references that context.
- When doing SSO for a user into another app on the same device, the app sends the ID Token from the first app, bound to the shared secret.
- SSO is only possible on that device.
- The first app requests a new scope that returns the secret.
- The second app sends the device secret to obtain a new access token.
- George to send the draft to the list. Nat will ask the WG if there is any objection to adopting it as new work.
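As an added illustration of the flow described above (example code written for these notes, not George's draft nor any product's implementation): the first app asks for an assumed `device_sso` scope and receives a device secret alongside its ID Token; the ID Token carries an assumed `ds_hash` claim referencing that secret; the second app presents the ID Token plus the secret from the shared keystore and gets an access token for its own client_id. Tokens are HMAC-signed JSON rather than JWS purely to keep the example dependency-free; the scope and claim names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64encode

# Assumed names; the actual draft may use different scope/claim names.
DEVICE_SSO_SCOPE = "device_sso"
DS_HASH_CLAIM = "ds_hash"
ISSUER = "https://as.example"


def ds_hash(device_secret: str) -> str:
    """Reference to the device-secret context carried inside the ID Token."""
    digest = hashlib.sha256(device_secret.encode()).digest()
    return urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy AS. Tokens are HMAC-signed JSON (not JWS) to keep the example dependency-free."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._device_secrets: dict[str, str] = {}   # device_secret -> sub it was issued for

    def _sign(self, claims: dict) -> str:
        body = json.dumps(claims, sort_keys=True).encode()
        return body.hex() + "." + hmac.new(self._key, body, "sha256").hexdigest()

    def _verify(self, token: str) -> dict:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(hmac.new(self._key, body, "sha256").hexdigest(), sig):
            raise ValueError("bad token signature")
        return json.loads(body)

    def authenticate(self, client_id: str, sub: str, scope: set[str]) -> dict:
        """First app logs the user in. If it asked for the SSO scope, mint a device
        secret and reference it from the ID Token so the two are bound together."""
        id_claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": int(time.time())}
        resp = {"access_token": self._sign({"sub": sub, "aud": client_id, "typ": "at"})}
        if DEVICE_SSO_SCOPE in scope:
            device_secret = secrets.token_urlsafe(32)
            self._device_secrets[device_secret] = sub
            id_claims[DS_HASH_CLAIM] = ds_hash(device_secret)
            resp["device_secret"] = device_secret   # app stores this in the shared keystore
        resp["id_token"] = self._sign(id_claims)
        return resp

    def device_sso(self, client_id: str, id_token: str, device_secret: str) -> str:
        """Second app presents the first app's ID Token plus the device secret from the
        shared keystore and gets an access token for its own client_id."""
        claims = self._verify(id_token)
        sub = self._device_secrets.get(device_secret)
        if sub is None:
            raise PermissionError("unknown or revoked device secret")
        if claims.get(DS_HASH_CLAIM) != ds_hash(device_secret) or claims["sub"] != sub:
            raise PermissionError("ID Token is not bound to this device secret")
        return self._sign({"sub": sub, "aud": client_id, "typ": "at"})

    def audience_of(self, access_token: str) -> str:
        return self._verify(access_token)["aud"]


def demo() -> tuple[str, bool]:
    """Returns (aud of app2's token, whether a mismatched ID Token/secret pair was rejected)."""
    as_ = AuthorizationServer()
    # Device A: app1 logs alice in and stores what the second app will need.
    keystore_a = as_.authenticate("app1", "alice", {"openid", DEVICE_SSO_SCOPE})
    at_app2 = as_.device_sso("app2", keystore_a["id_token"], keystore_a["device_secret"])
    # Device B: a separate login yields its own secret; pairing it with device A's
    # ID Token must fail, which is what keeps SSO confined to the device holding both.
    keystore_b = as_.authenticate("app1", "alice", {"openid", DEVICE_SSO_SCOPE})
    try:
        as_.device_sso("app2", keystore_a["id_token"], keystore_b["device_secret"])
        cross_device_rejected = False
    except PermissionError:
        cross_device_rejected = True
    return as_.audience_of(at_app2), cross_device_rejected
```

The binding check is the whole point: an ID Token alone is a bearer artifact that could be copied off the device, so the AS only honours it together with the secret that never leaves the device's keystore.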
4. Internal Liaisons
- We will discuss if there is any report from the other WGs.
4.1. EAP (Mike)
n/a
4.2. FAPI (Nat)
- We are starting a CIBA profile for FAPI.
- Asked Torsten to write a technical white paper on security issues in related protocols.
- Nat made a call for adoption of it as the basis for a technical report.
4.5. iGov (John)
- Starting the implementer's draft vote at the end of the week.
- Received some feedback from Torsten for next draft
4.6. Modrna (Bjorn/John)
- Completed the update of the CIBA core spec.
- Announcement for the I-D will go out on Jan 14.
- A few issues came up during the public review.
- Game plan for the new year is to complete the Modrna profile for CIBA, bring the authentication spec to final, then the discovery profile.
- Will discuss process for introducing changes in next call.
4.7. RISC (Adam)
n/a
5. Other organizations
5.1. IETF: OAuth WG (Mike/John)
- Implicit flow.
- Rotation of refresh tokens after each call for a new access token.
- George asked how many AS implementations rotate refresh tokens on every access token call.
- Torsten is trying to find best practice for this.
- Some implementations can. Ping's is disabled by default now.
- How to detect replay from an inappropriate source? With multiple servers touching and reading the same refresh token and updating it from another one, there is a synchronization issue.
- Not an issue for a single application in a single user's browser. It becomes an issue of rotating tokens for specific types of clients.
- On unreliable networks, a device makes a refresh call, the AS processes the request and issues a new refresh token, but the client does not receive it.
- Consensus was reached on the mailing list with text. Torsten published another draft stating it shouldn't be done unless certain conditions are met.
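To make the two failure modes discussed above concrete, here is an added example (written for these notes, not code from any AS or from Torsten's draft) of refresh-token rotation with reuse detection. A replayed, superseded token revokes the whole grant; an optional `retry_window` (an assumption, not something the draft prescribes) lets the immediately previous token be re-presented for a few seconds and receive the same successor, which is what the lost-response case on an unreliable network needs. All tokens and the clock are constructed locally.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Grant:
    """The chain of refresh tokens issued for one authorization grant."""
    current: str
    previous: Optional[str] = None   # token just rotated out
    rotated_at: float = 0.0
    revoked: bool = False


class RotatingRefreshStore:
    """Refresh-token rotation with reuse detection.

    retry_window > 0 lets the immediately previous token be re-presented for that
    many seconds and get the *same* successor back (covers the lost-response case).
    retry_window == 0 is strict one-time use: any superseded token is a replay.
    """

    def __init__(self, retry_window: float = 0.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.retry_window = retry_window
        self.clock = clock
        self._grants: dict[str, Grant] = {}    # grant id -> Grant
        self._owner: dict[str, str] = {}       # refresh token -> grant id

    def issue(self) -> str:
        gid, tok = secrets.token_urlsafe(8), secrets.token_urlsafe(16)
        self._grants[gid] = Grant(current=tok, rotated_at=self.clock())
        self._owner[tok] = gid
        return tok

    def refresh(self, presented: str) -> str:
        gid = self._owner.get(presented)
        if gid is None:
            raise PermissionError("unknown refresh token")
        g = self._grants[gid]
        if g.revoked:
            raise PermissionError("grant revoked")
        if presented == g.current:
            new = secrets.token_urlsafe(16)
            g.previous, g.current, g.rotated_at = g.current, new, self.clock()
            self._owner[new] = gid
            return new
        within_grace = (self.retry_window > 0 and presented == g.previous
                        and self.clock() - g.rotated_at <= self.retry_window)
        if within_grace:
            return g.current          # idempotent retry; nothing new is minted
        g.revoked = True              # a superseded token came back: treat as replay
        raise PermissionError("refresh token reuse detected; grant revoked")

    def is_revoked(self, token: str) -> bool:
        return self._grants[self._owner[token]].revoked


class FakeClock:
    """Constructed clock so the scenarios below are deterministic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def replay_is_detected() -> bool:
    """Attacker copied rt0; the legitimate client rotates first; the copy is replayed."""
    store = RotatingRefreshStore()
    rt0 = store.issue()
    store.refresh(rt0)
    try:
        store.refresh(rt0)
        return False
    except PermissionError:
        return store.is_revoked(rt0)


def lost_response(retry_window: float) -> str:
    """AS rotates the token but the response never reaches the client, which
    retries two seconds later with the only token it still holds."""
    clock = FakeClock()
    store = RotatingRefreshStore(retry_window, clock=clock)
    rt0 = store.issue()
    rt1 = store.refresh(rt0)        # minted server-side, lost on the wire
    clock.now += 2.0
    try:
        return "recovered" if store.refresh(rt0) == rt1 else "unexpected"
    except PermissionError:
        return "locked-out"
```

With strict one-time use (`retry_window=0`) the retry after a lost response is indistinguishable from a replay and the user is logged out; with a grace window the retry recovers, but a token stolen and replayed inside that window also receives the successor, so detection is deferred until the window closes. Size the window for a network retry, not a user session, and back the grant state with a single consistent store, since the multi-server synchronization problem noted above defeats both the detection and the grace.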
5.2. IETF: Token Binding WG (John)
- Reverse proxy and TLS 1.3 negotiation.
- Nobody seems to be interested in 0-RTT.
- General prognosis of Token Binding.
- Microsoft is not removing it from the core system.
- Microsoft is now on the Chromium team, so we will see. The intent is that Microsoft will support it in Chromium and make it available for OS X and other Chromium platforms under the Edge badge.
- Mozilla will probably support it.
- Google's cookie syncing would be harmed by Token Binding, and it has been removed from Chrome.
- Some positive discussion with Apple as well. Their main concern is privacy. Thus, it is unlikely that 0-RTT will be allowed.
5.3. WebAuthn (FIDO/W3C) (John)
- WebAuthn is progressing in Safari. It only supports CTAP2.
5.5. ISO (Nat/Tony)
- Next SC 27 meetings are in the beginning of April.
6. Events (Nat)
6.1. 5 years anniversary of OpenID Connect (Nat)
- Feb. 26 marks the 5 year anniversary of the OIDC Core etc.
- OIDF-J plans to do an event for it in Tokyo (Feb. 25) and Fukuoka (Feb. 28)
- Any other locations celebrating it?
6.2. RSA San Francisco (Nat)
- Board meeting:
6.3. OAuth Security Workshop (Torsten)
- March 20 - 22. Links seem to be stale. New information needed.
6.4. IETF (Mike/John)
- March 24 - 29.
6.5. Others
- April 29: IIW WS.
- May 14 - 17: EIC.
7. Issues from the tracker
7.1. #1059: Core makes "aud" in request object optional unexpectedly (Joseph)
- The reason was to support the static request object used by devices with limited resources, so that it can be used by multiple RPs.
- The issue arose from OpenBanking wanting to always require 'aud'. It would be a breaking change.
- Tighten it up in profiles.
7.2. #1058: sector_identifier_uri should have a /.well-known/ path (James)
- It would be a breaking change.
- A new document on sector identifiers for multi-tenant deployments is probably needed.
- The sector identifier can include a path. We went wrong in not specifying that it should be the entire URI rather than just the host.
- Not sure if including .well-known works.
- See section 8.1 of Core.
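An added example (not from Core or from the ticket) of why the host-only Sector Identifier is a problem for multi-tenant RPs. Core 8.1 gives SHA-256(sector_identifier || local_account_id || salt) as an illustrative pairwise derivation; the code below applies it once with the host component and once with the full URI for two constructed tenants that share a host and differ only in path. The salt and the tenant URIs are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed: the OP's secret salt for pairwise identifier derivation.
PAIRWISE_SALT = b"op-private-salt"

# Constructed: two tenants of one multi-tenant RP, sharing a host and differing only in path.
TENANT_SECTOR_URIS = [
    "https://saas.example/tenant-a/redirect_uris.json",
    "https://saas.example/tenant-b/redirect_uris.json",
]


def sector_from_host(sector_identifier_uri: str) -> str:
    """Core 8.1 as written today: the Sector Identifier is the host component only."""
    return urlsplit(sector_identifier_uri).hostname or ""


def sector_from_full_uri(sector_identifier_uri: str) -> str:
    """What the ticket argues for: keep scheme, host and path so tenants differ."""
    p = urlsplit(sector_identifier_uri)
    return f"{p.scheme}://{p.netloc}{p.path}"


def pairwise_sub(sector_identifier: str, local_account_id: str) -> str:
    # Illustrative derivation from Core 8.1: SHA-256(sector || local_account_id || salt)
    material = sector_identifier.encode() + local_account_id.encode() + PAIRWISE_SALT
    return hashlib.sha256(material).hexdigest()


def tenants_get_distinct_subs(sector_fn, local_account_id: str = "alice") -> bool:
    """True if no two tenants receive the same pairwise sub for the same user,
    i.e. the user cannot be correlated across tenants."""
    subs = {pairwise_sub(sector_fn(u), local_account_id) for u in TENANT_SECTOR_URIS}
    return len(subs) == len(TENANT_SECTOR_URIS)
```

With the host-only rule both tenants derive the same `sub` for the same user, so two unrelated customers of the SaaS can correlate her across their tenants; with the full URI the subs differ. That is also why the change is breaking: every existing pairwise `sub` issued against a host-only sector would change.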
7.3. #1057: OIDC appears to override single-use nature of auth code in RFC6749 (Joseph)
- Brian and Mike have responded in the ticket and Joseph is OK with it.
- Some people use the code as a state mechanism.
- Close the ticket.
7.4. #1056: Use of id_token in RP-Initiated Logout as the id_token_hint (Rasitha)
- Add POST support for the endpoint so that URL length will not be an issue.
- Someone should create a pull request.
8. AOB
- FIDO man-in-the-middle blog post (George)
8.1. Topics for the next call:
- Status of errata
- #1055: Limits on overall url length (Joseph)
- #1054: Do a survey on the revision of the OIDC (Nat)
- #1053: Impact of ITP2 on implicit flows (George)
- #1052: make clear that nonce is always required for Hybrid flows (Hans/Brian)
- Related to #972. It should be closed as "duplicate." Is Hans OK with it?
- There is pull request No. 4 https://bitbucket.org/openid/connect/pull-requests/4/clarify-that-in-hybrid-authn-requests for it.
The call closed at 00:02 UTC