Wiki
Clone wikiconnect / Connect_Meeting_Notes_2020-11-16_Pacific
OpenID AB/Connect WG Meeting Notes (2020-11-16)
- Date & Time: 2020-11-17¥6 23:00 UTC
- Location: https://global.gotomeeting.com/join/181372694
Agenda
The meeting was called to order at 23:05 UTC.
1. Roll Call
- Attending: Nat, John, David, Kristina, Adam, Tim <ark, Tobias, Brian, Takahiko, Edmund, Kengo, Tom, Brian, Mark
- Regrets: Mike
- Guest:
2. Adoption of Agenda (Nat)
- Adopted as is.
4. Drafts
4.1. SIOP Requirements (Kristina)
We went over the current draft. A few issues were pointed out and they are going to be reflected.
- SIOP supports implicit flow
- Not really implicit flow, but hybrid flow
- SIOP is able to return Verifiable Credentials and Verifiable Presentations in the response
- David questioned whether the VCs should be separate from ID Token since current implementations don’t understand JSON-LD
- Kristina asked whether it’s possible to add id_token claims into VC/VP
- It’s possible, but it needs to be defined
- Tobias thinks VCs are different enough that they should not be part of id_token, instead be top level of token response
- In OIDC Credential provider, OP can support multiple formats and will return format that the client explicitly requests (e.g, JWT, VC, JOSN-LD)
- Data attribute will contain Credential will be at the top-level of token endpoint with format attribute to indicate format
- Key recovery and key rotation (cryptography itself is out of scope)
- “or OpenID Connect Federation entity statements.” was added
- It’s essentially a bidirectional exchange of metadata between OP and RP
- “or OpenID Connect Federation entity statements.” was added
- RP can discover SIOP, and differentiate it from not SIOP-enabled OPs
- Kim wanted to have deep links as option
- PWAs cannot use openid://
- 7.1/7.2
- This section allows SIOP to advertise dynamic and static configurations
- Client uses static configuration
- Client does not know which provider will respond when openid:// is called so it will need to be explicit in the request parameters in what it supports and provider will respond accordingly with what it supports
Tom also noted his objection of having "how to" in the requirement document but Tobias pointed out that we are not doing the exercise in the green field but rather on the basis of current chater 7 of the OIDC Core, so some of them needs to be grandfathered in.
4.2. prompt=create draft (George)
As George was not available at the call, the topic was skipped.
4.3. Session Management
As Mike was not available in the call, the topic was skipped.
5. Issues
5.1. 1201 Agree on the Self-issued OpenID Connect Provider Requirements Document (Kristina)
We had an agreement that the current document is "good enought" to proceed working with specs related to SIOP.
ACT: Nat to announce it in the list.
5.2. 1200 Impact of Implicit Grant Removal in OAuth 2.1
In all likelihood, we will continue referencing RFC6749 as there does not seem to be a good way to replace implicit flow in the case of SIOP.
If OAuth 2.1 is slated to obsolete RFC6749, we should resist.
As a future work, we may need to document an extension etc. to cope with OAuth 2.1, but that is yet to be determined.
5.3. 1096 Core - Section 8. Need more subject_type (Nat)
Agreement in the call to make it a new document.
Tom is going to open another thicket related to this: metadata to express other properties of sub such as what kind of structure, etc.
5.4. 1181 SIOP Issue 3 - Support for attesting keys from the past (Tobias)
Tobias is still in the process of documenting it.
We ran out of the time so this should be dealt with next week.
Updated