OpenID AB/Connect WG Meeting Notes (2021-05-06)
- Date & Time: 2020-12-17 15:00 UTC
- Location: https://global.gotomeeting.com/join/181372694
The meeting was called to order at 15:__ UTC.
- Attending: Nat, John, Pam, Tony, Alen Horvat, Oliver, Mark, Jeremie, Brian, Tom, George, Joseph, Kristina, David Chadwick, David Torsten, Adam, Bjorn Hjelm, Tim, Vittorio
- Regrets: Mike J.
The core of the issues was characterized as the ambiguity of Section 5.5, "Requesting Claims using the "claims" Request Parameter", of OIDC Core 1.0. There, the RP is allowed to request that claims be returned from either the ID Token or the UserInfo Endpoint, but the OP behaviour is not specified.
Torsten expressed an opinion that the OP is expected to support returning claims from both.
John pointed out that some OPs, such as SIOP, cannot have a UserInfo endpoint and thus cannot support both, which is why it is not mandated.
Brian said that the claims parameter is not widely used, so many implementations only support UserInfo.
Vittorio expressed that it may not be the case that large OPs did not support the UserInfo endpoint for a long time, so expecting that all the claims are returned from a UserInfo endpoint in most cases is false.
John pointed out that perhaps we need to do a survey on the current implementation.
It was then pointed out that the issue seems to be about OP metadata expressing which claims can be returned from which mechanism, and that it would probably be useful to extend the OP metadata / Discovery so that this can be expressed.
John pointed out that it could cause some burden on the RP, but Mark counter-argued that it would decrease the optionality for the RP and so would lighten the burden for an RP.
Nat asked Mark to modify the tickets so that the delineation between the discovery issue and the RP request issues is clearer, to help the WG further the discussion.
The SIOP Special call is recommending the draft attached in http://lists.openid.net/pipermail/openid-specs-ab/2021-May/008228.html, which is recorded as http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210505/a198527a/attachment-0001.pdf, as a working group document.
Tom and Tony opposed the adoption, expressing concerns around 1) user consent and 2) lack of clarity between credentials and presentation.
Torsten explained that OIDF specifications do provide the facility to obtain consent, but "consent" is a legal notion, what makes consent valid is jurisdiction-specific, and OIDF does not provide any legal advice.
David C. also provided a view that the user providing the signed presentation constitutes a consenting mechanism.
Nat suggested creating an issue on the issue tracker to track the issues around the adoption of the document.
George asked Nat for clarity on the adoption criteria, saying that in general any document should be adopted so that the technical content can be discussed, unless it is deemed that the WG does not want to work on the subject.
Nat clarified that he is fine with asking the WG for adoption of the document, but he would also like to give Tom and Tony an opportunity to express their reasoning, in case adopting the document could be a threat to the foundation or there are overlaps.
Nat also asked Kristina to provide the relationship to other drafts and specifications so that the WG members can evaluate if there is an overlap etc.
While the reporting from the Browser Interactions SC etc. was on the agenda, the call did not get there.
The meeting was adjourned at 15:06 UTC