
OpenID AB/Connect WG Meeting Notes (2021-11-15)

The meeting was called to order at 23:05 UTC.

1.   Roll Call

  • Attending:
    • Andrew Hughes
    • Anthony Nadalin (it)
    • David Waite
    • Edmund Jay
    • Jeremie Miller
    • Kristina Yasuda
    • Nat Sakimura
    • Vittorio Bertocci
    • Tom Jones
  • Regret:
  • Guest:

3.   External Orgs & Events

3.1.   OAuth Security Workshop

11/30 - 12/1

Vittorio asked if there is any planning for OSW. He would like to have sessions on:

  • sign out
  • browser interactions/changes.
  • multitenancy for OIDC

There will also be a session for Cross-device security.

3.2.   FAPI and Berlin Group Workshop

First workshop was held today.

Explained each group’s positions and situation.

Was planning to have another plenary meeting of both groups in 10 days, but decided to change to a technical deep-dive session with a smaller audience.

Another large format meeting is planned for mid-December.

3.3.   mDL Interop

Event was held last week for implementers of ISO 18013-5

ISO SC17 group members only

Next one in March 2022 will be open

Event focused on mDL on the web using OIDC

Only one vendor implemented OIDC as defined in ISO 18013-5 mdl

Most implemented simple Web API which is less secure

Web API Flow:

  • User will pass a token to the reader/verifier.
  • The verifier takes that token and passes it to the Web API which then receives a mDL in response.

For the Connect flow, the verifier would exchange the mDL retrieval token at the Connect assertion endpoint with the code and obtain an ID Token.

This flow has an extra request and response compared to the web API, so people implemented the web API flow.

But OIDC is required when they’re trying to give people access to digital government services using mDL.

Each did different things so there’s no interoperability with mDL on the web.

Some asked the user to upload the mDL to the IdP.

The user goes to the RP, which then redirects to the IdP.

The IdP asks the user to upload the mDL.

It’s only possible because the user's app is controlled by the same provider who controls the IdP.

There’s no standard protocol there.

The mDL is then sent back.

Another flow is that the user goes to the RP, which redirects to the IdP, which talks to the issuer (standard OIDC), but everyone is doing them differently.

There is no interoperability on the web; everyone is doing flows differently.

For in-person use, mDL over NFC or Bluetooth works well.

Most have offline situations that they need to resolve.

Kristina will send list of relevant specs to ML.

Trying to have over-the-web presentation of mDL directly between the user and the reader using a new HTTP POST method. This is similar to SIOP. This work is in 18013-7.

Trying to work on direct presentation between reader and wallet.

3.4.   OECD meeting

This week

Nat will report if possible

4.   PRs (Nat)

  • https://bitbucket.org/openid/connect/pull-requests/45 - additional security considerations
    • When a VP is being sent outside the ID Token, not embedded, it has to include a nonce, the client ID, and an audience corresponding to both, to prevent replay.
    • Daniel requested some editorial changes. Will merge when Torsten modifies the PR.
  • https://bitbucket.org/openid/connect/pull-requests/59 - clarifies discovery metadata for IA
    • Reorganized section so that new and old parameters are mentioned separately.
    • Nat, others to review
  • https://bitbucket.org/openid/connect/pull-requests/60 - Require refresh tokens
    • Removes optional wording from Refresh token text.
    • Refresh tokens are used for shorter lived access tokens and downscoping.
    • Kristina stated that refresh tokens are not allowed for VC issuance. This is related to binding material because the material you’re requesting the credential to be bound to is supposed to be in real time to prove possession of it.
    • Another reason is that it should not issue access tokens without the user’s consent because the users requests annotations.
    • But in these cases, long lived access tokens would not work either.
    • There is a proposal for synchronous flow where requests for credential cannot be issued right away by the provider.
    • Instead of having a long lived access token, a receipt is sent to the user which can be exchanged at the endpoint when the credential is ready.
    • Nat suggested CIBA might be better fit for this situation.
    • Kristina will update comment in issue #1311
  • https://bitbucket.org/openid/connect/pull-requests/55 - Point to RFC 7591 for Dynamic Client Registration metadata
    • Conflicts needed to be resolved and need to include Connect DCR and OAuth registration references.
  • https://bitbucket.org/openid/connect/pull-requests/65 - Move Distributed Token Validity API contribution to its own subfolder
    • David gave an overview of the contents.
    • Was a way for session management.
    • Vittorio was concerned about going from simple iframe messaging to a complex mechanism.
    • It might be better to abstract the protocol layer and leave the persistence layer to the implementation.
    • Another secondary use is for pushing revocation of tokens to an RP in the system.
    • Also used for local introspection, validity checks, and caching.
  • https://bitbucket.org/openid/connect/pull-requests/63 - Require sender constrained tokens
    • Makes sender constrained tokens mandatory, but there are doubts about the feasibility of DPoP and MTLS.
    • Kristina asked whether it must be a sender constrained token if the user is passing a proof to which the credential will be bound.
    • Vittorio mentioned that if it’s mandatory, it might add barriers so that people will not implement this part.
    • Kristina suggested that if you’re sending the proof for the bound credential, adding a hash of the access token in the proof proves you have control of both the signature and the access token.
    • Kristina will comment on #1284.
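As an added illustration of the replay protection PR 45 asks for (nonce plus audience in a VP carried outside the ID Token) and the access-token hash binding Kristina suggested under PR 63, here is example verifier-side code written for these notes; it is not from the working group's specifications or any project. The claim names `nonce`, `aud` and `ath`, and the `VerifierState` store, are assumptions; signature verification of the VP is assumed to have already happened.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class VerifierState:
    """Hypothetical per-verifier store (constructed for this example, not a spec type)."""
    client_id: str
    issued_nonces: set = field(default_factory=set)    # handed to wallets, not yet presented
    consumed_nonces: set = field(default_factory=set)  # already seen in an accepted presentation


def new_nonce(state: VerifierState) -> str:
    """Mint a fresh, unguessable nonce for exactly one presentation request."""
    nonce = secrets.token_urlsafe(16)
    state.issued_nonces.add(nonce)
    return nonce


def access_token_hash(access_token: str) -> str:
    """base64url(SHA-256(access_token)) without padding: the binding suggested for the
    proof, the same construction DPoP uses for its ath claim."""
    digest = hashlib.sha256(access_token.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_presentation(state: VerifierState, vp: dict,
                        access_token: Optional[str] = None) -> Tuple[bool, str]:
    """Check a decoded, signature-verified VP claim set. Returns (accepted, reason).
    A nonce is accepted once; the audience must be this verifier's client ID; when an
    access token is in play the proof must carry that token's hash."""
    nonce = vp.get("nonce")
    if nonce in state.consumed_nonces:
        return False, "replay: nonce already presented"
    if nonce not in state.issued_nonces:
        return False, "nonce was not issued by this verifier"
    if vp.get("aud") != state.client_id:
        return False, "aud does not match verifier client_id"
    if access_token is not None and vp.get("ath") != access_token_hash(access_token):
        return False, "ath does not match the access token in use"
    state.issued_nonces.discard(nonce)   # single use: the same VP is rejected from now on
    state.consumed_nonces.add(nonce)
    return True, "accepted"
```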

6.   AOB

None

The meeting was adjourned at 23:41 UTC.
