OpenID AB/Connect WG Meeting Notes (2023-09-18)

1.   Roll Call

Attendees: Mike, Nat, Sunil, Andril, Dima, Tom, Edmund, Naveen CM

2.   Events

2.1.   OpenID Foundation Workshop

OIDF is planning a workshop prior to IIW, on Oct 9 at Cisco in Mountain View, California. Attendees need to register 1 week before the workshop.

Link: https://openid.net/registration-workshop-october-9-2023/

3.   Liaisons

3.1.   eKYC&IDA WG

The WG is in the process of separating out the verified claims section. This is related to the OIDC RP metadata discussion. The relevant PR is https://bitbucket.org/openid/ekyc-ida/pull-requests/171. Please read and provide comments.

4.   Federation

4.1.   PRs

4.2.   Issues

  • #2059 Aligning trust_framework, verifier attestation, other signer/issuer/verifier related attributes
    • JAdES support is being requested.
  • #2062 Inconsistency between spec and provided examples
    • Giuseppe's comment seems to be reasonable. Opened.
  • #2063 Consumers may ignore the metadata and policies of Entity Types they are not interested in
    • Agreed to be MAY ignore. A PR to be created.

5.   Errata

5.2.   Issues

5.2.1.   #2035 - Native clients and dynamic registration

In the case of native applications, the port number is not known until the application is run. This makes it impossible to register the redirect URI manually. RFC 8252 makes an exception to exact redirect URI matching for the local loopback address: the port should be ignored.

The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

Clients SHOULD NOT assume that the device supports a particular version of the Internet Protocol. It is RECOMMENDED that clients attempt to bind to the loopback interface using both IPv4 and IPv6 and use whichever is available. (Source) https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Tom asked how it could be secure. Sunil pointed out that PKCE takes care of the problem.
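
An added example, not part of the meeting notes or of any specification text: one way an authorization server could apply the RFC 8252 Section 7.3 loopback exception on top of exact redirect URI matching. The function names and sample URIs are constructed, and requiring the http scheme, treating only IP literals (not "localhost") as loopback, and rejecting userinfo are assumptions of this example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def _loopback_parts(uri):
    """Return (host, path, query, fragment) for an http loopback-IP URI, else None."""
    try:
        parts = urlsplit(uri)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
        addr = ip_address(parts.hostname or "")  # IP literals only, not "localhost"
    except ValueError:
        return None
    if not addr.is_loopback:
        return None
    # Assumption of this example: only plain http loopback URIs qualify, and a
    # userinfo part ("user@host") is never accepted.
    if parts.scheme != "http" or "@" in parts.netloc:
        return None
    return (str(addr), parts.path, parts.query, parts.fragment)


def redirect_uri_matches(registered, requested):
    """Exact match, except that the port is ignored for loopback IP redirect URIs."""
    if registered == requested:
        return True
    reg = _loopback_parts(registered)
    req = _loopback_parts(requested)
    # Everything except the port must still be identical.
    return reg is not None and reg == req


if __name__ == "__main__":
    # Constructed sample requests against one registered URI.
    registered = "http://127.0.0.1/cb"
    for requested in (
        "http://127.0.0.1:51004/cb",              # ephemeral port: accepted
        "http://127.0.0.1:51004/other",           # different path: rejected
        "http://127.0.0.1.evil.example:51004/cb", # not an IP literal: rejected
        "http://127.0.0.1:51004@evil.example/cb", # real host is evil.example: rejected
    ):
        print(requested, redirect_uri_matches(registered, requested))
```
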

The call adjourned at 23:52 UTC.
