2.1.   OAuth Security Workshop 2024

Submissions are open.

Deadline: 11th February for early submissions.

https://oauth.secworkshop.events/osw2024

The next deadline is March 10 for submissions.

2.2.   OpenID Foundation Workshop

April 15 @ Google. Details to be published this week.

4.1.   Issues

Opened the following issues:

• https://bitbucket.org/openid/connect/issues/2108/track-national-identity-schems-that-uses
• https://bitbucket.org/openid/connect/issues/2111/federation-location-and-scope-of
• https://bitbucket.org/openid/connect/issues/2112/syntax-error-in-trust-mark-request-example
• https://bitbucket.org/openid/connect/issues/2113/specify-private_key_jwt-as-the-default
• https://bitbucket.org/openid/connect/issues/2114/client-authentication-and-the-federation
• https://bitbucket.org/openid/connect/issues/2110/federation-multiple-entity_type-at-the
• https://bitbucket.org/openid/connect/issues/2078/federation-specify-the-applicable-json

Questions regarding the AS requirement on POST came up.

• https://gitlab.com/openid/conformance-suite/-/issues/1293

In 3.1.2.1 of OIDC Core, it says:

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 7231 [RFC7231] at the Authorization Endpoint.

However, the current test suite does not test the support of POST. It was suggested that it should be added. Now that 3rd party cookie restriction is kicking in, the POST is becoming obsolete. It was suggested that perhaps we should remove the requirement. Tom will add an issue on this. Separately, Aaron will create an issue to align to OAuth 2.1.

The call adjourned at 23:52 UTC.