Open ID Specification Work (Cont.)
Session Topic: OPEN ID Specification Work (cont) (TH5B)
Convener: Mike Jones
Notes-taker(s): Mike Jones
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
George Fletcher
Nat Sakimura
John Bradley
Pamela Dingle
Tony Nadalin
Dale Olds
Vikas Jain
Breno de Medeiros
Edmund Jay
Mike Jones
Michael Buck
How do we request directional or omnidirectional identifiers?
In OpenID 2.0, could only request directional identifiers. ICAM profile has PAPE parameter to ask for directional identifiers.
Decision: Allow “idType” claim value in request. Default type is omnidirectional.
IdPs should be allowed to only support one idType.
MUST be illegal to return omnidirectional if directional or ephemeral requested.
Discussion: “ephemeral”, “transactional” may be a request types we define in the future, based upon use cases.
Unsigned JWT: base64url({“sig”:”none”}).base64url({claims…}).
Breno: Define maxAuthAge=seconds query parameter as common case
Breno: If a defined parameter occurs twice, it should be an error
Nat: Wants requested language preference of RP to be expressible to IdP. Canada wants the same thing.
==
Final remaining open issue: OpenID 2.0 compatibility/migration issues
One element of support: “openid_identifier” UserInfo field
OpenID 2.0 allows identifier delegation – we already decided not to support this in ABC
George: Need a way for IdP to say that old identifier and new identifier are the same
Breno: Treat identifier migration as a form of account recovery – John: it’s an account linking problem
Breno: need to define an OpenID discovery endpoint to allow OPs to discover the clientID of RP realm for the issuer to enable migration
Breno: For compatibility, have openid_realm parameter in request, which must match beginning substring of redirect URI
- Then can generate OpenID 2.0 OP local identifier and put it in the UserInfo endpoint
RP must verify that OP is authoritative for OP local identifier returned
Need OpenID 2.0 service that identifies OpenID ABC endpoint
WE APPEAR TO HAVE CLOSED ALL THE OPEN ISSUES!!!
Spec editing tasks:
Revise spec to reference (not include!) OAuth 2.0
Breno: Spec as a whole needs to be reworked to be much more readable, complete
John: John, Nat, Mike together in Munich next week – take an initial pass at it together
Compatibility not in core spec – Breno volunteered for this
UserInfo endpoint schema in its own spec – Pamela volunteered for this
Claims request and claims response – Mike will write up, Edmund will then turn into spec language