OAUTH Web Authentication Where the Protocol is and What’s Next (3C)
Session Topic:OAUTH Web Authorization (T3C)
Convener: Barry Leiba, Hannes
Notes-taker(s): Kent Landfield
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The OAuth v2 draft has been approved by the working group is going thru final editing. RFC expected in Nov.
The working group needs to have a discussion on future work. This will require the working group to be re-chartered. It is hoped / expected that re-chartering will be complete by the end of the year.
Potential items to include in the next charter: More token types, token revocation, token type negotiation, UMA, discovery, User interface extensions - more handshaking between OpenID and OAuth work expected.
Discussion of better documentation of OpenID Connect as it pertains to Oauth.
Bearer token request ? Standard identity token? Structured with OpenID Connect? Discussion that there is a OAuth document that may cover most of this.
Phil, Mike discussed - is another layer needed for technologies that are not OpenID Connect? OAuth would need to carry authentication information and that is something that has been resisted by OAuth in the past. The first step is a new use case document to be written. Phil - that is coming
Show of hands of the number of people not involved in IETF OAuth work. Approximately 50% raised hands. Do you want to be ? Some discussion of participation means with mailing list activity proposed as a first step. There was definitely interest in doing so.
Discussion of whether or not OAuth should take the OpenID token format work.
JOSE - Javascript Object Signing andEncryption has agreed to take some work (see list below of breakout).
OAuth will take the OpenID token format work.
Dynamic registration a topic that may need to be included in OAuth. If so, OpenID will use it.
The following table lists the agreement of OpenID needs and IETF WG support moving forward: Mike put this on the whiteboard.
JWT - JSON Web Token
OAuth
JWS – JSON Web Signature
JOSE
JWE – JSON Web Encryption
JOSE
JWK - JSON Web Key
JOSE
SWD - Simple Web Discovery
OAuth
OAuth Assertions (Token type agnostic)
OAuth
OAuth SAML profile (Use Assertions)
OAuth
Token Revocation
OAuth
OAuth JWT profile (Use Assertions)
OAuth
Token Revocation focus was on well behaving clients needing to release tokens
Response serialization format - expired draft ?