2024-04-10: SP-ICM Minutes
Identity and Consent Management meeting
Attendees (Please add or remove yourself, speakers in bold)
Companies | Attendees |
---|---|
Deutsche Telekom AG | Axel Nennker, Shilpa Padgaonkar |
Ericsson | Jan Friman |
Gapask | Rajesh Murthy |
KDDI | Tetsuya Chiba |
KPN | Huub Appelboom |
Nokia | Tanja De Groot, Gaurav Agarwal |
Orange | |
Simptel | Izahir Clemencia |
Singtel | Foo Ming Hui |
Spry Fox Networks | Ramesh Shanmugasundaram |
T-Mobile PL | Artych Rafał |
T-Mobile US | Karabulut, Murat |
Telefónica | Jesús Peña García-Oliva, Juan Fabio García, Guido García |
Vodafone | |
Nicholas Venezia | |
Kamel Idir | |
Verizon | |
Agenda
- Welcome
- Please add or remove yourself from the attendees list
Issues and PRs. Priority discussions (most active issues and/or dependencies for release v0.2):
- issue More than one "purpose" in an authorization request. #140
- missing "openid" in scope
- issue Clarify role and usage of id token #136
- issue Clarification needed for login_hint, login_hint_token and id_token_hint #133
- issue Proposal to define a strict value for aud claim in the private_key_jwt #127
- PR Camara OIDC profile #121
  - How to handle the absence of the `openid` scope in the authorize request
  - Valid values for `aud` claim in client assertions: Issue #127
  - Which error to return, if the user has revoked consent.
  - Purpose
- YAML file for OIDC endpoints: propose to add to ICM repository
- new issue "Consent api spec #142"
- new issue "SP supporting CIBA with two IDPs: B2B/B2C" #141
- Should we include examples? Elisabeth Mueller
AoB
Welcome
Discussion on issue "SP supporting CIBA with two IDPs: B2B/B2C" #141
Nicholas Manolakos https://github.com/questsin
Discussion on issue "More than one "purpose" in an authorization request. #140"
Axel: We see that there might be UX issues if a client needs to ask for multiple purposes, but we got no business requirement from anybody.
After a long discussion we seem to agree to keep the basic idea of having a request parameter `purpose`.
Axel proposed a wording change:
Purpose
An OPTIONAL transaction-specific request parameter `purpose`, as specified in openid-connect-4-identity-assurance-1_0-13, allows the client to state the purpose of the requested scopes. The purpose string MUST use the format below for interoperability:
`dpv:<dpvValue>`
`<dpvValue>` is coming from the W3C DPV purpose definition.
Axel asked the group to approve that text and to close issue #140
Proposal to set a deadline to give feedback stating a business need to go for option 2. Otherwise ICM goes for Option 1.
Axel will raise that again at tomorrow's TSC meeting.
Elisabeth Mueller proposed that TEF propose some text regarding existing implementations. Jesús Peña García-Oliva takes the AP to propose a disclaimer text in PR #121.
Discussion about Terms like SHALL, SHOULD, etc
Bjorn Hjelm asked why the document does not use the term "SHALL" in one particular sentence.
Axel answered that he prefers to phrase requirements using the term "MUST" or "REQUIRE" instead of "SHALL".
Discussion on "openid" missing in scope
TEF agrees that the `openid` scope is listed as required in the standard, but it does not specify a behavior in case it is not sent. In the CAMARA profile, a behavior is being established (returning `invalid_request`) that TEF believes could impact implementations where OAuth2 and OIDC solutions coexist.
Discussion on issue "Clarify role and usage of id token #136"
Jesús Peña García-Oliva refers to his comment in this issue as TEF position on the matter.
Discussion on issue "Clarification needed for login_hint, login_hint_token and id_token_hint #133"
Jesús Peña García-Oliva commented on the issue: So the current PR content is already fine. We may be able to close this issue then.
Jesús clarifies that TEF is happy to close the issue as long as the WG agrees to document only the login_hint option in PR #121 context, which is what there was consensus for. And as long as the existing text in the OIDC profile is clear and consistent.
After discussing it, it is proposed to rephrase the text in PR #121 to make it clearer. Jesús Peña García-Oliva takes the AP to do it.
Discussion on "Proposal to define a strict value for aud claim in the private_key_jwt #127"
Proposal: only allow a single value for the `aud` claim, and the `aud` claim value has to be the endpoint of the API invocation.
TEF proposes to be aligned with the CIBA and FAPI standards, as commented in the issue.
Discussion on "Camara OIDC profile #121"
- How to handle the absence of the `openid` scope in the authorize request
- Valid values for `aud` claim in client assertions: Issue #127
- Which error to return, if the user has revoked consent.
- Purpose
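The three profile points listed above (missing `openid` scope answered with `invalid_request`, a single `aud` value equal to the receiving endpoint in `private_key_jwt` client assertions, and the `dpv:<dpvValue>` format of a single `purpose` parameter) can be checked with a small validator. The block below is an added example written for these minutes; it is not CAMARA code and not text from PR #121. The token endpoint URL, the regex used for `<dpvValue>` (a CamelCase DPV term), rejecting a repeated `purpose` parameter, and accepting a one-element `aud` array as "a single value" are assumptions made here, not decisions of the working group.

```python
import base64
import json
import re
from urllib.parse import parse_qs

# Assumed value for this example; a real OP takes it from its own metadata.
TOKEN_ENDPOINT = "https://op.example.com/token"

# The profile text fixes the "dpv:" prefix; the syntax of <dpvValue> used here
# (a CamelCase term such as FraudPreventionAndDetection) is an assumption.
PURPOSE_RE = re.compile(r"^dpv:[A-Z][A-Za-z0-9]*$")


def _error(description):
    """OAuth2-style error object returned for any rejected request."""
    return {"error": "invalid_request", "error_description": description}


def check_authorize_request(query):
    """Validate scope and purpose of an authorize request given as a raw query string.

    Returns {"ok": True, ...} or an invalid_request error object. A missing
    "openid" scope is rejected, which is the behavior the profile draft proposes.
    """
    params = parse_qs(query, keep_blank_values=True)
    scopes = params.get("scope", [])
    if len(scopes) != 1:
        return _error("scope parameter must be present exactly once")
    scope_values = scopes[0].split()
    if "openid" not in scope_values:
        return _error("scope must include openid")
    purposes = params.get("purpose", [])
    if len(purposes) > 1:
        # One purpose per request (issue #140, option 1); assumption for this example.
        return _error("only one purpose parameter is allowed")
    if purposes and not PURPOSE_RE.match(purposes[0]):
        return _error("purpose must use the dpv:<dpvValue> format")
    return {"ok": True, "scopes": scope_values, "purpose": purposes[0] if purposes else None}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_client_assertion_aud(client_assertion, expected_endpoint):
    """Check the aud claim of a private_key_jwt client assertion (compact JWS).

    Only the aud rule is shown: exactly one value, equal to the endpoint that
    received the assertion. Signature verification against the client's
    registered key is NOT done here and must succeed before any claim is trusted.
    """
    parts = client_assertion.split(".")
    if len(parts) != 3:
        return _error("client_assertion is not a compact JWS")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return _error("client_assertion payload is not valid JSON")
    aud = claims.get("aud")
    if isinstance(aud, list):
        if len(aud) != 1:
            return _error("aud must contain exactly one value")
        aud = aud[0]
    if aud != expected_endpoint:
        return _error("aud must be the endpoint that receives the assertion")
    return {"ok": True, "aud": aud}


def constructed_assertion(claims):
    """Constructed test input only: a JWS with the given claims and an empty signature.

    Never accept such a token in production; it exists so the aud check can be
    exercised without a key.
    """
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    print(check_authorize_request(
        "response_type=code&client_id=abc&scope=openid%20number-verification"
        "&purpose=dpv%3AFraudPreventionAndDetection"))
    print(check_authorize_request("response_type=code&client_id=abc&scope=number-verification"))
    print(check_client_assertion_aud(
        constructed_assertion({"iss": "abc", "sub": "abc", "aud": TOKEN_ENDPOINT}),
        TOKEN_ENDPOINT))
```

The `aud` check deliberately compares against the endpoint that actually received the assertion rather than a list of acceptable audiences, which is what makes a token minted for the token endpoint useless at the backchannel authentication endpoint and vice versa.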
Discussion on new issues
Did not happen. Axel asked participants to comment on the new issues.
- new issue "Consent api spec #142"
- new issue "SP supporting CIBA with two IDPs: B2B/B2C" #141
Discussion on "Examples"
Axel suggested to create an issue for that discussion. Elisabeth agreed to create it.
Discussion: Should we include examples?
Elisabeth Mueller: Please create an issue.
Closing Remarks
Axel kindly asked participants to comment on issues and to review PRs and most importantly contribute text changes to PR. WGs thrive only if members become participants. So, again please participate. Please comment and review.
AoB
- Next call schedule: April 24, 2024.