oidc-deploy - Re: a start, OAuth2 use cases, thoughts on addressing each

Subject: OIDC Deployment Working Group

  • From: Nick Roy <>
  • To: Eric Goodman <>, "" <>
  • Subject: Re: a start, OAuth2 use cases, thoughts on addressing each
  • Date: Thu, 9 Aug 2018 19:40:06 +0000

Somewhat off-topic (my apologies), but did anyone notice Andreas
Solberg's comment on openid-specs-ab that the Norwegian R&E federation
is now OpenID Connect by default? I have not dug into this further with
Andreas, but might be interesting to chat with him. Let me know what you
think and if that would be something this group would be interested in.
If not, I can pursue it with him separately.

Best,

Nick


On 8/9/18 10:22 AM, Eric Goodman wrote:
> I separately sent a note to Nathan that I'm on the agenda for the UC-wide
> API "standards" workgroup to discuss what people are doing/looking with
> OIDC/OAuth. That meeting is a week from Friday, so hopefully I'll have some
> data points to provide after that meeting -- which is unfortunately after
> our next OIDC group meeting. Vaguely related, I'm at a conference next
> Tuesday, so may miss next week's call.
>
> --- Eric
>
> -----Original Message-----
> From: <> On Behalf Of Steven Carmody
> Sent: Thursday, August 9, 2018 8:43 AM
> To:
> Subject: a start, OAuth2 use cases, thoughts on addressing each
>
> Hi,
>
> On last week's call, Alan, Roland, and I volunteered to identify the
> most common OAuth2 use cases currently in place on campuses; step 2 was
> to identify best practice for addressing each; step 3 would be to see
> how much of the required support is already available in the
> Shibboleth-GEANT-Finnish OIDC work.
>
> We had an email conversation, but it quickly became clear that this
> would benefit from participation by the broader group.
>
> I've created a new Google doc:
>
> https://docs.google.com/document/d/15G_YRWisEa-5Kj5gU_D-i4MLMh-IJWl0Q5CAsqSy4ag/edit?usp=sharing
>
> Everyone should be able to edit that doc. It includes large portions of
> the email that Alan and I exchanged.
>
> I'm on the way out the door to a family wedding (this won't be anywhere
> near as much fun as our daughter's wedding in Dublin this past June --
> that was five days of parties!), but fun nonetheless!
>
> As you'll quickly see, this doc needs a lot of editing. More than that,
> it needs people with more OAuth2 knowledge than me working on it. I'm
> also not completely sure that I may be operating with out-of-date
> assumptions. For instance, a couple of years ago most Native Apps were
> using OAuth2 to authenticate users -- is that still true? The current
> recommendation for Native Apps seems to be to use "Authorization Code
> Grant Type with PKCE (Proof Key for Code Exchange)" -- do apps really
> use that?
>
> The doc also leaves too many open questions hanging ... again, here's
> hoping that people with more knowledge and more current knowledge can
> improve the doc.
>
> Here's hoping people have a chance to review this, mark it up, improve
> it, and perhaps discuss it on the next call. Unfortunately, I'll miss
> the next call. Sorry.
>
>
>



