2025-08-26

Aaron Parecki edited this page Aug 26, 2025 · 1 revision

IPSIE WG Meeting Minutes

Date: 2025-08-26

Attendees

  • Aaron Parecki (Okta)
  • Kenn Chong (RSA)
  • Jon Bartlett (Zscaler)
  • Sean Miller (RSA)
  • Mike Kiser (SailPoint)
  • Jeff Bounds (SailPoint)
  • George Fletcher (Practical Identity LLC)
  • Bjorn Hjelm (Yubico)
  • Shannon Roddy (self)

Agenda

Notetaker: Sean Miller

Minutes

  • Welcome and antitrust policy reminder https://openid.net/policies/

  • OpenID Contributor Agreement reminder https://openid.net/intellectual-property

  • Reminder about OpenID Slack

  • Community Events

  • Interop Event Planning

    • Date confirmed Thursday, January 22nd, 2026 at Okta HQ San Francisco
    • Working on getting a webpage up for this event
  • Common Requirements

  • Call for adoption of SCIM IL1 Profile

  • Review open PRs

  • Discuss in scope/out of scope issues for interop event

    • All issues that have not been deferred to a later date or assigned to SL2/3
    • PR#104 - Remove refresh token requirement as in PR#11 of SL1
    • PR#101 - Unique subject identifiers - Dick and Karl to chat
      • Dick: https://openid.github.io/openid-provider-commands/aud_sub.html
      • Dick: RP can include aud_sub as one of the accounts so the OP knows to use that identifier for the account
      • Sean: Do we need to call out aud_sub as required from the IPSIE side, as it is needed to identify? What do we need to call out in the SL1 spec so it is clear what the relying party requires, or what to do if it is not provided?
      • Aaron: Dean to follow up here
    • PR#92 - OIDC SL1 - prompt parameter - George to make PR adding OP requirement
      • Aaron: Do we need this for interop?
      • George: Different use cases: "must challenge" use cases, versus cases (solve some authentication method) where you may want to challenge, and finally use cases where the user must not be challenged. Maybe prompt=login is user-visible; with prompt=none and max_age not yet expired, there is no challenge.
      • Aaron: IdPs are required to show something to the user and are not compliant if they just returned success and didn't challenge the user
      • George: Yes, if we are trying to meet FAL2. What does re-authenticate mean, and what are we trying to do with it? For IPSIE SL1, we should be a little prescriptive about what that means.
      • Aaron: Shall we accept the requirements as written in the PR? The IdP must comply with the request or return an error. Where should this go in the document? OpenID Providers section - expand the max_age requirement.
      • George will update the OpenID Providers section
    • PR#74 - Refresh tokens vs full page redirects - how should the resource authorization server check the IdP session?
      • Confirmed this text was added to the spec: "Re-validation can occur with a new single sign-on flow, or using refresh tokens"
      • Kenn: For systems that don't support refresh tokens, we can just force a new sign-on flow
      • George: For interop, do we need an indicator if the RP supports refresh tokens, or do we assume it doesn't when we aren't returned a token?
      • Aaron: So we need a requirement on the RP to be prescriptive. Too early for things like online_access.
      • For next week's call, Aaron will reformat the checksheet for the interop event (i.e. recognize the refresh token and use it, or no refresh token was provided so a new flow was started)
    • PR#60 - how to let IdP dictate RP session lifetime in OpenID Connect
      • Aaron: I don't think we need to do anything with this for the interop
      • Sean: Is this different from the issue George raised for max_age?
      • Aaron: This is the other way round, with the session_expiry claim, where the IdP is driving
      • Aaron to work with Jon Bartlett on a revision to this PR
  • AOB

    • None - wrapped up early (47 mins)
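The PR#92 discussion (an OP must honour prompt=login / max_age or return an error) implies a matching check on the RP side: an ID token that "returned success" without a fresh auth_time should be rejected rather than trusted. The following is an added example, not code from the IPSIE working group or any of its specs; the claim values, timestamps and the 60-second clock-skew allowance are constructed assumptions.

```python
from typing import Optional


def check_reauth(claims: dict, prompt: Optional[str], max_age: Optional[int],
                 request_time: int, now: int, skew: int = 60) -> tuple:
    """Return (ok, reason) for whether the OP honoured the RP's re-auth request.

    prompt="login": the OP must have freshly authenticated the user, so the ID
    token's auth_time must not predate the moment the RP sent the request.
    max_age=N: OpenID Connect Core requires auth_time in the ID token, and it
    must be no more than N seconds before now. A token without auth_time can
    satisfy neither, so it is rejected rather than trusted. `skew` (assumed
    value) tolerates clock drift between RP and OP.
    """
    auth_time = claims.get("auth_time")
    if prompt != "login" and max_age is None:
        return True, "no re-authentication requested"
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time missing: cannot prove the user was challenged"
    if prompt == "login" and auth_time < request_time - skew:
        return False, f"auth_time {auth_time} predates request sent at {request_time}"
    if max_age is not None and now - auth_time > max_age + skew:
        return False, f"auth_time {auth_time} is older than max_age={max_age}"
    return True, "re-authentication satisfied"


# Constructed sample: the RP sent prompt=login at t=1000; the OP returned an
# ID token whose auth_time shows a session established long before that,
# i.e. it returned success without challenging the user.
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "alice", "auth_time": 400}
SAMPLE_REQUEST_TIME = 1000
SAMPLE_NOW = 1005


def demo() -> tuple:
    return check_reauth(SAMPLE_CLAIMS, "login", None, SAMPLE_REQUEST_TIME, SAMPLE_NOW)


if __name__ == "__main__":
    ok, reason = demo()
    print("accept" if ok else "reject", "-", reason)
```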