2025‐03‐11 - openid/ipsie GitHub Wiki

IPSIE WG Meeting Minutes

Date: 2025-03-11

Welcome and antitrust policy reminder
OpenID Contributor Agreement reminder https://openid.net/intellectual-property
Reminder about OpenID Slack
Update on upcoming call schedule - no call March 18 due to IETF
Review OpenID and SAML SL1 profiles
- OpenID SL1 Editor's Copy - https://drafts.aaronpk.com/ipsie-openid-sl1/draft-openid-ipsie-sl1-profile.html
  - Open issues - https://github.com/openid/ipsie/labels/sl1
- SAML SL1

Notetaker: Tom Clancy

Antitrust policy reminder
Slack invite link updated as of last night
Call schedule updates - no call for March 18 due to IETF
- IIW week schedule TBD, likely to cancel or move to a new day to minimize conflict
- Keep the conversation going during the gap by communicating on Slack
Start reviewing SL1 profile for OpenID -- editor's copy
Already some discussion on GitHub, Slack, etc on issues
Dean: let's start by collecting feedback on the draft
- Dick, Karl, others have already indicated there is feedback, others?
Karl: I opened a GitHub issue https://github.com/openid/ipsie/issues/61
- Do we want to start with the strongest foundation, such as FAPI2, or are we starting with a more accessible profile?
- SAML, as example, doesn't require confidential clients -- how do we want to begin?
- Do we want to address broader delegated access use cases?
Filip: I don't have an answer on whether SL1 should allow public clients
- Attacker model drives requirements in FAPI... What would attacker model say to drive public client
- SAML flow is more analogous to response_type=id_token which results in no access tokens issued, the need for client auth likely mostly stems from protecting the issuance of access tokens to protected resources. If SL1 is not about resource access then we should not use flows that result in issued access tokens