2025-05-27 - openid/ipsie GitHub Wiki

IPSIE WG Meeting Minutes

Date: 2025-05-27

Attendees

  • Aaron Parecki (Okta)
  • Dean H. Saxe (Beyond Identity)
  • Dick Hardt (Hellō)
  • George Fletcher (Practical Identity LLC)
  • Jon Bartlett (Zscaler)
  • Sean Miller (RSA)
  • Kenn Chong (RSA)
  • Filip Skokan (Okta)
  • Shannon Roddy (self/LBNL)
  • Bjorn Hjelm (Yubico)
  • Mike Jones (Self-Issued Consulting)
  • Travis Tripp (HPE)
  • Anatoly Podstrelov (EDETEK)
  • Quanpu Cai (Obsidian Security)
  • Jen Schreiber (Workday)
  • Jeff Bounds (SailPoint)
  • Pat Buffolino (Paramount)
  • Mike Kiser (SailPoint)
  • Vatsal Gupta (Apple)

Agenda

Notetaker: Dean H. Saxe

Minutes

  • Call for adoption for OpenID Connect enterprise extensions
    • Please add a +1 to the call for adoption on the mailing list
    • This is a dependency for SL1
  • OpenID Provider commands v1 was just published, addressing issues in the last version, aligning to IL1/2/3
  • Last week we discussed how the RP checks the IdP session
    • updates to the issue #74
    • Aaron captured the discussion in the issue comments
    • Recap of last week
      • goal: address mobile apps and more
      • When the app's AT expires and the app uses the RT, does the app's AS check the session at the IdP to ensure the session is still valid?
      • How should this work?
      • If the RP has a RT, it can check the state of the authenticated session
      • want to make sure RPs CAN do this, but it should not be required
      • App at SL1 must respect the session lifetime
      • Dick: the session lifetime fits well into the enterprise extensions work where the session lifetime is communicated to the RP
      • Dick: need a mechanism to have the RP communicate to the OP that they are using the refresh token to narrow the session lifetime.
      • Kenn: Not mandating IdPs to issue RTs?
        • Aaron: Open question
        • Kenn: Some IdPs may not issue RTs, requiring a full page redirect
        • Aaron: Yes.
        • Dick: Clarify, extending the session
        • Aaron: We need to define how to negotiate the capabilities.
        • Dick: Full page redirect is always an option for the RP
        • Aaron: RT can be used as an optimization which can be used instead of a full page redirect
        • Filip: This won't impact SAML SL1
        • Dick: SAML has no background refresh. SAML requires a full reauthN
        • Sean: We're describing how the session is established and its lifetime at the app, right?
        • Aaron: Yes. Identity service can send a session lifetime to the RP
        • George: How does the RP know the user logged out? Pull vs. Push mechanism. We haven't discussed whether the IdP can tell the RP how frequently to check the session state at the IdP. RTs are a convenient mechanism to enforce this. New AT will not be issued if the session is logged out.
        • Dick: Refers to the SL1 table requirements.
        • George: Is the session lifetime a default maximum or a configured session lifetime?
        • Dick: ID service tells RP the length of the user's session before the user needs to be reauthenticated through the IdP.
        • George: User logs out of the IdP before the session is expired - RP session could outlive the IdP session in this case. This may be undesirable.
        • Aaron: This is addressed at SL2. SL1 is suboptimal for some use cases.
        • George: SL2 says it will push a command that the RP must log out the user. Lacking clarity on the value of the RT
        • Dick: advantage of RT is that I am logged into an app and can use it for days without having to go through a full page refresh flow. Enables RP to reset the session lifetime.
        • George: Only viable if the RP's AS is allowed to obtain an offline RT
        • Aaron: Not a forever credential, must check back using RTs.
        • George: Different definition of session lifetime.
        • Aaron: Language is unclear, likes Dick's definition
        • George: Taking the internal IdP session out of the equation for SL1. Need to know the cadence for refreshing the app's session. Setting the IdP session length and the app session length are two different things; our language conflates them
        • Dean: We need better clarity around IdP vs. RP session lifetime for mere mortals who don't sit on these calls.
        • George: "Application specific session lifetime" where the app gets a specific session lifetime that may be different from the IdP session
        • Aaron: Future state, claim in an ID token that sets a specific session lifetime and it may be distinct from the IdP session lifetime.
        • Aaron updated the SL1 table and explanatory text to drive clarity. PR forthcoming, we'll leave the PR open until the next call to allow for comments.
        • Aaron/Dean: Is this the explainer doc for IPSIE? How do we ensure we don't have to re-explain this for SAML vs OIDC? Do we turn this into an adopted spec?
        • Dean: We can use this to share how we got to the normative text.
        • Aaron: Link the spec back to specific requirements in the explainer. Work to be done later
          • ACTION ITEM: Create an issue to ensure we create the backlinks and publish the explainer. (Explainer is the IPSIE levels doc)
        • Dean/Aaron: Push forward on the OIDC Profile spec, explainer can trail behind. Need to determine how we publish the explainer. Explainer will be evolving over time.
        • Dick: Application session vs. IdP session. IdP session is out of scope. IdP tells the RP how long the RP session should be.
        • Aaron: We are not setting policy for IdP/RP, but we are allowing the IdP to set a session lifetime for the RP. At SL2, IdP can forcibly terminate sessions
    • Need editors for the IPSIE levels page to turn it into an explainer doc. The level of detail is unclear, but it will be greater than what we have today.
      • Aaron and George will work on this.
      • Dean cannot commit until FAL2 work is complete.