<scribe> scribenick: kaz
McCool: talked about OAuth2
... any objections to accept the minutes?
(none)
McCool: approved
McCool: typo of [[e'll]] for [[we'll]]
McCool: presentation link to be placed at the top of the session
Kaz: ok
McCool: talked about 4 issues
... signing TDs
... need to follow up with a concrete PR
... for the future agenda
... another typo for [[referencable]]
Kaz: will check the whole minutes using the spell checker again
<scribe> ACTION: kaz to check the vf2f minutes using the spell checker
McCool: DIDs, OAuth2, ...
... Lagally had input from the viewpoint of profiles
... then End-to-End security
... another typo for [[havea]]
... any objections to accept the minutes?
(none)
McCool: accepted
McCool: OAuth2 flow?
Cristiano: added a PR on OAuth2 flow to the wot-usecases repo
McCool: (adds some clarification to
the "Expected Data" section)
... one thing not mentioned here is scope
... one is various URLs, 2nd is bare tokens, and then
scopes
... BTW, the spelling for OAuth should be "OAuth" (capital "O"
and capital "A")
... (adds another note to the bottom of the "Motivation"
section as well)
... reasonable summary for the scope here?
Cristiano: seems OK
McCool: to support OAuth 2.0, all the
devices must support TLS connection
... also verify an access token
... both producer and consumer
... and here "token" means a bearer token
... (updates the "Motivation" section with some more
clarifications)
... (clarifications on the "Actors")
Kaz: btw, there is "Thing Descriptor" but did you actually meant "Thing Description"?
Cristiano: yes
McCool: (fixed the typo)
... (discussion on the sequence flow diagram)
... steps A and B defines what is known as authorization grant
type of flow.
... what is important to realize here is that ot all of these
interactions are meant to take place over a network
protocol.
Cristiano: there are the owner of the data and the owner of the service
McCool: a bit confused here
... want to specify which is which
... (adds clarification)
... in some cases, interaction with a human through a user
interface may be intended
... (and modifies the four basic features for OAuth 2.0)
... code, implicit, password (of resource owner), client
(credentials of the client)
... (and adds some more notes)
... btw, do we expect HTTP is the protocol to be used here?
Cristiano: basically yes
McCool: (modifies the description for the "Description" section as well)
Kaz: maybe we should think about delegates who handle the authentication for the resource owners too?
McCool: yeah
... should add another term for that
... (creating a pullrequet based on the discussion today)
McCool: and merged it
... we'll need testing requirements too
... would like to get requirements for OAuth2 flows as
well
... thank you very much for your initial input, Cristiano
... let's have further discussion next time
... are there any other PRs?
... this OAuth2 flows use case should be finalized
... if you have any ideas, you can create an issue and/or a
pullrequest
... to be discussed next time
... if you could create sequence diagrams as well, that would
be great
Cristiano: can try
McCool: also let's talk about the
deprecated flows next time
... Cristiano will generate flow diagrams
... and people should review the proposal
Cristiano: discovery call today?
McCool: yes
[adjourned]