Dear all,
Yesterday at the "ACAMP" (un)conference at the I2 TechEX we had a very useful discussion on how to build a practical OIDC Federation for Research and e-Infrastructures, the requirements, scope of such a federation, and how to technically implement and operate it. Thanks to Roland (who was there and - for those of you who don't review list membership daily - is now also on the list) there is a good amount of reference software tools to implement the concepts, and the rest we can easily add using standard operational tools.
It was a very fruitful discussion, and Heather Flanagan was kind enough to take notes during the breakout. The notes are linked to the Wiki page at https://wiki.eugridpma.org/Main/OIDCFed and directly at
https://wiki.eugridpma.org/pub/Main/OIDCFed/ACAMP2017-Wednesday-3_50pm-OIDC-...
We also discussed the idea of having JWS key distribution based on reference (URIs in the meta-data statement) only. That is much easier on the side of the entity and orgs involved, keeping much of the simplicity of OIDC. The protocol draft will require that then the federation operator (FO) signs the key again at its source URL -- and the practical solution we could use for that is that the org publishes its public key, and the FO frequently checks whether a new key is available (from a URL pre-registered with the FO) and as it changes immediately re-signs it and publishes the signed key on the FO URI location. Easily automatable at the FO side using crond and Last-Modified HTTP headers, and - if you want it quicker than once a minute - you can even add a trigger URL service to it. Practical, simple and keeps complexity away from clients. And trivial to implement :) Opinions on this one welcome as well.
Cheers, DavidG.