[Openid-specs-fapi] Issue #116: CIBA - authentication methods and proof of possession (openid/fapi)
issues-reply at bitbucket.org
Mon Jul 17 09:57:56 UTC 2017
New issue 116: CIBA - authentication methods and proof of possession
The FAPI CIBA profile should require `Signed Request Object` for authentication to the backchannel authentication endpoint (it is recommended in the main CIBA spec).
The draft should be adjusted to reflect this.
Where `MTLS` is used to provide proof of possession semantics for tokens, a note should be added requiring that the signed request object is sent over a mutual TLS connection. This is not for the purpose of authenticating the client, but for the purpose of giving the AS the attributes it needs to issue sender-constrained tokens.
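The separation described in the issue, sketched as an added example that is not part of the issue or of any FAPI/CIBA specification text: the signed request object authenticates the client, while the certificate on the mutual TLS connection only supplies the thumbprint used to sender-constrain the token. It assumes the `cnf` / `x5t#S256` confirmation claim from RFC 8705; the function names are hypothetical, request object signature verification is assumed to happen elsewhere, and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders standing in for DER-encoded client certificates.
CERT_A = b"constructed-der-bytes-for-client-certificate-A"
CERT_B = b"constructed-der-bytes-for-client-certificate-B"


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint per RFC 8705: base64url(SHA-256(DER cert)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def accept_backchannel_request(request_object_verified, tls_client_cert_der):
    """AS side (hypothetical handler for the backchannel authentication endpoint).

    The signed request object is what authenticates the client; the TLS client
    certificate is recorded only so that tokens can be bound to it later.
    """
    if not request_object_verified:
        raise PermissionError("signed request object failed verification")
    if tls_client_cert_der is None:
        raise ValueError("no client certificate on the connection; "
                         "cannot issue a sender-constrained token")
    return {"cnf": {"x5t#S256": x5t_s256(tls_client_cert_der)}}


def token_bound_to_cert(token_claims, presented_cert_der):
    """Resource server side: accept the token only over the bound certificate."""
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not expected:
        return False  # an unbound token is not acceptable in this profile
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


if __name__ == "__main__":
    claims = accept_backchannel_request(True, CERT_A)
    print("same certificate: ", token_bound_to_cert(claims, CERT_A))
    print("other certificate:", token_bound_to_cert(claims, CERT_B))
```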