[Openid-specs-fapi] CIBA: client notification endpoint authentication methods

Nat Sakimura nat at sakimura.org
Thu Jul 20 10:41:29 UTC 2017

Has there been any feedback on this? 


On Tue, Jul 11, 2017 at 11:16 PM +0200, "Axel Nennker via Openid-specs-fapi" <openid-specs-fapi at lists.openid.net> wrote:



In Client Initiated Backchannel Authentication there are two modes for how the results are transferred back to the client:

Polling and notification.


When the mode is notification then the OP posts the authentication result (the tokens) back to the client.



Obviously not everybody on the Internet should be able to post to that client endpoint.

So when the Client sends a CIBA Authentication Request, that request contains a bearer token, and when the user has authenticated and the OP notifies the Client, this token is used to authenticate the OP to the Client.


Currently there is no other way to authenticate the OP when notifications are posted.


Should we make CIBA more flexible here?

Does FAPI require better authentication?


Kind regards


In the example from CIBA, this “Authorization: Bearer 8d67dc78-7faa-4d41-aabd-67707b374255” is the bearer token, which is provided by the client in the Authentication Request as "client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255".
T-Labs (Research & Innovation)

Axel Nennker

Winterfeldtstr. 21, 10781 Berlin

+491702275312 (Tel.)

E-Mail: axel.nennker at telekom.de
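The client side of the exchange described above, written out as an added example (it is not code from the CIBA draft, from the FAPI working group or from anyone in this thread): the client mints a client_notification_token, sends it in the Authentication Request, binds it to the auth_req_id the OP returns, and later accepts a POST on its notification endpoint only if the Authorization: Bearer header carries that exact token. The field names client_notification_token, auth_req_id and the Bearer header are taken from the thread; the token length, the ten-minute expiry, single use, the constant-time comparison and the sample auth_req_id and token values are assumptions made for the example.

```python
"""Client-side handling of CIBA notification mode (illustrative example).

Only client_notification_token, auth_req_id and "Authorization: Bearer" come
from the CIBA draft as quoted in the thread; everything else (token size,
expiry, single use, the shape of the stored state) is an assumption.
"""
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumption: a request nobody answers is dropped after 10 min


class NotificationEndpoint:
    """State the client keeps between the Authentication Request and the OP's POST."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # client_notification_token -> {"auth_req_id": str | None, "expires": float}
        self._pending = {}

    def new_notification_token(self):
        """Mint the value sent as "client_notification_token" in the Authentication Request."""
        # 256 bits from the OS CSPRNG. The OP later echoes this value verbatim in
        # "Authorization: Bearer <token>", so it is the only thing standing between
        # the notification endpoint and "everybody on the Internet".
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"auth_req_id": None,
                                "expires": self._clock() + TOKEN_TTL_SECONDS}
        return token

    def bind_auth_req_id(self, token, auth_req_id):
        """Record the auth_req_id the OP returned in its Authentication Response."""
        self._pending[token]["auth_req_id"] = auth_req_id

    def _lookup(self, presented):
        # Compare against every outstanding token with a constant-time compare
        # rather than a dict lookup, so response timing does not reveal how much
        # of a guessed token was right.
        match = None
        for token in self._pending:
            if hmac.compare_digest(token.encode(), presented.encode()):
                match = token
        return match

    def handle_notification(self, headers, raw_body):
        """Validate the OP's POST. Returns (http_status, parsed_body_or_None)."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented:
            return 401, None
        token = self._lookup(presented)
        if token is None:
            return 401, None
        # Single use: the token is consumed here whatever happens next, so a
        # replayed or guessed-later POST with the same token gets 401.
        entry = self._pending.pop(token)
        if self._clock() > entry["expires"]:
            return 401, None
        try:
            body = json.loads(raw_body)
        except ValueError:
            return 400, None
        if body.get("auth_req_id") != entry["auth_req_id"]:
            # Right token, wrong request: do not accept these tokens for that request.
            return 400, None
        return 200, body


if __name__ == "__main__":
    # Constructed exchange: values below are made up for the demo.
    endpoint = NotificationEndpoint(clock=lambda: 1000.0)
    tok = endpoint.new_notification_token()       # goes into the Authentication Request
    endpoint.bind_auth_req_id(tok, "req-1")       # auth_req_id from the OP's response
    op_post = json.dumps({"auth_req_id": "req-1", "access_token": "example-at",
                          "token_type": "Bearer"})
    print(endpoint.handle_notification({"Authorization": "Bearer " + tok}, op_post)[0])
    print(endpoint.handle_notification({"Authorization": "Bearer " + tok}, op_post)[0])
```

Note what this check does and does not prove: a 200 means the poster knew the token the client itself generated for this request, nothing more. That is exactly the limitation the question above is about; whether FAPI should require the OP to authenticate to the notification endpoint by some stronger means is not something this code answers.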



