[Openid-specs-fapi] CIBA: client notification endpoint authentication methods

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Wed Jun 14 16:52:23 UTC 2017


Hi,

In Client Initiated Backchannel Authentication there are two modes for how the results are transferred back to the client: polling and notification.

When the mode is notification then the OP posts the authentication result (the tokens) back to the client.
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3

Obviously not everybody on the Internet should be able to post to that client endpoint.
So when the Client sends a CIBA Authentication Request, that request contains a bearer token, and when the user has authenticated and the OP notifies the Client, this token is used to authenticate the OP to the Client.

Currently there is no other way to authenticate the OP when notifications are posted.

Should we make CIBA more flexible here?
Does FAPI require better authentication?

Kind regards
Axel


In the example from CIBA this "Authorization: Bearer 8d67dc78-7faa-4d41-aabd-67707b374255" is the bearer token which is provided by the client in the Authentication request "client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255".





DEUTSCHE TELEKOM AG
T-Labs (Research & Innovation)
Axel Nennker
Winterfeldtstr. 21, 10781 Berlin
+491702275312 (Tel.)
E-Mail: axel.nennker at telekom.de
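The client-side check the post describes, as an added example that is not part of the original message or of the CIBA draft: the client mints the client_notification_token before sending the Authentication Request, stores it against the auth_req_id it gets back (the auth_req_id lookup key and the in-memory store are assumptions of this example), and accepts a notification only if the presented bearer token matches that stored value exactly once.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class PendingRequests:
    """Client-side store of outstanding CIBA authentication requests.

    Maps auth_req_id -> client_notification_token that the client sent in the
    Authentication Request. (Store layout is an assumption of this example.)
    """

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    @staticmethod
    def new_token() -> str:
        # High-entropy, unguessable value to send as client_notification_token.
        return secrets.token_urlsafe(32)

    def register(self, auth_req_id: str, token: str) -> None:
        self._pending[auth_req_id] = token

    def expected_token(self, auth_req_id: str) -> Optional[str]:
        return self._pending.get(auth_req_id)

    def consume(self, auth_req_id: str) -> None:
        # Remove the entry so the same notification cannot be accepted twice.
        self._pending.pop(auth_req_id, None)


def verify_notification(store: PendingRequests, headers: Dict[str, str],
                        body: Dict[str, str]) -> Tuple[bool, str]:
    """Validate an OP notification at the client notification endpoint.

    Returns (accepted, reason). Only the bearer token from the Authorization
    header and the auth_req_id in the body are consulted.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False, "missing bearer token"
    auth_req_id = body.get("auth_req_id", "")
    expected = store.expected_token(auth_req_id) if auth_req_id else None
    if expected is None:
        return False, "unknown or already-consumed auth_req_id"
    # Constant-time comparison so a mismatch leaks no timing information.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bearer token mismatch"
    store.consume(auth_req_id)  # single use: replays are rejected
    return True, "ok"
```

The token is the only thing authenticating the OP here, so its entropy, its one-time use and the constant-time comparison are what the check rests on.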


