[Openid-specs-fapi] Issue #199: CIBA - which modes to support (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed Dec 19 13:57:52 UTC 2018

New issue 199: CIBA - which modes to support

Dave Tonge:

The new CIBA Core draft specifies 3 different modes:

 - poll - the RP polls the token endpoint
 - ping - the OP notifies the RP at it's notification endpoint when to get the tokens
 - push - the OP delivers the tokens directly to the RP's notification endpoint

My proposal for the FAPI profile is that OPs:

1. shall not support CIBA push mode;
2. shall support CIBA poll mode;
3. may support CIBA ping mode;

The rationale for this is:

 - Push mode has quite different security characteristics. Because it is quite different from all other OAuth profiles there is a greater chance of error. It is also potentially harder to implement sender-constrained tokens in push mode.
 - Poll mode is the closest to standard OAuth profiles and I think in the interests of interoperability it should be required for the FAPI CIBA profile
 - Ping mode brings the benefits of Push mode, but with the security of Poll mode. However I don't think we can mandate its implementation, hence I suggest we say `may`.

Responsible: dgtonge

More information about the Openid-specs-fapi mailing list