[Openid-specs-fapi] Issue #199: CIBA - which modes to support (openid/fapi)
Dave Tonge
issues-reply at bitbucket.org
Wed Dec 19 13:57:52 UTC 2018
New issue 199: CIBA - which modes to support
https://bitbucket.org/openid/fapi/issues/199/ciba-which-modes-to-support
Dave Tonge:
The new CIBA Core draft specifies 3 different modes:
- poll - the RP polls the token endpoint
- ping - the OP notifies the RP at its notification endpoint when to get the tokens
- push - the OP delivers the tokens directly to the RP's notification endpoint
My proposal for the FAPI profile is that OPs:
```
1. shall not support CIBA push mode;
2. shall support CIBA poll mode;
3. may support CIBA ping mode;
```
The rationale for this is:
- Push mode has quite different security characteristics. Because it is quite different from all other OAuth profiles there is a greater chance of error. It is also potentially harder to implement sender-constrained tokens in push mode.
- Poll mode is the closest to standard OAuth profiles and I think in the interests of interoperability it should be required for the FAPI CIBA profile
- Ping mode brings the benefits of Push mode, but with the security of Poll mode. However, I don't think we can mandate its implementation, hence I suggest we say `may`.
Responsible: dgtonge
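Added example (editor's note, not part of the issue above and not code from the CIBA or FAPI specs): an in-memory simulation of the three CIBA delivery modes so the difference the issue describes is visible in code. The message shapes follow the CIBA Core draft (auth_req_id, grant_type urn:openid:params:grant-type:ciba, the RP's client_notification_token sent as a bearer token to its notification endpoint); the class names, the cert thumbprint strings and the idea of binding the token to an mTLS cert via a cnf claim are assumptions made for the demo. It shows that in poll and ping mode the tokens are only ever issued from a token endpoint request the RP itself authenticates, while in push mode the tokens leave the OP in a request the RP never made, which is why push mode has different security characteristics and why sender-constraining is less natural there.

```python
# Toy simulation of CIBA poll / ping / push token delivery (added example).
# Assumed for the demo: mTLS client auth modelled as a cert thumbprint string,
# sender-constrained tokens modelled as a cnf claim, in-memory OP and RP.
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class OP:
    """Toy OpenID Provider keeping backchannel authentication requests in memory."""

    def __init__(self):
        self.requests = {}   # auth_req_id -> request state
        self.clients = {}    # client_id -> registered RP (its notification endpoint)

    def register(self, client_id, rp):
        self.clients[client_id] = rp

    def backchannel_authentication(self, client_id, mode, cert_thumbprint,
                                   client_notification_token=None):
        """Backchannel authentication endpoint; the RP authenticates with mTLS."""
        if mode in ("ping", "push") and not client_notification_token:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {
            "client_id": client_id, "mode": mode, "approved": False,
            "notif_token": client_notification_token,
            "cert_at_request": cert_thumbprint,
        }
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def _mint(self, cert_thumbprint):
        # Sender-constrained token: cnf carries the thumbprint it is bound to.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "cnf": {"x5t#S256": cert_thumbprint}}

    def user_approves(self, auth_req_id):
        """The end user consents on their authentication device."""
        req = self.requests[auth_req_id]
        req["approved"] = True
        rp = self.clients[req["client_id"]]
        auth = "Bearer " + req["notif_token"] if req["notif_token"] else ""
        if req["mode"] == "ping":
            # Ping: only a signal; the RP still fetches tokens from the token endpoint.
            rp.notification_endpoint(auth, {"auth_req_id": auth_req_id})
        elif req["mode"] == "push":
            # Push: tokens are sent without any RP-authenticated request, so the only
            # binding material the OP has is the cert seen at the backchannel request.
            body = {"auth_req_id": auth_req_id, **self._mint(req["cert_at_request"])}
            rp.notification_endpoint(auth, body)

    def token(self, client_id, grant_type, auth_req_id, cert_thumbprint):
        """Token endpoint (mTLS-authenticated); used in poll and ping modes."""
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not req["approved"]:
            return {"error": "authorization_pending"}
        # Bind to the cert the RP presents now, exactly as in ordinary OAuth.
        return self._mint(cert_thumbprint)


class RP:
    """Toy Relying Party exposing a client notification endpoint."""

    def __init__(self, client_id, cert_thumbprint):
        self.client_id = client_id
        self.cert = cert_thumbprint
        self.notif_token = secrets.token_urlsafe(16)
        self.received = []

    def notification_endpoint(self, authorization, body):
        # Check the bearer token the RP itself issued; without this, anyone who can
        # reach the endpoint can inject a ping signal or, in push mode, tokens.
        if authorization != "Bearer " + self.notif_token:
            return 401
        self.received.append(body)
        return 204


def run_mode(mode):
    """Drive one CIBA flow end to end; returns (tokens, where_they_arrived)."""
    op, rp = OP(), RP("rp-1", "THUMB-RP")          # constructed demo identifiers
    op.register(rp.client_id, rp)
    resp = op.backchannel_authentication(
        rp.client_id, mode, rp.cert, None if mode == "poll" else rp.notif_token)
    auth_req_id = resp["auth_req_id"]
    if mode == "poll":
        # The RP polls before the user has approved and is told to keep waiting.
        assert op.token(rp.client_id, CIBA_GRANT, auth_req_id, rp.cert) == \
            {"error": "authorization_pending"}
    op.user_approves(auth_req_id)
    if mode == "push":
        return rp.received[0], "notification_endpoint"
    if mode == "ping":
        assert rp.received[0] == {"auth_req_id": auth_req_id}
    return op.token(rp.client_id, CIBA_GRANT, auth_req_id, rp.cert), "token_endpoint"
```

Running run_mode("poll") and run_mode("ping") returns tokens minted by the token endpoint in response to an RP-authenticated request; run_mode("push") returns a body that arrived at the notification endpoint, guarded only by the bearer client_notification_token the RP chose. A real OP must also enforce the polling interval and expiry, return slow_down on over-polling, and use TLS plus the registered endpoint for every notification; those are left out of the toy.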