[Openid-specs-fapi] FAPI CIBA Profile

Dave Tonge dave.tonge at momentumft.co.uk
Fri Jan 4 08:52:49 UTC 2019

Dear WG

We are keen to finish the FAPI profile of CIBA (Client Initiated
Backchannel Authentication) as soon as possible.

The core CIBA draft is here:

The current FAPI profile draft is here:

We currently have these issues open:

Should the FAPI profile mandate the use of signed authentication requests
(note this would be for non-repudiation rather than for authentication or
integrity protection)?

Query about the alignment between FAPI RW and FAPI CIBA re acr/amr

Should FAPI CIBA poll mode have this requirement:

> "shall not reject or return 'slow_down' to clients that are polling at an
> interval of 100ms or longer (except in exceptional circumstances where
> unexpected and unprecedented server load is present), this requirement
> shall not apply if CIBA ping mode is supported"

Should we require the use of login_hint_tokens rather than just login_hints?

Please can I ask WG members to read the drafts, comment on the above issues
(and raise any additional issues) by *next Friday (11 Jan)*. I would like
to finalise discussions on the FAPI CIBA profile on the next Atlantic call
(16 Jan) if possible so that ideally we can start a review process before
the end of the month.


Dave Tonge
FAPI WG Co-Chair