<div dir="auto">This is a small part of the larger problem I addressed in issue 104. It will be a little while before I can get to writing a full solution, but I do believe two things at this time.<div dir="auto">1 the problem should be addressed at a higher level</div><div dir="auto">2 the connect document has some unacceptable requirements</div><div dir="auto"><br></div><div dir="auto">..tom<br><br><div data-smartmail="gmail_signature" dir="auto">thx ..Tom (mobile)</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Jul 20, 2017 3:41 AM, "Nat Sakimura via Openid-specs-fapi" <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="auto" style="direction:ltr;margin:0;padding:0;font-family:sans-serif;font-size:11pt;color:black;background-color:white">Has there been any feedback on this? <br>
<br>
</div>
<br><br><br>
<div class="gmail_quote">On Tue, Jul 11, 2017 at 11:16 PM +0200, "Axel Nennker via Openid-specs-fapi" <span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.<wbr>openid.net</a>></span> wrote:<br>
<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">







<div class="m_1939764447997651994WordSection1">
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal"><span lang="EN-US">In Client Initiated Backchannel Authentication there are two modes for how the results are transferred back to the client.</span></p>
<p class="MsoNormal"><span lang="EN-US">Polling and notification.</span></p>
<p class="MsoNormal"><span lang="EN-US">When the mode is notification, the OP posts the authentication result (the tokens) back to the client.</span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3" target="_blank">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3</a></span></p>
<p class="MsoNormal"><span lang="EN-US">Obviously not everybody on the Internet should be able to post to that client endpoint.</span></p>
<p class="MsoNormal"><span lang="EN-US">So when the Client sends a CIBA Authentication Request, that request contains a bearer token, and when the user has authenticated and the OP notifies the Client, this token is used to authenticate the OP to the Client.</span></p>
<p class="MsoNormal"><span lang="EN-US">Currently there is no other way to authenticate the OP when notifications are posted.</span></p>
<p class="MsoNormal"><span lang="EN-US">Should we make CIBA more flexible here?</span></p>
<p class="MsoNormal"><span lang="EN-US">Does FAPI require better authentication?</span></p>
<p class="MsoNormal"><span lang="EN-US">Kind regards</span></p>
<p class="MsoNormal"><span lang="EN-US">Axel</span></p>
<p class="MsoNormal"><span lang="EN-US">In the example from CIBA, this “Authorization: Bearer 8d67dc78-7faa-4d41-aabd-67707b374255” is the bearer token which is provided by the client in the Authentication request as "client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255".</span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif">DEUTSCHE TELEKOM AG</span></b><span style="font-size:8.0pt;font-family:"Arial",sans-serif"><br>
T-Labs (Research & Innovation)<br>
Axel Nennker<br>
Winterfeldtstr. 21, 10781 Berlin<br>
<a href="tel:+49%20170%202275312" value="+491702275312" target="_blank">+491702275312</a> (Tel.)</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">E-Mail: <a href="mailto:axel.nennker@telekom.de" target="_blank">axel.nennker@telekom.de</a></span></p>
</div>



</div>

</blockquote>
</div>
</div><br>______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.<wbr>openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>fapi</a><br>
<br></blockquote></div></div>
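<p>Axel's quoted message describes the CIBA notification mode: the client supplies a <code>client_notification_token</code> in its authentication request, and the OP later presents that value as a bearer token when it POSTs the result to the client's endpoint. The following is an added example, not code from the thread or from the CIBA/FAPI drafts, of how a client's notification endpoint can validate that bearer token (constant-time comparison, single use, expiry). It assumes the notification body carries the <code>auth_req_id</code> the client received for the authentication request; the class and constant names are hypothetical.</p>

```python
import hmac
import secrets
import time

# Added example (not from the thread or the CIBA spec): client-side validation of
# the bearer token the OP presents when it POSTs a CIBA notification. The client
# issued that token as client_notification_token in its authentication request.
# NotificationGuard and AUTH_REQ_TTL are hypothetical names; the callback body is
# assumed to carry the auth_req_id returned for the authentication request.

AUTH_REQ_TTL = 600  # seconds a pending authentication request stays valid (constructed)


class NotificationGuard:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # auth_req_id -> (client_notification_token, expires_at)

    def issue_token(self, auth_req_id):
        """Mint the client_notification_token to send with one authentication request."""
        token = secrets.token_urlsafe(32)  # high-entropy, so it cannot be guessed
        self._pending[auth_req_id] = (token, self._now() + AUTH_REQ_TTL)
        return token

    def check_notification(self, headers, body):
        """Return the HTTP status the client endpoint should answer the OP with."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented:
            return 401  # no bearer credential at all
        entry = self._pending.get(body.get("auth_req_id"))
        if entry is None:
            return 401  # unknown, already consumed, or never-issued request
        expected, expires_at = entry
        # Constant-time comparison so response timing does not leak the token.
        if not hmac.compare_digest(expected.encode(), presented.encode("utf-8", "replace")):
            return 401  # wrong token: leave the pending entry untouched
        # Single use: drop the entry so a replayed notification is rejected.
        del self._pending[body["auth_req_id"]]
        if self._now() > expires_at:
            return 401  # token matched but the request has timed out
        return 200
```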