[Openid-specs-mobile-profile] Async authentication

John Bradley ve7jtb at ve7jtb.com
Thu Oct 13 15:43:19 UTC 2016

On the call today Rolland raised a use case in Sweden where OpenID Connect is used for identity proofing, leading to a split between the access channel and the authentication channel.

This is the link to the Swedish spec https://github.com/SUNET/se-leg-docs/blob/master/proofing.md

I pointed out that the MODRNA WG is considering a very similar issue in Backchannel Authentication https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default

There was a fair amount of discussion on that draft at our meeting in September, and Gonzalo should have an update shortly.

This is also similar to the OAuth device profile. https://tools.ietf.org/html/draft-ietf-oauth-device-flow

The device profile currently only supports polling.

I think that it may be time to standardize a general push method for the AS to provide the token endpoint response to the client.

We don’t have that in device at the moment because most devices are not directly addressable, though we did discuss it at one point.

My personal preference would be for the client to register a callback URI during registration, and provide the AS with an access token for that endpoint in the authorization request.

There are security issues that need to be considered around an attacker getting that callback AT and being able to impersonate the AS.

I can see the need for this and we should get on top of it before we have a large number of incompatible solutions in the wild.

John B.
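Added example (not part of this mail, nor of the CIBA or device-flow drafts it links): a minimal client-side callback handler that illustrates the concern raised above about an attacker who obtains the callback access token. The callback token only proves that the pusher knows the secret the client handed out; it does not prove the push came from the AS. The handler therefore also requires the pushed token response to be authenticated by the AS (here an HMAC with a constructed shared key stands in for a JWS the client would verify against the AS's published keys), binds each push to an outstanding request, and makes the callback token single-use and time-limited. The field names `request_id` and `as_signature`, the 300-second lifetime, and all keys and token values are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the key the AS uses to authenticate its pushed token
# response. A real client would verify a JWS against the AS's published keys.
AS_SIGNING_KEY = b"constructed-as-signing-key-for-demo"

CALLBACK_TOKEN_TTL = 300  # assumed lifetime (seconds) of a pending request's callback token


def _canonical(obj) -> bytes:
    """Stable JSON encoding so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def as_sign_response(as_key: bytes, request_id: str, response: dict) -> str:
    """AS-side authenticator over the request id and token response. Holding the
    callback token alone is not enough to produce this, which is what stops a
    token thief from impersonating the AS."""
    payload = _canonical({"request_id": request_id, "response": response})
    return hmac.new(as_key, payload, hashlib.sha256).hexdigest()


def as_push(as_key: bytes, request_id: str, callback_token: str, response: dict):
    """Build the push the AS delivers to the client's registered callback URI."""
    headers = {"Authorization": f"Bearer {callback_token}"}
    body = {"request_id": request_id, "response": response,
            "as_signature": as_sign_response(as_key, request_id, response)}
    return headers, body


class PushCallbackClient:
    """Client side: issues a one-time callback token per request and checks pushes."""

    def __init__(self, as_key: bytes, now=time.time):
        self.as_key = as_key
        self.now = now
        self.pending = {}  # request_id -> {"token": str, "expires": float}

    def start_request(self):
        """Create an outstanding request and the callback token sent to the AS with it."""
        request_id = secrets.token_urlsafe(16)
        callback_token = secrets.token_urlsafe(32)
        self.pending[request_id] = {"token": callback_token,
                                    "expires": self.now() + CALLBACK_TOKEN_TTL}
        return request_id, callback_token

    def handle_push(self, headers: dict, body: dict) -> dict:
        """Accept a pushed token response only if every binding check passes."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"accepted": False, "reason": "missing bearer token"}
        presented = auth[len("Bearer "):]

        request_id = body.get("request_id")
        entry = self.pending.get(request_id)
        if entry is None:
            return {"accepted": False, "reason": "unknown or already completed request"}
        if not hmac.compare_digest(presented, entry["token"]):
            return {"accepted": False, "reason": "callback token mismatch"}
        if self.now() > entry["expires"]:
            del self.pending[request_id]
            return {"accepted": False, "reason": "callback token expired"}

        # The decisive check: the response must be authenticated by the AS itself.
        expected = as_sign_response(self.as_key, request_id, body.get("response", {}))
        if not hmac.compare_digest(expected, body.get("as_signature", "")):
            return {"accepted": False, "reason": "response not signed by the AS"}

        del self.pending[request_id]  # single use: a replay hits "unknown" above
        return {"accepted": True, "response": body["response"]}


def run_scenarios() -> dict:
    """Exercise the handler with a genuine push, a replay, a forgery made with a
    stolen callback token, and a push carrying the wrong callback token."""
    client = PushCallbackClient(AS_SIGNING_KEY)
    response = {"access_token": "constructed-at", "token_type": "Bearer", "expires_in": 3600}
    results = {}

    rid, tok = client.start_request()
    results["genuine"] = client.handle_push(*as_push(AS_SIGNING_KEY, rid, tok, response))
    results["replay"] = client.handle_push(*as_push(AS_SIGNING_KEY, rid, tok, response))

    rid, tok = client.start_request()
    attacker_key = b"constructed-key-known-only-to-the-attacker"
    results["forged"] = client.handle_push(*as_push(attacker_key, rid, tok, response))
    # The forgery did not consume the request, so the real AS push still lands.
    results["genuine_after_forgery"] = client.handle_push(*as_push(AS_SIGNING_KEY, rid, tok, response))

    rid, tok = client.start_request()
    results["wrong_token"] = client.handle_push(*as_push(AS_SIGNING_KEY, rid, "not-the-token", response))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point of the "forged" scenario is the one raised in the mail: even with the callback access token in hand, an attacker cannot get the client to accept a token response unless they can also produce the AS's authenticator over it, so the callback token should be treated as a delivery credential, not as proof of origin.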
