[Openid-specs-mobile-profile] Async authentication

Torsten.Lodderstedt at telekom.de
Fri Oct 14 13:57:21 UTC 2016

Hi John,

I agree with your proposal to standardize a general push method. Do you think we can achieve a real on-the-wire standard, or should we aim for a general pattern?

best regards,

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Thursday, 13 October 2016 17:43
To: Openid-specs-mobile-profile
Cc: Openid-specs-mobile-profile
Subject: [Openid-specs-mobile-profile] Async authentication

On the call today Roland raised a use case in Sweden where OpenID Connect is used for identity proofing, leading to a split between the access channel and the authentication channel.

This is the link to the Swedish spec https://github.com/SUNET/se-leg-docs/blob/master/proofing.md

I pointed out that the MODRNA WG is considering a very similar issue in Backchannel Authentication https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default

There was a fair amount of discussion on that draft at our meeting in September, and Gonzalo should have an update shortly.

This is also similar to the OAuth device profile. https://tools.ietf.org/html/draft-ietf-oauth-device-flow

The device profile currently only supports polling.

I think that it may be time to standardize a general push method for the AS to provide the token endpoint response to the client.

We don’t have that in device at the moment because most devices are not directly addressable, though we did discuss it at one point.

My personal preference would be for the client to register a callback URI during registration, and provide the AS with an access token for that endpoint in the authorization request.

There are security issues that need to be considered around an attacker getting that callback AT and being able to impersonate the AS.

I can see the need for this and we should get on top of it before we have a large number of incompatible solutions in the wild.

John B.
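The pattern John sketches (the client hands the AS a bearer token for its callback URI in the authorization request, and the AS pushes the token endpoint response to that URI) and the risk he flags (an attacker holding the callback token could impersonate the AS), as an added example that is not part of the thread or of any MODRNA draft: a minimal client-side callback check that binds the token to one pending request, expires it, and makes it single-use so a captured token cannot be replayed to inject a forged response. The class and function names, the request ids and the sample token response are constructed for illustration.

```python
import hmac
import secrets
import time

class CallbackRegistry:
    """Client side (constructed): mints one-time bearer tokens for the callback
    URI, each bound to a single pending authorization request and short-lived."""
    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # request_id -> (callback_token, expiry)

    def issue_callback_token(self, request_id):
        token = secrets.token_urlsafe(32)
        self.pending[request_id] = (token, self.now() + self.ttl)
        return token            # carried to the AS in the authorization request

    def receive_push(self, request_id, authorization_header, body):
        """Handle a push from the AS. Return the pushed token response only if the
        presented bearer token is the unexpired one issued for this request."""
        entry = self.pending.get(request_id)
        if entry is None or not authorization_header.startswith("Bearer "):
            return None
        token, expiry = entry
        if self.now() > expiry:
            del self.pending[request_id]       # stale request: drop it entirely
            return None
        presented = authorization_header[len("Bearer "):]
        # The callback token is a credential: compare in constant time, and do not
        # consume the legitimate token when a wrong one is presented.
        if not hmac.compare_digest(presented, token):
            return None
        del self.pending[request_id]           # single use: a replay now fails
        return body

def push_token_response(registry, request_id, callback_token, token_response):
    """Constructed stand-in for the AS delivering the response to the callback URI."""
    return registry.receive_push(request_id, f"Bearer {callback_token}", token_response)

def demo():
    reg = CallbackRegistry()
    cb = reg.issue_callback_token("req-42")
    resp = {"access_token": "AT-constructed", "token_type": "Bearer"}
    first = push_token_response(reg, "req-42", cb, resp)                  # accepted
    replay = push_token_response(reg, "req-42", cb, {"access_token": "forged"})  # rejected
    other = push_token_response(reg, "req-43", cb, resp)                  # never issued
    return first, replay, other
```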
