[Openid-specs-mobile-profile] SIBA notification and token response

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Fri Oct 21 10:09:54 UTC 2016


Hi Florian,

the use case for SIBA called out in issue https://bitbucket.org/openid/mobile/issues/45/server-initiated-authentication is
"The MODRNA WG will propose a reasonable mechanism to perform authentication in cases, where no user agent is available and the authentication process needs to be initiated via server 2 server communication. Use cases are for example user authentication in the context of a call center call. The idea is to introduce an extension to the token endpoint (TBD: new grant type or JWT bearer assertion), which is used in conjunction with the standard scope value "openid" and potentially other OIDC scope values and parameters to initiate the authentication. The authentication process is conducted out of band using the same mechanisms the ID gateway uses for the standard Mobile Connect/OpenID Connect authentication flow via browser redirect. To be considered: callback/polling needed RP potentially knows MSISDN or PPID and wants to enforce it (2nd factor authentication via Mobile Connect)"

In the WebEx regarding SIBA that we just had, you explained the non-polling flow as follows:
- the user calls the call center and the agent knows the MSISDN
- the agent triggers SIBA
- client sends SIBA authn request to AZ SIBA endpoint and receives an OK
- AZ sends mobile connect message to the user's authentication device
- user clicks OK or enters PIN and approves the request
- authentication device sends response to OP
- AZ sends notification to client
- client retrieves the authentication response using HTTP GET
- call center agent is happy

Why does the notification not already contain the token response?
I see no reason for the second-to-last step.

I understand the section "Issuing Successful Token" differently, which seems to send the tokens directly in the notification.

Could you or the list please clarify?

Cheers
Axel
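As an added illustration of the two readings contrasted above (constructed example code, not part of the original post or of the SIBA draft; the field names, message shapes and token values are assumptions), the simulation below runs the non-polling flow once with the token response carried in the notification and once with a separate retrieval step, and counts the client/AZ messages exchanged after the user approves:

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:  # the AZ/OP side
    push_tokens: bool  # True: the notification itself carries the token response
    pending: dict = field(default_factory=dict)
    results: dict = field(default_factory=dict)

    def siba_authn_request(self, msisdn: str) -> dict:
        # Client sends the SIBA authn request for a known MSISDN and gets an OK.
        req_id = secrets.token_urlsafe(16)
        self.pending[req_id] = msisdn
        return {"auth_req_id": req_id, "status": "OK"}

    def device_response(self, req_id: str, approved: bool, client: "Client") -> None:
        # The authentication device has answered; the AZ now notifies the client.
        self.pending.pop(req_id)
        self.results[req_id] = ({"access_token": secrets.token_urlsafe(8), "token_type": "Bearer",
                                 "id_token": "<constructed>"} if approved else {"error": "access_denied"})
        note = {"auth_req_id": req_id}
        if self.push_tokens:
            note.update(self.results.pop(req_id))  # consumed here; nothing left to fetch
        client.on_notification(note)  # a real AZ must authenticate to this endpoint

    def fetch_result(self, req_id: str) -> dict:
        # The extra HTTP GET of the non-push variant; pop() makes retrieval one-time.
        return self.results.pop(req_id)

@dataclass
class Client:  # the RP side (call-center backend)
    az: AuthServer
    messages: int = 0  # client<->AZ messages after the device answered
    received: dict = field(default_factory=dict)

    def on_notification(self, note: dict) -> None:
        self.messages += 1
        req_id = note["auth_req_id"]
        if "access_token" in note or "error" in note:
            self.received[req_id] = note  # variant A: flow complete
        else:
            self.messages += 1  # variant B: one more round trip to the AZ
            self.received[req_id] = self.az.fetch_result(req_id)

def run_flow(push_tokens: bool, approved: bool = True) -> tuple:
    az = AuthServer(push_tokens)
    client = Client(az)
    ack = az.siba_authn_request("+49-CONSTRUCTED-MSISDN")
    az.device_response(ack["auth_req_id"], approved, client)
    return client.received[ack["auth_req_id"]], client.messages
```

`run_flow(True)` completes with one message after approval, `run_flow(False)` needs two; either way the client ends up with the same token response.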

