[Openid-specs-mobile-profile] SIBA notification and token response

Torsten.Lodderstedt at telekom.de
Wed Nov 2 14:59:19 UTC 2016


Hi Axel,

as far as I understand https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default#rfc.section.13 the notification from OP to RP already contains the token response.

best regards,
Torsten.

> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-
> bounces at lists.openid.net] On Behalf Of Nennker, Axel
> Sent: Friday, 21 October 2016 12:10
> To: Walter, Florian
> Cc: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] SIBA notification and token response
> 
> Hi Florian,
> 
> the use case for SIBA called out in issue
> https://bitbucket.org/openid/mobile/issues/45/server-initiated-
> authentication is "The MODRNA WG will propose a reasonable mechanism to
> perform authentication in cases, where no user agent is available and the
> authentication process needs to be initiated via server 2 server
> communication. Use cases are for example user authentication in the context
> of a call center call. The idea is to introduce an extension to the token
> endpoint (TBD: new grant type or JWT bearer assertion), which is used in
> conjunction with the standard scope value "openid" and potentially other
> OIDC scope values and parameters to initiate the authentication. The
> authentication process is conducted out of band using the same mechanisms
> the ID gateway uses for the standard Mobile Connect/OpenID Connect
> authentication flow via browser redirect. To be considered:
> callback/polling needed RP potentially knows MSISDN or PPID and wants to
> enforce it (2nd factor authentication via Mobile Connect)"
> 
> In the webex regarding SIBA that we just had you explained the non-polling
> flow as follows:
> - the user calls the call center and agent knows MSISDN
> - the agent triggers SIBA
> - client sends SIBA authn request to AZ SIBA endpoint and receives an OK
> - AZ sends mobile connect message to the user's authentication device
> - user clicks OK or enters PIN and approves the request
> - authentication device sends response to OP
> - AZ sends notification to client
> - Client retrieves authentication response using HTTP get
> - call center agent is happy
> 
> Why does the notification not already contain the token response?
> I see no reason for the second to last step.
> 
> I understand section "Issuing Successful Token" differently which seems to
> send the tokens directly in the notification.
> 
> Could you or the list please clarify?
> 
> Cheers
> Axel
> _______________________________________________
> Openid-specs-mobile-profile mailing list Openid-specs-mobile-
> profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
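The two readings of the flow above, as an added toy simulation (not code from the MODRNA draft or either author): in "push" mode the OP's notification already carries the token response, in "ping" mode it carries only a reference and the client performs the extra retrieval step Axel questions. Field names such as `auth_req_id` and `client_notification_token` are assumptions modelled on later CIBA drafts, and the endpoint calls are plain method calls standing in for HTTP.

```python
import hmac
import secrets

# auth_req_id / client_notification_token are assumed names (modelled on later
# CIBA drafts); draft-01 of the SIBA spec may call these fields something else.

class OP:
    """Toy OP/AZ side: step 3 (accept request), step 8 (notify), step 9 (token endpoint)."""
    def __init__(self):
        self.pending = {}   # auth_req_id -> notification token the RP registered
        self.issued = {}    # auth_req_id -> token response, once the user approved

    def backchannel_authn(self, msisdn, client_notification_token):
        auth_req_id = secrets.token_urlsafe(16)          # reference returned in the "OK"
        self.pending[auth_req_id] = client_notification_token
        return {"auth_req_id": auth_req_id}

    def approve(self, auth_req_id, rp, mode):
        # User approved out of band (steps 4-7); now notify the RP (step 8).
        # mode='push': the notification carries the token response itself.
        # mode='ping': it carries only the reference; the RP fetches the tokens.
        notif_token = self.pending.pop(auth_req_id)
        self.issued[auth_req_id] = {"token_type": "Bearer", "id_token": "constructed.id.token",
                                    "access_token": secrets.token_urlsafe(16)}
        body = {"auth_req_id": auth_req_id}
        if mode == "push":
            body.update(self.issued[auth_req_id])
        return rp.notification_endpoint(f"Bearer {notif_token}", body, self)

    def token_endpoint(self, auth_req_id):
        return self.issued.pop(auth_req_id, None)    # the extra HTTP GET, ping mode only

class RP:
    """Toy client (the call-centre application)."""
    def __init__(self):
        self.expected = {}  # auth_req_id -> per-request secret we handed to the OP

    def start(self, op, msisdn):
        notif_token = secrets.token_urlsafe(16)          # unguessable, one per request
        auth_req_id = op.backchannel_authn(msisdn, notif_token)["auth_req_id"]
        self.expected[auth_req_id] = notif_token
        return auth_req_id

    def notification_endpoint(self, authorization, body, op):
        # Either way the RP must authenticate the notification: if tokens ride in
        # it, an unauthenticated callback would let anyone inject forged tokens.
        expected = self.expected.get(body.get("auth_req_id"))
        if expected is None or not hmac.compare_digest(authorization, f"Bearer {expected}"):
            return None                                  # reject spoofed notification
        del self.expected[body["auth_req_id"]]           # one notification per request
        if "access_token" in body:                       # push: tokens already here
            return body
        return op.token_endpoint(body["auth_req_id"])    # ping: second round trip
```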