[Openid-specs-mobile-profile] SIBA notification and token response

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Wed Nov 2 15:03:52 UTC 2016

That's how I read it too.

-----Original Message-----
From: Lodderstedt, Torsten 
Sent: Wednesday, November 02, 2016 3:59 PM
To: Nennker, Axel
Cc: openid-specs-mobile-profile at lists.openid.net; Walter, Florian
Subject: Re: SIBA notification and token response

Hi Axel,

as far as I understand https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default#rfc.section.13 the notification from OP to RP already contains the token response.

best regards,

> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-
> bounces at lists.openid.net] On Behalf Of Nennker, Axel
> Sent: Friday, October 21, 2016 12:10
> To: Walter, Florian
> Cc: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] SIBA notification and token
> response
>
> Hi Florian,
> the use case for SIBA called out in issue
> https://bitbucket.org/openid/mobile/issues/45/server-initiated-
> authentication is "The MODRNA WG will propose a reasonable mechanism 
> to perform authentication in cases, where no user agent is available 
> and the authentication process needs to be initiated via server 2 server 
> communication. Use cases are for example user authentication in the 
> context of a call center call. The idea is to introduce an extension 
> to the token endpoint (TBD: new grant type or JWT bearer assertion), 
> which is used in conjunction with the standard scope value "openid" 
> and potentially other OIDC scope values and parameters to initiate the 
> authentication. The authentication process is conducted out of band 
> using the same mechanisms the ID gateway uses for the standard Mobile 
> Connect/OpenID Connect authentication flow via browser redirect. To be considered:
> - callback/polling needed
> - RP potentially knows MSISDN or PPID and wants to enforce it (2nd factor
> authentication via Mobile Connect)"
> In the webex regarding SIBA that we just had you explained the 
> non-polling flow as follows:
> - the user calls call center and agent knows MSISDN
> - the agent triggers SIBA
> - client sends SIBA authn request to AZ SIBA endpoint and receives an 
> OK
> - AZ sends mobile connect message to the user's authentication device
> - user clicks OK or enters PIN and approves the request
> - authentication device sends response to OP
> - AZ sends notification to client
> - Client retrieves authentication response using HTTP get
> - call center agent is happy
> Why does the notification not already contain the token response?
> I see no reason for the second-to-last step.
> I understand section "Issuing Successful Token" differently which 
> seems to send the tokens directly in the notification.
> Could you or the list please clarify?
> Cheers
> Axel
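The two variants the thread compares, the notify-then-fetch flow Florian explained on the webex and the tokens-in-the-notification reading that Axel and Torsten arrive at, as an added Python simulation. This is not code from the thread, from the MODRNA draft or from any OP implementation; the endpoint paths, the auth_req_id field and the per-request notification bearer token are assumptions, and the MSISDN and token values are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Stand-in for the OP / 'AZ' in the thread (hypothetical, not the MODRNA draft)."""
    pending: dict = field(default_factory=dict)  # auth_req_id -> request record
    issued: dict = field(default_factory=dict)   # auth_req_id -> token response
    calls: list = field(default_factory=list)    # client-to-AZ calls, to count round trips

    def backchannel_authn(self, client_id, login_hint, notification_token):
        """Client sends the SIBA authn request and gets back only an 'OK' with a request id."""
        self.calls.append("POST /siba")
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {
            "client_id": client_id,
            "login_hint": login_hint,
            "notification_token": notification_token,
        }
        return {"auth_req_id": auth_req_id}

    def user_approved(self, auth_req_id):
        """Out-of-band part: the user approves on the authentication device (simulated)."""
        req = self.pending[auth_req_id]
        self.issued[auth_req_id] = {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(16),
            "id_token": "constructed.id_token.for." + req["login_hint"],
        }

    def build_notification(self, auth_req_id, mode):
        """What the AZ delivers to the client's notification endpoint after approval."""
        req = self.pending[auth_req_id]
        headers = {"Authorization": "Bearer " + req["notification_token"]}
        body = {"auth_req_id": auth_req_id}
        if mode == "push":  # tokens travel inside the notification itself
            body.update(self.issued[auth_req_id])
        return headers, body

    def token_endpoint(self, client_id, auth_req_id):
        """Extra round trip of the 'ping' variant: the client fetches the token response."""
        self.calls.append("GET /token")
        req = self.pending.get(auth_req_id)
        if req is None or req["client_id"] != client_id or auth_req_id not in self.issued:
            return {"error": "invalid_grant"}
        return self.issued.pop(auth_req_id)


@dataclass
class CallCenterClient:
    """The RP used by the call-center agent (hypothetical)."""
    client_id: str
    outstanding: dict = field(default_factory=dict)  # auth_req_id -> notification_token

    def start(self, az, msisdn):
        """Agent knows the MSISDN and triggers SIBA; remember the request so that only a
        notification for it, carrying the secret we supplied, is accepted later."""
        token = secrets.token_urlsafe(24)
        resp = az.backchannel_authn(self.client_id, msisdn, token)
        self.outstanding[resp["auth_req_id"]] = token
        return resp["auth_req_id"]

    def on_notification(self, az, headers, body, mode):
        """Notification endpoint. Returns the token response, or None when the
        notification is unsolicited or lacks the expected bearer token."""
        auth_req_id = body.get("auth_req_id")
        expected = self.outstanding.get(auth_req_id)
        presented = headers.get("Authorization", "")
        if expected is None or not secrets.compare_digest(presented, "Bearer " + expected):
            return None
        del self.outstanding[auth_req_id]
        if mode == "push":
            return {k: v for k, v in body.items() if k != "auth_req_id"}
        return az.token_endpoint(self.client_id, auth_req_id)


def run_flow(mode):
    """Run one end-to-end SIBA flow in 'ping' or 'push' mode; returns (tokens, calls)."""
    az = AuthorizationServer()
    client = CallCenterClient("callcenter-app")
    auth_req_id = client.start(az, "+491700000000")  # constructed MSISDN
    az.user_approved(auth_req_id)
    headers, body = az.build_notification(auth_req_id, mode)
    return client.on_notification(az, headers, body, mode), az.calls


if __name__ == "__main__":
    for mode in ("ping", "push"):
        tokens, calls = run_flow(mode)
        print(mode, calls, sorted(tokens))
```

In "ping" mode the client makes the extra GET the thread questions; in "push" mode the token response is already in the notification and that call disappears. In both modes the client accepts a notification only if it names a request the client itself started and carries the secret the client handed over in that request, which is the check a notification endpoint needs regardless of which variant the draft ends up with.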
