[Openid-specs-mobile-profile] claims request in CIBA

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Wed Nov 23 08:58:26 UTC 2016


Not sure whether adding the next parameter is the right approach.

Maybe it is simpler to allow everything from MODRNA and not mention OAuth2 at all in this section and then state that redirect_uri "of course" makes no sense so that is a MUST NOT. 
It depends which explanation is clearer (and maybe shorter): 
- allow all parameters from MODRNA minus redirect_uri
- list what is allowed and forbidden/useless

Honestly not sure about this. I think actually writing both versions and discussing them then would help me.

Regarding implementation: I think that OPs might use the same code as in MODRNA but where currently only GET is allowed they allow POST too and then do the CIBA handling in the POST case - e.g. ignore redirect_uri or error on it.
Maybe it makes sense to look at implementations and check which parameters make sense in both cases and which do not.

Cheers
Axel


-----Original Message-----
From: GONZALO FERNANDEZ RODRIGUEZ [mailto:gonzalo.fernandezrodriguez at telefonica.com] 
Sent: Wednesday, November 23, 2016 8:37 AM
To: Torsten Lodderstedt; Nennker, Axel
Cc: Walter, Florian; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] claims request in CIBA

I agree,

If nobody disagrees I will add it.

Best,
Gonza.




On 23/11/16 08:25, "Openid-specs-mobile-profile on behalf of Torsten Lodderstedt" <openid-specs-mobile-profile-bounces at lists.openid.net on behalf of torsten at lodderstedt.net> wrote:

>Hi Axel,
>
>I think that should be possible. In my opinion, any function/parameter not directly bound to managing/securing the OIDC front channel communication should be allowed/supported in/by SIBA.
>
>best regards,
>Torsten.
>
>> On 22.11.2016 at 18:28, <Axel.Nennker at telekom.de> <Axel.Nennker at telekom.de> wrote:
>> 
>> Hi,
>> 
>> Can the Client ask for "claims" in "OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0"?
>> 
>> This sentence seems to prohibit this:
>> "Authentication Requests are made using the MODRNA profile. Only the following parameters are taken into consideration in the Client initiated Backchannel Authentication flow. The rest of the request parameters defined in OAuth 2.0 [RFC6749] MUST be ignored by the Authorization Server. "
>> 
>> "the following parameters" are
>> scope, client_req_id, client_notification_endpoint, acr_values, login_hint_token, id_token_hint, login_hint and context (binding_message)
>> 
>> Can the Client ask e.g. for "claims" in CIBA?
>> 
>> Cheers
>> Axel
>> 
>> https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt   
>> MODRNA adds these parameters to the authentication request of OpenID.core.
>> acr_values, login_hint and binding_message
>> 
>> OpenID.core allows/requires the following parameters:
>> https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>> scope, response_type, client_id, redirect_uri, state, response_mode, nonce, display, prompt, max_age, ui_locales, id_token_hint, login_hint, acr_values and a bunch more like "claims".
>> 
>> CIBA:
>> https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default
>> 
>> 
>> _______________________________________________
>> Openid-specs-mobile-profile mailing list 
>> Openid-specs-mobile-profile at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
>

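As an added illustration (not code from the thread or from any CIBA/MODRNA implementation) of the two policy options Axel describes, the following Python models a parameter filter for a CIBA backchannel authentication request: option 1 keeps only the draft's own parameter list and ignores the rest, as the quoted spec text requires; option 2 allows every MODRNA/OpenID Core parameter except front-channel ones and either drops or rejects redirect_uri. The function names, the FRONT_CHANNEL_ONLY set and the sample request are assumptions constructed for this example.

```python
# Parameters the CIBA draft says are "taken into consideration" (as quoted in the thread).
CIBA_PARAMS = {
    "scope", "client_req_id", "client_notification_endpoint", "acr_values",
    "login_hint_token", "id_token_hint", "login_hint", "context", "binding_message",
}
# OpenID Core authentication-request parameters named in the thread plus the
# MODRNA additions (acr_values, login_hint, binding_message) and "claims".
MODRNA_PARAMS = {
    "scope", "response_type", "client_id", "redirect_uri", "state", "response_mode",
    "nonce", "display", "prompt", "max_age", "ui_locales", "id_token_hint",
    "login_hint", "acr_values", "claims", "binding_message",
}
# Assumption: parameters that only manage the front-channel redirect back to
# the client (Torsten's criterion) and therefore make no sense on a back channel.
FRONT_CHANNEL_ONLY = {"redirect_uri", "response_type", "response_mode", "state"}

# Constructed sample request: a client asking for "claims" and (wrongly) sending redirect_uri.
SAMPLE_REQUEST = {
    "scope": "openid",
    "login_hint": "+491700000000",
    "claims": '{"userinfo": {"email": null}}',
    "redirect_uri": "https://client.example/cb",
    "binding_message": "XYZ-123",
}

def filter_allowlist(params):
    """Option 1: keep only the CIBA parameter list; everything else is ignored
    ("MUST be ignored" in the current draft text). Note that "claims" is dropped."""
    kept = {k: v for k, v in params.items() if k in CIBA_PARAMS}
    ignored = sorted(k for k in params if k not in CIBA_PARAMS)
    return kept, ignored

def filter_modrna_minus_front_channel(params, strict=True):
    """Option 2: allow all MODRNA/OpenID Core parameters minus front-channel ones.
    strict=True raises on a front-channel parameter (Axel's "error on it");
    strict=False silently drops it ("ignore redirect_uri")."""
    bad = sorted(k for k in params if k in FRONT_CHANNEL_ONLY)
    if bad and strict:
        raise ValueError("invalid_request: front-channel parameter(s) " + ", ".join(bad))
    kept = {k: v for k, v in params.items()
            if k in MODRNA_PARAMS and k not in FRONT_CHANNEL_ONLY}
    ignored = sorted(k for k in params if k not in kept)
    return kept, ignored
```

Running both filters over SAMPLE_REQUEST shows the practical difference the thread is about: option 1 silently discards the "claims" request, option 2 keeps it and only removes (or rejects) redirect_uri.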

More information about the Openid-specs-mobile-profile mailing list