[Openid-specs-mobile-profile] claims request in CIBA

Torsten.Lodderstedt at telekom.de
Wed Nov 23 12:17:05 UTC 2016


Hi all,

I agree with Axel (except OAuth is part of the game and should be mentioned).

Here is the list of OAuth and OIDC parameters which (in my opinion) should be omitted/forbidden/do not make any sense in SIBA:
OAuth (https://tools.ietf.org/html/rfc6749#section-4.1.1)
- response_type
- redirect_uri
- state
OIDC (http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
- response_mode
- nonce
- display
- prompt
- max_age

best regards,
Torsten.

> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-
> bounces at lists.openid.net] On behalf of Nennker, Axel
> Sent: Wednesday, November 23, 2016 09:58
> To: gonzalo.fernandezrodriguez at telefonica.com; torsten at lodderstedt.net
> Cc: Walter, Florian; openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] claims request in CIBA
> 
> Not sure whether adding the next parameter is the right approach.
> 
> Maybe it is simpler to allow everything from MODRNA and not mention OAuth2
> at all in this section and then state that redirect_uri "of course" makes
> no sense so that is a MUST NOT.
> It depends which explanation is clearer (and maybe shorter):
> - allow all parameters from MODRNA minus redirect_uri
> - list what is allowed and forbidden/useless
> 
> Honestly not sure about this. I think actually writing both versions and
> discuss then would help me.
> 
> Regarding implementation: I think that OPs might use the same code as in
> MODRNA, but where currently only GET is allowed they allow POST too and then
> do the CIBA handling in the POST case - e.g. ignore redirect_uri or error
> on it.
> Maybe it makes sense to look at implementations and check which parameters
> make sense in both cases and which do not.
> 
> Cheers
> Axel
> 
> 
> -----Original Message-----
> From: GONZALO FERNANDEZ RODRIGUEZ
> [mailto:gonzalo.fernandezrodriguez at telefonica.com]
> Sent: Wednesday, November 23, 2016 8:37 AM
> To: Torsten Lodderstedt; Nennker, Axel
> Cc: Walter, Florian; openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] claims request in CIBA
> 
> I agree,
> 
> If nobody disagrees I will add it.
> 
> Best,
> Gonza.
> 
> 
> 
> 
> On 23/11/16 08:25, "Openid-specs-mobile-profile on behalf of Torsten
> Lodderstedt" <openid-specs-mobile-profile-bounces at lists.openid.net on
> behalf of torsten at lodderstedt.net> wrote:
> 
> >Hi Axel,
> >
> >I think that should be possible. In my opinion, any function/parameter not
> directly bound to managing/securing the OIDC front channel communication
> should be allowed/supported in/by SIBA.
> >
> >best regards,
> >Torsten.
> >
> >> On 22.11.2016 at 18:28, <Axel.Nennker at telekom.de> wrote:
> >>
> >> Hi,
> >>
> >> Can the Client ask for "claims" in "OpenID Connect MODRNA Client
> initiated Backchannel Authentication Flow 1.0"?
> >>
> >> This sentence seems to prohibit this:
> >> "Authentication Requests are made using the MODRNA profile. Only the
> following parameters are taken into consideration in the Client initiated
> Backchannel Authentication flow. The rest of the request parameters defined
> in OAuth 2.0 [RFC6749] MUST be ignored by the Authorization Server. "
> >>
> >> "the following parameters" are
> >> scope, client_req_id, client_notification_endpoint, acr_values,
> >> login_hint_token, id_token_hint, login_hint and context
> >> (binding_message)
> >>
> >> Can the Client ask e.g. for "claims" in CIBA?
> >>
> >> Cheers
> >> Axel
> >>
> >> https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt
> >> MODRNA adds these parameters to the authentication request of
> OpenID.core.
> >> acr_values, login_hint and binding_message
> >>
> >> OpenID.core allows/requires the following parameters:
> >> https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
> >> scope, response_type, client_id, redirect_uri, state, response_mode,
> >> nonce, display, prompt, max_age, ui_locales, id_token_hint, login_hint,
> acr_values and a bunch more like "claims".
> >>
> >> CIBA:
> >> https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default
> >>
> >>
> >> _______________________________________________
> >> Openid-specs-mobile-profile mailing list
> >> Openid-specs-mobile-profile at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
> >
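The parameter policy Torsten proposes at the top of this page (reject the OAuth/OIDC parameters that only manage the front-channel redirect, keep everything else, including "claims") can be written as a small validator on the backchannel authentication request. The block below is an added illustration, not code from the CIBA draft, from MODRNA, or from any participant in this thread. The parameter names are the ones quoted in the thread; the choice to error on forbidden parameters rather than ignore them (Axel's other option), the requirement that exactly one user hint be present, the JSON check on "claims", and the `InvalidRequest` error type are assumptions made for the example.

```python
"""Validator for a CIBA-style backchannel authentication request.

Added illustration for the parameter discussion in the thread above; it is
not code from the CIBA draft, MODRNA, or any message in the thread. Parameter
names are those quoted in the thread; rejecting (rather than ignoring)
front-channel parameters, the "exactly one hint" rule and the error type are
assumptions for this example.
"""
import json
from typing import Optional
from urllib.parse import parse_qs

# Parameters that only make sense when the OP redirects the user agent back
# to the client (OAuth 2.0 RFC 6749 4.1.1, OIDC Core 3.1.2.1): Torsten's list.
FRONT_CHANNEL_ONLY = frozenset({
    "response_type", "redirect_uri", "state",                   # OAuth 2.0
    "response_mode", "nonce", "display", "prompt", "max_age",   # OIDC Core
})

# Parameters the CIBA draft text quoted by Axel lists, plus the OIDC Core
# parameters the thread argues should remain allowed (claims, ui_locales).
ALLOWED = frozenset({
    "scope", "client_id", "client_req_id", "client_notification_endpoint",
    "acr_values", "login_hint_token", "id_token_hint", "login_hint",
    "binding_message", "claims", "ui_locales",
})

# Exactly one of these must identify the end user (assumption for the example).
USER_HINTS = ("login_hint_token", "id_token_hint", "login_hint")


class InvalidRequest(ValueError):
    """Raised when the request violates the backchannel parameter policy."""


def validate_backchannel_request(body: str) -> dict:
    """Parse a form-encoded POST body and apply the policy.

    Returns the accepted parameters as a dict or raises InvalidRequest.
    Unrecognised parameters are silently dropped, as RFC 6749 requires of
    parameters the server does not understand; front-channel parameters are
    an error rather than being ignored.
    """
    raw = parse_qs(body, keep_blank_values=True)

    # RFC 6749 3.1: parameters MUST NOT be included more than once.
    dups = sorted(k for k, v in raw.items() if len(v) > 1)
    if dups:
        raise InvalidRequest("duplicate parameter(s): " + ", ".join(dups))
    params = {k: v[0] for k, v in raw.items()}

    rejected = sorted(FRONT_CHANNEL_ONLY.intersection(params))
    if rejected:
        raise InvalidRequest(
            "front-channel parameter(s) not allowed: " + ", ".join(rejected))

    accepted = {k: v for k, v in params.items() if k in ALLOWED}

    if "openid" not in accepted.get("scope", "").split():
        raise InvalidRequest("scope must include openid")

    hints = [h for h in USER_HINTS if h in accepted]
    if len(hints) != 1:
        raise InvalidRequest(
            "exactly one of login_hint_token, id_token_hint, login_hint required")

    # "claims" is allowed (the question Axel raised); it must be a JSON object.
    if "claims" in accepted:
        try:
            claims = json.loads(accepted["claims"])
        except ValueError as exc:
            raise InvalidRequest("claims is not valid JSON") from exc
        if not isinstance(claims, dict):
            raise InvalidRequest("claims must be a JSON object")

    return accepted


def policy_error(body: str) -> Optional[str]:
    """Convenience wrapper: None if the request is accepted, else the reason."""
    try:
        validate_backchannel_request(body)
    except InvalidRequest as exc:
        return str(exc)
    return None


# Constructed sample bodies (not taken from any spec or message in the thread).
GOOD_BODY = ("scope=openid&client_req_id=abc123&login_hint=%2B49170000000"
             "&binding_message=AB12"
             "&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%7D%7D")
FRONT_CHANNEL_BODY = ("scope=openid&login_hint=bob"
                      "&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&state=xyz")
UNKNOWN_PARAM_BODY = "scope=openid&login_hint=bob&foo=bar"
DUPLICATE_BODY = "scope=openid&login_hint=bob&login_hint=alice"


if __name__ == "__main__":
    for name, body in [("good", GOOD_BODY), ("front-channel", FRONT_CHANNEL_BODY),
                       ("unknown", UNKNOWN_PARAM_BODY), ("duplicate", DUPLICATE_BODY)]:
        print(name, "->", policy_error(body) or "accepted")
```

Running the block prints one line per constructed request; the front-channel request is refused with both `redirect_uri` and `state` named, the unknown parameter `foo` is dropped without error, and the repeated `login_hint` is refused before any policy check runs.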

