[Openid-specs-mobile-profile] CIBA with id_token; was RE: Comments about CIBA Draft

Sun Apr 30 17:42:35 UTC 2017

Hi Charles,

CIBA is basically OIDC in backchannel mode so why shouldn’t there be an id_token returned if the use case requires it.

Scenario:

-          User visits <bank> and the clerk would like to ask the MNO for the user’s picture

-          Clerk initiates CIBA with claim request for the picture

-          User gets the authentication request on their  authentication device which displays the ID-GW generated message:
“Do you want to share your picture with <bank>?
user consents

-          AD responses to ID-GW

-          ID-GW creates id_token with picture

-          Clerk sees picture

Replace “picture” with any claim the MNO might hold.

Is this what you were asking or what are end-to-end use cases?

Cheers
Axel

From: charles.marais at orange.com [mailto:charles.marais at orange.com]
Sent: Wednesday, April 19, 2017 10:49 AM
To: John Bradley; Connotte, Jörg; Connotte, Jörg; Nennker, Axel; GONZALO FERNANDEZ RODRIGUEZ; Walter, Florian; Bjorn.Hjelm at VerizonWireless.com
Cc: CLEMENT Philippe IMT TECHNO; AILLERY Nicolas IMT-OLPS; MARIOTTE Hubert IMT-OLN; openid-specs-mobile-profile at lists.openid.net
Subject: Comments about CIBA Draft

Hi,

We would like to share with you some of our concerns about CIBA as it may be soon accepted at the end of the current implementer's draft period :

- The end-to-end use cases addressed by CIBA are still unclear for us. We do understand the necessity to have a specification allowing the retrieval of an OAuth 2.0 access_token in a back channel mode but we don't have in mind end-to-end use cases that require the delivery of an id_token in pure back channel mode. @John,Joerg : Did you have time to think about Use Cases for CIBA ?

- On a security point of view, we think that we missed something. With the current specification, it seems to be possible to register a bad client interested by the polling mode with a legitimate client's sector_identifier_uri and even redirect_uri. In this way, the bad client will receive a sub dedicated for the legitimate client.

- GSMA is already working on an evolution of CIBA allowing synchronous responses. In their mind (GSMA), they want to address use cases in which the OP doesn't authenticate the user. It could maybe be relevant to include this evolution in the current specification.

Thanks for your opinions on these aspects,

Br,

The Orange Team.

--
[cid:image001.gif at 01D2C1D8.DF699120]

MARAIS Charles
Orange Labs Lannion
Tel : +33 (0)2 96 07 24 18
charles.marais at orange.com<mailto:charles.marais at orange.com>
Orange Labs Lannion
2, avenue Pierre Marzin
22307 LANNION Cedex - France

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170430/55bcdd1e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 1264 bytes
Desc: image001.gif
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170430/55bcdd1e/attachment-0001.gif>