[Openid-specs-mobile-profile] [E] CIBA - Backchannel Authentication Endpoint and OIDC request object endpoint

John Bradley ve7jtb at ve7jtb.com
Fri May 12 06:06:50 UTC 2017

The CEBA spec requires client authentication at the token endpoint.   That could include JWT authentication.

There is a alternate proposal using a signed JWT to the token endpoint in the JWT assertion flow.

It may be that the OAuth JAR is a compromise between the two.

We have the question of why HTTP basic authentication is bad and should asymmetric authentication more in line with FAPI’s requirements for banks authentication of clients be required.

If in the discussion today there is agreement that the request should be a signed JWT, then the finer points of what endpoint it is posted to and what is returned can be considered.

Performance is a concern.

I think the goal is to have one POST by the client that returns a artifact for polling, or triggers a post back.

Fitting request by JAR into that may not be a perfect fit for flow as it currently requires a redirect of the user to the authorization endpoint with the artifact.   In the backchannel the extra call wont have any value.

A possibility is to have a new backchannel authorization endpoint like the device flow, but require the authorization request to be a JAR, and skip the separate client authentication.    It would then return a artifact for polling or the IdP postback.

Lets see how the conversation goes today.

John B.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

From: Hjelm, Bjorn<mailto:Bjorn.Hjelm at VerizonWireless.com>
Sent: May 12, 2017 7:53 AM
To: Nat Sakimura<mailto:n-sakimura at nri.co.jp>
Cc: Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>; John Bradley<mailto:ve7jtb at ve7jtb.com>
Subject: Re: [E] [Openid-specs-mobile-profile] CIBA - Backchannel Authentication Endpoint and OIDC request object endpoint

I don't see a reason why we wouldn't address this in MODRNA WG but I'll let John and authors of the CIBA specification share their view as well.


On May 12, 2017, at 7:41 AM, Nat Sakimura <n-sakimura at nri.co.jp<mailto:n-sakimura at nri.co.jp>> wrote:

OIDC core defines request_uri. It does not define a particular way of setting up the endpoint that receives request object but just says that it needs to save the request object.

CIBA’s Backchannel Authentication Endpoint is very close to it except that it is not accepting the signed JWS.
FAPI Part 2 defined an endpoint at the AS that saves the request object.
See https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md?at=master&fileviewer=file-view-default#markdown-header-7-request-object-endpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_src_master_Financial-5FAPI-5FWD-5F002.md-3Fat-3Dmaster-26fileviewer-3Dfile-2Dview-2Ddefault-23markdown-2Dheader-2D7-2Drequest-2Dobject-2Dendpoint&d=DwMFAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=qocRaYy7s_jOV6AWy-D-mHLe3ExW_NILg6DnwYCSDAU&s=XHdzArxfIyPbLTVdoRDeFlnm6SBhs-rw124VyB0ig3w&e=>
I and John were talking of propagating it to OAuth JAR as well.

I kind of feel that these can be harmonized. Is there any appetite to do so in Modrna WG?

PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.

Openid-specs-mobile-profile mailing list
Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170512/7ba69d66/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4383 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170512/7ba69d66/attachment.p7s>

More information about the Openid-specs-mobile-profile mailing list