[Openid-specs-mobile-profile] Source authentication on client notification endpoint

[Dave Tonge]

Dear FAPI & MODRNA Working Groups

We discussed in the face to face meeting today about supporting source
authentication (and message integrity) on the client notification endpoint.

Currently in the CIBA spec this endpoint is only protected by a bearer
token - the `client_notification_token`.

The token response sent to this endpoint has an id_token. We suggested that
this id_token should include an `at_hash`. This will give the client
greater assurance that the token response is from the OpenID Provider and
of the integrity of the payload.

If a refresh token is in the payload, then the id token should contain an
`rt_hash`.

In the meeting we felt that this change should go into the main CIBA spec
rather than the FAPI profile.

It would be good to hear from the working groups any thoughts on this.

The relevant issue in FAPI is:
https://bitbucket.org/openid/fapi/issues/117/ciba-signature-for-succesful-token

The relevant clause in the CIBA spec is here:
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token

Thanks

-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Momentum Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Momentum Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register. Momentum
Financial Technology is registered in England & Wales, company registration
number 06909772 © . Momentum Financial Technology Limited 2016. DISCLAIMER:
This email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20171106/26fbbcf3/attachment.html>