[Openid-specs-mobile-profile] Issue #63: CIBA new synchronous flow (openid/mobile)
issues-reply at bitbucket.org
Tue Apr 24 16:04:31 UTC 2018
New issue 63: CIBA new synchronous flow
In the current CIBA draft, the flow is assumed to be always asynchronous, due to the user interaction required. However, that interaction might not always be needed:
* The OP could rely on the authentication and consent already captured by a trusted RP via out-of-band mechanisms.
* The OP could decide that it is no required to get explicit user approval to grant access to a specific resource, in accordance with the regulations it abides by and its own access policies.
In those cases, user interaction would not be required, but it would still be good to have an access token per user, as CIBA provides, because that allows the subsequent revocation of a token upon user request, for example.
And, in those cases, the asynchronous flow is not efficient, and might even cause race conditions in notification mode: the notification might reach the RP before the response to the authorize request.
So it seems that a new synchronous flow would be the best approach when the OP does not require interaction with the user. It would be a kind of shortcut to provide the final result already in the response to the authentication request (bc-authorize endpoint).
More information about the Openid-specs-mobile-profile