[Openid-specs-mobile-profile] Return the token immediately in CIBA request

John Bradley ve7jtb at ve7jtb.com
Fri May 18 13:21:58 UTC 2018


I think that is a bad idea for CIBA.  It blurs the line with
authentication.  At that point there is no authentication.  That should
just be the client credentials flow so it is clear there is no
authentication.

John B.

On Mon, Apr 23, 2018, 11:58 AM GONZALO FERNANDEZ RODRIGUEZ <
gonzalo.fernandezrodriguez at telefonica.com> wrote:

> Hi guys,
>
> Some of my colleagues say that it would be great to add an additional
> amendment to the “push notification” mechanism of the CIBA spec to allow it to
> return the response with the tokens directly in case there is no need to
> interact with the user. I am referring to those cases where the OID
> provider generates an access_token tied to the user but there is no need to
> interact with the user because the permission has already been grabbed by the
> Service Provider; it should be something like client_credentials but
> binding the access_token to a specific user.
>
> The idea would be to return the response with the tokens immediately; of
> course the Service Provider would authenticate the token using mutual TLS
> or private_key_jwt. That way a round-trip request would be saved and it
> would perform better in these specific cases.
>
> Do you think there would be any security problem or other kind of problem?
>
> Best,
>
> Gonza.
>