[Openid-specs-mobile-profile] Feedback on CIBA
mike at gluu.org
Thu Jun 7 18:11:09 UTC 2018
CIBA was discussed on the UMA WG call today. Eve has been working on a
compare/contrast analysis between UMA and CIBA. And this discussion got
me thinking a little more...
One point from Justin Richer was that you are sending tokens back to the
Client Notification Endpoint. This is risky, as you are trusting DNS.
UMA makes the client authenticate at the token endpoint to obtain the
tokens. Pushing tokens was discussed and dismissed as lacking security.
I'm surprised the Open Banking group was ok with this.
I also wonder if the response from the bc_authorize should include an
id_token--I think it should be some other signed JWT assertion (with
many of the claims present in an id_token). It seems weird to me to
return an id_token to a client when the subject is not the person
connected to the user agent.
IMHO, CIBA could be accomplished using UMA as the security mechanism,
with bc_authorize as the RS (protected endpoint on the OP). Its request
and response would be defined much as you did.
If you are starting from scratch, is it easier to implement CIBA with
UMA for security, or CIBA plus its one-off security model? Personally,
I think UMA would be cheaper because we'd get more re-use.
If I get some time in the next week, I'll try to write up a draft of
CIBA using UMA. HEART also uses UMA, so it's not unheard of for an
OpenID WG to use it as part of a solution.
I know everyone wants to ship ASAP, so it's probably too late to bring
this stuff up.
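To make the distinction raised above concrete, here is an added example (mine, not code from this thread, the CIBA drafts or any UMA implementation) of a client notification endpoint that accepts only ping-mode callbacks: the OP delivers just an `auth_req_id`, and the client then fetches tokens itself at the token endpoint with client authentication, so a party that merely controls the DNS name of the callback cannot plant tokens. The `Client` type, the `(status, payload)` return convention and the constructed sample values are assumptions; the grant type and parameter names are those defined by CIBA.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Client:
    """Constructed client state for the example (not a real library type)."""
    client_id: str
    client_secret: str
    # Bearer token the client generated and sent to bc_authorize as
    # client_notification_token; the OP must present it on every callback.
    notification_token: str
    pending: dict  # auth_req_id -> True while the request is outstanding


def token_request(client: Client, auth_req_id: str) -> dict:
    """Body the client POSTs to the token endpoint (ping/poll mode).
    Tokens are obtained here, authenticated, never via the callback."""
    return {
        "grant_type": "urn:openid:params:grant-type:ciba",
        "auth_req_id": auth_req_id,
        "client_id": client.client_id,
        "client_secret": client.client_secret,
    }


def client_notification_endpoint(client: Client, auth_header: str, body: dict):
    """Handle a CIBA callback. Returns (http_status, token_request_or_None).

    Accepts only a ping-mode body {"auth_req_id": ...}. A body carrying
    tokens (push mode) is refused: whoever reached this hostname, the
    tokens are only ever pulled from the token endpoint with client auth.
    """
    scheme, _, presented = auth_header.partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode(), client.notification_token.encode()
    ):
        return 401, None  # callback not authenticated by the OP
    if any(k in body for k in ("access_token", "id_token", "refresh_token")):
        return 400, None  # push mode: pushed tokens are not accepted
    auth_req_id = body.get("auth_req_id")
    if auth_req_id not in client.pending:
        return 400, None  # unknown or already completed request
    client.pending.pop(auth_req_id)
    # Ping received: now pull the tokens with our own client credentials.
    return 200, token_request(client, auth_req_id)
```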