[Openid-specs-mobile-profile] CIBA notification mode

Brian Campbell bcampbell at pingidentity.com
Fri Jul 6 19:32:33 UTC 2018

With respect to the notification mode and the discussion at
profile/Week-of-Mon-20180611/001183.html, I agree that it would be
preferable to change the notification mode to NOT deliver the token(s), but
rather to inform the client that they can go and fetch the token(s). This
normalizes the means of the client obtaining tokens to it making a request
to the token endpoint, which is a well established pattern. And keeping
token delivery at the token endpoint simplifies things in situations where
tokens are bound to client keys (like with MTLS
<https://tools.ietf.org/html/draft-ietf-oauth-mtls> and Token Binding
<https://tools.ietf.org/html/draft-ietf-oauth-token-binding> for example).
I can't say that it's really that much more secure. But I can say that it's
not introducing a completely new mechanism of token delivery for which the
security properties likely aren't as well understood and haven't been
evaluated by as many people.

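The two notification variants discussed above, modelled as an added example that is not part of the post or any CIBA implementation. The OP, client_flow and cert names are assumed; auth_req_id and the grant type urn:openid:params:grant-type:ciba come from the CIBA spec, and the x5t#S256 confirmation claim from the OAuth mTLS draft linked in the message. Only the token-endpoint fetch can bind the token to the client's TLS certificate, because the OP never sees that certificate on the callback leg.

```python
import base64
import hashlib
import secrets

# Constructed stand-in for the client's TLS certificate (DER bytes).
CLIENT_CERT_DER = b"constructed-client-cert-der"

def x5t_s256(cert_der):
    """Certificate thumbprint as used in the mTLS 'cnf' claim."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class OP:
    """Minimal authorization-server model (assumed names, not a real OP)."""
    def __init__(self):
        self.pending = {}  # auth_req_id -> {"sub": ..., "cnt": ...}

    def backchannel_authenticate(self, client_notification_token):
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {"sub": "user-123", "cnt": client_notification_token}
        return auth_req_id

    def notify_push(self, auth_req_id):
        # Current draft behaviour: the token rides in the callback. No client
        # TLS certificate is presented on this leg, so no key binding is possible.
        req = self.pending.pop(auth_req_id)
        return {"auth_req_id": auth_req_id, "access_token": {"sub": req["sub"]}}, req["cnt"]

    def notify_fetch(self, auth_req_id):
        # Proposed behaviour: the callback only tells the client to come and fetch.
        req = self.pending[auth_req_id]
        return {"auth_req_id": auth_req_id}, req["cnt"]

    def token_endpoint(self, grant_type, auth_req_id, client_cert_der):
        if grant_type != "urn:openid:params:grant-type:ciba":
            raise ValueError("unsupported_grant_type")
        req = self.pending.pop(auth_req_id)  # one-shot; unknown id raises KeyError
        # The token endpoint sees the mutually-authenticated TLS client cert,
        # so it can issue a certificate-bound token.
        return {"access_token": {"sub": req["sub"], "cnf": {"x5t#S256": x5t_s256(client_cert_der)}}}

def client_flow(op, push):
    cnt = secrets.token_urlsafe(16)  # client_notification_token given to the OP
    auth_req_id = op.backchannel_authenticate(cnt)
    body, bearer = (op.notify_push if push else op.notify_fetch)(auth_req_id)
    if not secrets.compare_digest(bearer, cnt):  # reject callbacks the client did not request
        raise PermissionError("bad client_notification_token")
    if push:
        return body["access_token"]
    return op.token_endpoint("urn:openid:params:grant-type:ciba",
                             body["auth_req_id"], CLIENT_CERT_DER)["access_token"]
```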