[Openid-specs-mobile-profile] CIBA error response from the Backchannel Authentication Endpoint
Brian Campbell
bcampbell at pingidentity.com
Mon Jul 9 19:10:51 UTC 2018
In two places in the Authentication Request Validation section of CIBA,
there is text that says the OpenID Provider MUST return error response per
Section 3.1.2.6 of [OpenID.Core]. However, Section 3.1.2.6 of OpenID.Core
<http://openid.net/specs/openid-connect-core-1_0.html#AuthError> defines
returning errors to the client by redirecting the browser to the client's
redirect_uri. When read literally (and that happens with specs!) the MUST
there is rather nonsensical because the CIBA Authentication Request is a
direct HTTP POST from the client to the OP/AS.
Those two occurrences should probably be updated to point to the
Authentication Error Response section in CIBA (§11
<https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/585e168fcc5d89bbb0e0908ecf2d7498982aac9f/draft-mobile-client-initiated-backchannel-authentication.xml#auth_error_response>
in bitbucket / §6.5
<http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html#auth_error_response>
in the published version) that better defines errors from the Backchannel
Authentication Endpoint. I rather suspect that's the intent of the draft
and the problematic MUSTs are just an oversight.
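To make the distinction in the message concrete, here is an added illustration (not code from the post, the CIBA draft, or any implementation) of the two error-delivery styles: a Core §3.1.2.6 redirect error versus a CIBA §6.5 direct JSON error from the backchannel endpoint. The request validation rules (scope must contain openid, exactly one hint parameter, unknown login_hint maps to unknown_user_id) follow the published draft as I read it; the user list and auth_req_id value are constructed.

```python
import json
from typing import Dict, Tuple
from urllib.parse import urlencode

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# The three mutually exclusive hint parameters a CIBA request may carry.
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")

# Constructed sample user store for the example.
KNOWN_USERS = {"alice", "bob"}


def redirect_error(redirect_uri: str, error: str, state: str = "") -> Response:
    """OpenID Core §3.1.2.6 style: the error rides on a 302 back to the client's
    redirect_uri. Only meaningful when a browser made the request."""
    params = {"error": error}
    if state:
        params["state"] = state
    return 302, {"Location": f"{redirect_uri}?{urlencode(params)}"}, ""


def ciba_error(status: int, error: str, description: str) -> Response:
    """CIBA §6.5 style: the error is the direct HTTP response to the client's
    POST, with a JSON body, no redirect involved."""
    body = json.dumps({"error": error, "error_description": description})
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    return status, headers, body


def validate_backchannel_request(form: Dict[str, str]) -> Response:
    """Validate a form-encoded backchannel authentication request and return
    the response the endpoint would send. Every failure is a direct error;
    the 200 branch stands in for the real Authentication Response."""
    if "openid" not in form.get("scope", "").split():
        return ciba_error(400, "invalid_scope", "scope must include openid")
    hints = [p for p in HINT_PARAMS if p in form]
    if len(hints) != 1:
        return ciba_error(400, "invalid_request",
                          "exactly one of login_hint_token, id_token_hint "
                          "or login_hint is required")
    if hints[0] == "login_hint" and form["login_hint"] not in KNOWN_USERS:
        return ciba_error(400, "unknown_user_id",
                          "login_hint does not identify a known user")
    ok_body = json.dumps({"auth_req_id": "constructed-sample-id", "expires_in": 120})
    return 200, {"Content-Type": "application/json"}, ok_body
```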