[Openid-specs-mobile-profile] CIBA error response from the Backchannel Authentication Endpoint

Brian Campbell bcampbell at pingidentity.com
Mon Jul 9 19:10:51 UTC 2018

In two places in the Authentication Request Validation section of CIBA,
there is text that says the OpenID Provider MUST return error response per
Section of [OpenID.Core].  However, Section of OpenID.Core
<http://openid.net/specs/openid-connect-core-1_0.html#AuthError> defines
returning errors to the client by redirecting the browser to the client's
redirect_uri. When read literally (and that happens with specs!) the MUST
there is rather nonsensical because the CIBA Authentication Request is a
direct HTTP POST from the client to the OP/AS.

Those two occurrences should probably be updated to point to the
Authentication Error Response section in CIBA (§11
in bitbucket / §6.5
in the published version) that better defines errors from the Backchannel
Authentication Endpoint. I rather suspect that's the intent of the draft
and the problematic MUSTs are just an oversight.

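As an added illustration of the point in the message above (my own code, not Brian's and not text from the CIBA draft), here is a minimal handler for the Backchannel Authentication Endpoint that answers a malformed request directly in the HTTP response body, which is the only place an error can go when the request is a client-to-OP POST with no browser and no redirect_uri. The client table, the sample requests, the `expires_in`/`interval` values and the `description` strings are constructed; the error codes (`invalid_request`, `invalid_scope`, `invalid_client`) and the 400/401 statuses are what I recall from CIBA's Authentication Error Response section and should be checked against the version you implement.

```python
"""Direct (non-redirecting) error handling for a CIBA backchannel
authentication request.  Added example, not code from the CIBA draft."""
import json
import secrets

# Constructed client table for the example.  A real OP authenticates the
# client with its registered token-endpoint authentication method.
REGISTERED_CLIENTS = {"client-app-1"}

# CIBA requires exactly one of these hints to identify the end user.
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")

JSON_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store"}


def backchannel_error(status, error, description):
    """Build the error response the endpoint sends back on the same HTTP
    connection: a status code plus a JSON body.  No Location header is ever
    produced here; the front-channel redirect of OpenID Core does not apply."""
    body = {"error": error, "error_description": description}
    return status, dict(JSON_HEADERS), body


def handle_backchannel_authentication(form):
    """Validate a parsed POST body (dict of form fields) and return
    (status, headers, body) for the HTTP response to the client."""
    if form.get("client_id") not in REGISTERED_CLIENTS:
        # Client authentication failure: 401, still returned directly.
        return backchannel_error(401, "invalid_client", "unknown client")

    scope = form.get("scope", "").split()
    if not scope:
        return backchannel_error(400, "invalid_request", "scope is required")
    if "openid" not in scope:
        return backchannel_error(400, "invalid_scope", "scope must include openid")

    hints = [p for p in HINT_PARAMS if p in form]
    if len(hints) != 1:
        return backchannel_error(
            400, "invalid_request",
            "exactly one of login_hint_token, id_token_hint or login_hint is required",
        )

    # Well-formed request: the OP would now contact the authentication device.
    # The client only gets an identifier to poll/ping with, plus timing hints.
    body = {"auth_req_id": secrets.token_urlsafe(32), "expires_in": 120, "interval": 2}
    return 200, dict(JSON_HEADERS), body


def render_http(status, headers, body):
    """Serialise the tuple as the raw HTTP response the client receives, so the
    absence of any redirect is visible on the wire."""
    reason = {200: "OK", 400: "Bad Request", 401: "Unauthorized"}[status]
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"HTTP/1.1 {status} {reason}\r\n{head}\r\n{json.dumps(body)}"


if __name__ == "__main__":
    # Constructed sample: two hints at once, which CIBA forbids.
    bad = {"client_id": "client-app-1", "scope": "openid",
           "login_hint": "alice@example.com", "id_token_hint": "eyJ..."}
    print(render_http(*handle_backchannel_authentication(bad)))
```

The error path never builds a redirect because the request carries no redirect_uri and there is no user agent at the other end of the connection; the client that issued the POST reads the JSON body from the same response.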