[Openid-specs-mobile-profile] CIBA client authentication to the Backchannel Authentication Endpoint

Dave Tonge dave.tonge at momentumft.co.uk
Tue Jul 10 10:16:46 UTC 2018

I'd agree with this - I think the general point as you've made in other
emails is that while the "Backchannel Authentication Endpoint" replaces
the front channel "Authorization Endpoint" in a normal front channel flow
- from an implementation perspective it should be treated in a similar
manner to the token endpoint, i.e. using the same client authentication and
with the requests formatted for server to server communication.

On Mon, 9 Jul 2018 at 22:49, Brian Campbell via Openid-specs-mobile-profile
<openid-specs-mobile-profile at lists.openid.net> wrote:

> The CIBA draft in bitbucket
> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/585e168fcc5d89bbb0e0908ecf2d7498982aac9f/draft-mobile-client-initiated-backchannel-authentication.xml>
> in sec 7.1 (quoted below with similar bits from §7.2) says that the client
> authenticates to the Backchannel Authentication Endpoint using the
> authentication method registered for its client_id. This, of course, is
> also the same client authentication method used at the token endpoint.
> That's sensible and consistent with how client authentication has been done
> at other extension endpoints that the client makes direct requests to.
> The text then goes on to say that the recommended authentication method is
> with a Signed Request Object. However, there is no OAuth client
> authentication method corresponding to a Signed Request Object or any
> signed request style client authentication method defined. So the text
> leaves the reader/implementer with a somewhat inconsistent and unworkable
> recommendation.
> I'd argue that having the client authenticate to the Backchannel
> Authentication Endpoint using the authentication method registered for its
> client_id (and not just those defined by OpenID Core) is the appropriate
> thing for CIBA to specify. And that any requirements or options for signing
> the request payload (perhaps for non-repudiation) be treated as separate
> from general client authentication. Any such requirements or capabilities
> might also benefit from client and/or server metadata parameters defined
> for them.
> From §7.1:
>> The Client MUST authenticate to the Backchannel Authentication Endpoint
>> using the authentication method registered for its client_id. The
>> RECOMMENDED method to authenticate the Client is using an OpenID Connect
>> Signed Request Object
>> <https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject>
>> as described in OpenID.Core. If a Signed Request Object is not used for
>> authentication then one of the authentication methods of Section 9 of
>> [OpenID.Core]
>> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>
>> should be used.
> And from §7.2
>> Authenticate the Client.
>> The client SHOULD use an OpenID Connect Signed Request Object
>> <https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject>
>> as defined in Section 6.3.2 of [OpenID.Core]
>> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>.
>> Then that signature MUST be validated and the Authentication Request MUST
>> fail if the signature is not valid. If the value of the signature's "alg"
>> parameter is "none" then another method of Client authentication MUST be
>> used as described in Section 9 of [OpenID.Core]
>> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>.
>> CIBA is allowing the same Client authentication methods for the
>> Authorization Endpoint that OpenID.Core uses for the Token Endpoint.

Dave Tonge
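As an added illustration of the point made in this thread (this is example code, not from the thread or from the CIBA draft), here is a backchannel authentication request that authenticates the client with client_secret_jwt, one of the OpenID.Core Section 9 methods, in the same way it would at the token endpoint, together with the server-side check of that assertion. The audience value, the client_id and the secret are assumptions; the draft quoted above does not fix an audience for the Backchannel Authentication Endpoint.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import parse_qs, urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_jwt(claims: dict, secret: str) -> str:
    """Compact JWS signed with HS256, as used by client_secret_jwt (OpenID.Core Section 9)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_backchannel_request(client_id, client_secret, audience, scope, login_hint, now=None):
    """Client side: form-encoded body for the backchannel authentication request.
    Client authentication is a client assertion, exactly as at the token endpoint;
    the audience value is an assumption (the draft does not fix it)."""
    now = int(time.time() if now is None else now)
    assertion = hs256_jwt({"iss": client_id, "sub": client_id, "aud": audience,
                           "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}, client_secret)
    return urlencode({"scope": scope, "login_hint": login_hint,
                      "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})

def authenticate_client(form_body, secrets_by_client_id, expected_audience, now=None):
    """Server side: verify the client assertion; return the authenticated client_id or None."""
    now = int(time.time() if now is None else now)
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("client_assertion_type") != ASSERTION_TYPE or "client_assertion" not in params:
        return None
    try:
        h64, p64, s64 = params["client_assertion"].split(".")
        header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected alg
        return None
    secret = secrets_by_client_id.get(claims.get("iss"))
    if secret is None or claims.get("sub") != claims.get("iss"):
        return None
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    if claims.get("aud") != expected_audience or not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return None
    # A production server would also record jti values to reject replayed assertions.
    return claims["iss"]
```

Signing the request payload itself (a Signed Request Object carried in a `request` parameter) would be a separate step from this client authentication, which is the separation Brian argues for above.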