[Openid-specs-mobile-profile] Issue #68: CIBA error response inconsistent from the Backchannel Authentication Endpoint (openid/mobile)
Brian Campbell
issues-reply at bitbucket.org
Thu Jul 12 18:22:39 UTC 2018
New issue 68: CIBA error response inconsistent from the Backchannel Authentication Endpoint
https://bitbucket.org/openid/mobile/issues/68/ciba-error-response-inconsistent-from-the
Brian Campbell:
In two places in the Authentication Request Validation section of CIBA, there is text that says the OpenID Provider MUST return error response per Section 3.1.2.6 of [OpenID.Core]. However, Section 3.1.2.6 of OpenID.Core defines returning errors to the client by redirecting the browser to the client's redirect_uri. When one reads this literally (and that happens with specs!) the MUST there is rather nonsensical because the CIBA Authentication Request is a direct HTTP POST from the client to the OP/AS.
Those two occurrences should probably be updated to point to the Authentication Error Response section in CIBA (§11 in bitbucket / §6.5 in the published version) that better defines errors from the Backchannel Authentication Endpoint. I rather suspect that's the intent of the draft and the problematic MUSTs are just an oversight.
http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001196.html
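The distinction the issue turns on, as an added illustration that is not part of the issue or of either specification's text: an error from OpenID Core Section 3.1.2.6 reaches the client as query parameters on a redirect to its redirect_uri, whereas the Backchannel Authentication Endpoint answers the client's direct HTTP POST, so its error can only travel in the HTTP response itself (CIBA's Authentication Error Response uses an HTTP 4xx status with a JSON body carrying `error` and `error_description`). The sample messages below are constructed, and `handle_error` and its `exchange` dict are hypothetical client-side helpers written for this example.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: error body as returned directly to the client's POST
# at the Backchannel Authentication Endpoint (JSON object, HTTP 400).
CIBA_ERROR_STATUS = 400
CIBA_ERROR_BODY = json.dumps({
    "error": "invalid_request",
    "error_description": "Missing login_hint",
})

# Constructed sample: OpenID Core 3.1.2.6 style error, delivered by
# redirecting the browser to the client's redirect_uri.
CORE_REDIRECT_LOCATION = (
    "https://client.example/cb?error=invalid_request"
    "&error_description=Missing%20scope&state=abc123"
)

ERROR_MEMBERS = ("error", "error_description", "error_uri", "state")


def parse_direct_error(status, body):
    """Parse an error carried in the body of a direct HTTP response.

    Returns None for a non-error status; raises if the body is not a
    well-formed error object (the 'error' member is required).
    """
    if status < 400:
        return None
    data = json.loads(body)
    if "error" not in data:
        raise ValueError("error response lacks the required 'error' member")
    return {k: data[k] for k in ERROR_MEMBERS if k in data}


def parse_redirect_error(location):
    """Parse an error carried as query parameters of a redirect URI."""
    query = parse_qs(urlsplit(location).query)
    if "error" not in query:
        return None  # a successful redirect, not an error response
    return {k: query[k][0] for k in ERROR_MEMBERS if k in query}


def handle_error(exchange):
    """Select the error channel that matches how the request was sent.

    exchange (hypothetical): {'direct_post': bool, 'status': int,
    'body': str} for a direct request, or {'direct_post': False,
    'location': str} for a redirect-based response. A direct POST has no
    redirect_uri, so a redirect there is a protocol error, not an error
    response the client could interpret under Core 3.1.2.6.
    """
    if exchange["direct_post"]:
        if "location" in exchange:
            raise ValueError("backchannel endpoint answered a direct POST with a redirect")
        return parse_direct_error(exchange["status"], exchange["body"])
    return parse_redirect_error(exchange["location"])


if __name__ == "__main__":
    print(handle_error({"direct_post": True,
                        "status": CIBA_ERROR_STATUS,
                        "body": CIBA_ERROR_BODY}))
    print(handle_error({"direct_post": False,
                        "location": CORE_REDIRECT_LOCATION}))
```

A client that expects the redirect form when talking to the backchannel endpoint has nowhere to look for the error; reading the status and JSON body is the only interpretation under which the draft's MUST is satisfiable.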