[Openid-specs-mobile-profile] Issue #73: CIBA client authentication to the Backchannel Authentication Endpoint inconsistent/contradictory (openid/mobile)

Brian Campbell issues-reply at bitbucket.org
Thu Jul 12 18:35:12 UTC 2018


New issue 73: CIBA client authentication to the Backchannel Authentication Endpoint inconsistent/contradictory
https://bitbucket.org/openid/mobile/issues/73/ciba-client-authentication-to-the

Brian Campbell:

The CIBA draft in bitbucket in sec 7.1 (quoted below with similar bits from §7.2) says that the client authenticates to the Backchannel Authentication Endpoint using the authentication method registered for its client_id. This, of course, is also the same client authentication method used at the token endpoint. That's sensible and consistent with how client authentication has been done at other extension endpoints that the client makes direct requests to.

The text then goes on to say that the recommended authentication method is with a Signed Request Object. However, there is no OAuth client authentication method corresponding to a Signed Request Object or any signed request style client authentication method defined. So the text leaves the reader/implementer with a somewhat inconsistent and unworkable recommendation.

I'd argue that having the client authenticate to the Backchannel Authentication Endpoint using the authentication method registered for its client_id (and not just those defined by OpenID Core) is the appropriate thing for CIBA to specify. And that any requirements or options for signing the request payload (perhaps for non-repudiation) be treated as separate from general client authentication. Any such requirements or capabilities might also benefit from client and/or server metadata parameters defined for them.


From §7.1:

```
The Client MUST authenticate to the Backchannel Authentication Endpoint
using the authentication method registered for its client_id.
The RECOMMENDED method to authenticate the Client is using an
OpenID Connect Signed Request Object as described in OpenID.Core.
If a Signed Request Object is not used for authentication then one of
the authentication methods of Section 9 of [OpenID.Core] should be used.
```



And from §7.2:

```
Authenticate the Client.
  The client SHOULD use a OpenID Connect Signed Request Object as
defined in Section 6.3.2 of [OpenID.Core]. Then that signature MUST be
validated and the Authentication Request MUST fail if the signature is
not valid. If the value of the signature's "alg" parameter is "none" then
another method of Client authentication MUST be used as described
in Section 9 on [OpenID.Core]. CIBA is allowing the same Client
authentication methods for the Authorization Endpoint that OpenID.Core
uses for the Token Endpoint.
```



http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001194.html
http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001199.html
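The separation the issue argues for, sketched as an added example that is not part of the issue or of the CIBA draft: the endpoint first authenticates the client with whatever method is registered for its client_id (here client_secret_basic or client_secret_jwt, both from Section 9 of OpenID.Core), and only then, as a distinct step, verifies a Signed Request Object if one was sent, rejecting "alg": "none" outright. The client registry, client ids, secrets and endpoint URL are constructed for the demo; HS256 (a client_secret-derived key) is used so the whole thing runs on the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry (hypothetical client ids and secrets). The method a client
# registered for its client_id is the one it must use at this endpoint as well.
CLIENTS = {
    "client-basic": {"auth_method": "client_secret_basic", "secret": "s3cret-basic"},
    "client-jwt": {"auth_method": "client_secret_jwt", "secret": "s3cret-jwt"},
}
BC_AUTH_ENDPOINT = "https://as.example/bc-authorize"  # hypothetical endpoint URL, used as 'aud'
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a compact JWT. alg='none' yields an unsigned token, used only to exercise rejection."""
    head = _b64url_encode(json.dumps({"alg": alg}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{head}.{body}."
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(mac)}"

def hs256_verify(token: str, secret: str) -> dict:
    """Verify an HS256 JWT; 'none' (or any other alg) is rejected before the MAC check."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def authenticate_client(headers: dict, form: dict, now: float) -> str:
    """Step 1: authenticate with the method registered for client_id (OpenID.Core Section 9)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        reg = CLIENTS.get(client_id)
        if reg is None or reg["auth_method"] != "client_secret_basic":
            raise PermissionError("client not registered for client_secret_basic")
        if not hmac.compare_digest(secret, reg["secret"]):
            raise PermissionError("bad client secret")
        return client_id
    if form.get("client_assertion_type") == ASSERTION_TYPE and "client_assertion" in form:
        token = form["client_assertion"]
        client_id = json.loads(_b64url_decode(token.split(".")[1])).get("iss")  # unverified peek
        reg = CLIENTS.get(client_id)
        if reg is None or reg["auth_method"] != "client_secret_jwt":
            raise PermissionError("client not registered for client_secret_jwt")
        claims = hs256_verify(token, reg["secret"])
        if claims.get("sub") != client_id or claims.get("aud") != BC_AUTH_ENDPOINT or claims.get("exp", 0) <= now:
            raise PermissionError("client assertion claims not acceptable")
        return client_id
    raise PermissionError("no supported client authentication presented")

def unpack_request(form: dict, client_id: str) -> dict:
    """Step 2, separate from authentication: a signed request object, if present, is verified
    against the already-authenticated client's key and must name that client as its issuer."""
    if "request" not in form:
        return {k: v for k, v in form.items() if k not in ("client_assertion", "client_assertion_type")}
    claims = hs256_verify(form["request"], CLIENTS[client_id]["secret"])
    if claims.get("iss") != client_id:
        raise PermissionError("request object issuer does not match authenticated client")
    return claims

def handle_backchannel_request(headers: dict, form: dict, now: float = None) -> dict:
    now = time.time() if now is None else now
    client_id = authenticate_client(headers, form, now)
    return {"client_id": client_id, "params": unpack_request(form, client_id)}

def demo(now: float = 1_600_000_000) -> dict:
    """Three constructed requests: basic auth without a request object, client_secret_jwt
    auth with a signed request object, and a request object with alg 'none' (must fail)."""
    basic = base64.b64encode(b"client-basic:s3cret-basic").decode()
    ok_basic = handle_backchannel_request({"Authorization": "Basic " + basic},
                                          {"scope": "openid", "login_hint": "alice"}, now)
    assertion = hs256_sign({"iss": "client-jwt", "sub": "client-jwt",
                            "aud": BC_AUTH_ENDPOINT, "exp": now + 60}, "s3cret-jwt")
    req = hs256_sign({"iss": "client-jwt", "scope": "openid", "login_hint": "bob"}, "s3cret-jwt")
    ok_jwt = handle_backchannel_request({}, {"client_assertion_type": ASSERTION_TYPE,
                                             "client_assertion": assertion, "request": req}, now)
    unsigned = hs256_sign({"iss": "client-jwt", "scope": "openid"}, "", alg="none")
    try:
        handle_backchannel_request({}, {"client_assertion_type": ASSERTION_TYPE,
                                        "client_assertion": assertion, "request": unsigned}, now)
        none_rejected = False
    except ValueError:
        none_rejected = True
    return {"basic": ok_basic, "jwt": ok_jwt, "none_rejected": none_rejected}
```

Running `demo()` returns the accepted parameters for the first two requests and `none_rejected: True` for the third. The point of the structure is that "which client is this?" is settled by the registered method before the request object is looked at, so a signing requirement on the payload (for non-repudiation or otherwise) can be added or dropped without touching client authentication.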