[Openid-specs-mobile-profile] MODRNA WG call on Oct 2nd 2018 preliminary minutes

philippe.clement at orange.com philippe.clement at orange.com
Wed Oct 3 16:02:41 UTC 2018

Dear all,
Please find enclosed the minutes of our call on Tuesday 2nd of October 2018.
Let me know of any error or misunderstanding

Roll Call (extract from GotoMeeting dashboard)
John Bradley
Philippe Clement (Orange)
Bjorn Hjelm (Verizon)
Brian Campbell
Charles Marais (Orange)
Dave.Tonge (Moneyhub)
Frank-Michael Kamm
Geoff Graham
Martin Hoffmann
Petteri (Ubisecure)
Michael Engan
Hubert Mariotte

Adoption of the Agenda [Bjorn/John]
Agenda agreed

External Organizations

GSMA [Siva]
CPAS Update [Siva]
Not addressed

CIBA without user interaction [Charles/Orange]
Charles and Gonzalo relay a topic discussed in the CPAS, about how to deliver a token (AT) needed by an RP to access resources, without any authentication of the user (no user interaction). In another way, does CIBA usage without user authentication make sense ?
The CPAS group decided to get the opinion of MODRNA.

Discussions about the fact to include Id_token in the case where no authentication occurs.
In the case where a user already consented or due to a specific arrangement, JWT assertion protocol has to be used, preferred to the use of CIBA with no authentication.
In the case where the user already authenticated and a RT exists, the AT can be retrieved with the RT.
Discussions about using the client credentials: If no need to bind the AT to a particular user, usage of client credentials makes sense. However, Client Credentials should be chosen carefully as ATs cover large perimeter.
Anyway, it's not recommended to use the same protocol in the 2 cases, user is authenticated or the user is not. In the case the user has to be authenticated, usage of CIBA is ok. In the other case, usage of JWT assertion is recommended.
Discussions about using specific error codes in CIBA mentioning the preferred usage of JWT assertion: question remains open.

OIX (Martin Hoffmann)
*       Presentation of the LIGHTest project (http://oixuk.org/lightest-project/<https://urldefense.proofpoint.com/v2/url?u=http-3A__oixuk.org_lightest-2Dproject_&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=RVgJNCiVIGmoS69D4YWxmEwGYBjSgl5PEucA6PIVZug&s=7AEeMJ44WLR6zHnJpy9ysS4zHXcRkNNQeU6zXN3bp2U&e=>, https://www.lightest-community.org<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.lightest-2Dcommunity.org&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=RVgJNCiVIGmoS69D4YWxmEwGYBjSgl5PEucA6PIVZug&s=XvWhBwZoTiicKpxAZ0rCNu_CURvolxw6pTNHAmq8pyE&e=>)
*       Establishing trust domains taking into account trust schemes, trust services, LOAs and authentication means (FIDO, Mobile Connect...). Trust schemes are published throughout the world.
*       All documents accessible through DNS service.
*       This project has activities in different groups like FIDO, GSMA, ETSI, OIX, IETF...

Issue Tracker
#93: use Public Claim Names for CIBA JWT claims<https://bitbucket.org/openid/mobile/issues/93/use-public-claim-names-for-ciba-jwt-claims>
   Brian's proposal was to use public collision resistant names, no objection append on the call.

#81: CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint<https://bitbucket.org/openid/mobile/issues/81/ciba-authentication-error-responses-cant>
   The idea is to reuse error codes of the device flow.
   A login_hint_token is expired ? we want to continue to support this use case.
==>     From now to next Tuesday call: Dave to come on with a list of issues to review for people, and cleanup most of the issues.
   Implementers draft is envisioned by the end of October.
Until the next call, look for emails on the list for the CIBA issues.

Best regards,


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20181003/06036df2/attachment.html>

More information about the Openid-specs-mobile-profile mailing list