[Openid-specs-mobile-profile] Issue #130: Final paragraph in introduction is confusing (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Thu Dec 13 14:25:48 UTC 2018


New issue 130: Final paragraph in introduction is confusing
https://bitbucket.org/openid/mobile/issues/130/final-paragraph-in-introduction-is

Joseph Heenan:

I'm struggling to make any sense of this paragraph:

> As the user has no consumption device through which the user is interacting with the Client, this flow will not cause any user credentials to go through the RP. So it should be highlighted that traditional username/password authentication could not be used because only out-of-band mechanisms will work in conjunction with this flow.

As far as I can tell from the other definition, the consumption device is, by definition, the device the user is using to interact with the client.

I also do not see how CIBA rules out a "traditional username/password authentication"; surely the IdP is at liberty to use a username & password as authentication if it wants.

Is this paragraph trying to say something along the lines of "As the user is directly interacting with the IdP through the authentication device, no user credentials pass through the RP and the IdP is free to perform authentication using any method it picks, without the RP having any knowledge of the authentication method used"?

If my suggestion is on the right lines, I can try to refine it.
