[Openid-specs-mobile-profile] Issue #163: CIBA - is AS required to issue an access token? (openid/mobile)

josephheenan issues-reply at bitbucket.org
Thu Sep 5 12:04:13 UTC 2019


New issue 163: CIBA - is AS required to issue an access token?
https://bitbucket.org/openid/mobile/issues/163/ciba-is-as-required-to-issue-an-access

Joseph Heenan:

The CIBA spec [https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.1.1](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.1.1) currently says:

> After receiving and validating a valid and authorized Token Request from the Client and when the end-user associated with the supplied auth_req_id has been authenticated and has authorized the request, the OpenID Provider returns a successful response as specified in Section 3.1.3.3 of [[OpenID.Core]](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#OpenID.Core).

[https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse) states:

> After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token

So as written, CIBA appears to require an access token to be returned. (I'm unsure if this is deliberate.)

Discussion with Petteri revealed they have a use case where only the id_token is required, so they don't return an access token. It would be good to clarify if this is permitted (my main interest as usual is what checks the conformance suite should be making).
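The question above is ultimately about what a conformance check should assert on the CIBA token endpoint response. The following is an added example written for this page, not code from the OpenID conformance suite or from the CIBA spec: a small validator that applies the strict reading (id_token and access_token both required, per OpenID Core 3.1.3.3 as referenced by CIBA 10.1.1) and, when `require_access_token=False`, the lenient reading under which an id_token-only response is accepted and merely noted. The function name, the return shape and the sample responses are all assumptions; the sample id_token is only structurally JWT-shaped and its signature is a placeholder.

```python
import base64
import json


def _b64url(obj):
    """base64url-encode a JSON object without padding (used only to build the sample tokens below)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _looks_like_jwt(value):
    """Structural check: three non-empty base64url segments whose first two decode to JSON.
    Signature and claim validation are deliberately out of scope for this example."""
    if not isinstance(value, str):
        return False
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        for seg in parts[:2]:
            padded = seg + "=" * (-len(seg) % 4)
            json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def check_ciba_token_response(body, require_access_token=True):
    """Validate a successful CIBA token endpoint response body (a JSON string).

    Returns (ok, errors, notes). With require_access_token=True the check follows the
    strict reading of CIBA 10.1.1 -> OpenID Core 3.1.3.3 (id_token AND access_token).
    With require_access_token=False an id_token-only response is accepted and noted.
    """
    errors, notes = [], []
    try:
        resp = json.loads(body)
    except ValueError:
        return False, ["response body is not valid JSON"], notes
    if not isinstance(resp, dict):
        return False, ["response body is not a JSON object"], notes
    if "error" in resp:
        return False, [f"error response received: {resp['error']}"], notes

    # OpenID Core requires an ID Token in every successful token response.
    if not _looks_like_jwt(resp.get("id_token")):
        errors.append("id_token missing or not structurally a JWT")

    if "access_token" in resp:
        # RFC 6749 5.1: token_type is REQUIRED whenever an access token is issued.
        if str(resp.get("token_type", "")).lower() != "bearer":
            errors.append("access_token present but token_type is missing or not 'Bearer'")
        expires_in = resp.get("expires_in")
        if expires_in is not None and not (isinstance(expires_in, int) and expires_in > 0):
            errors.append("expires_in present but not a positive integer")
    elif require_access_token:
        errors.append("access_token missing (required by OpenID Core 3.1.3.3 via CIBA 10.1.1)")
    else:
        notes.append("access_token omitted; accepted because id_token-only responses are allowed in this mode")

    return not errors, errors, notes


# Constructed sample responses (not captured from any real provider).
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                            _b64url({"iss": "https://op.example", "sub": "user1"}),
                            "placeholder-signature"])
FULL_RESPONSE = json.dumps({"access_token": "constructed-opaque-token", "token_type": "Bearer",
                            "expires_in": 3600, "id_token": SAMPLE_ID_TOKEN})
ID_TOKEN_ONLY_RESPONSE = json.dumps({"id_token": SAMPLE_ID_TOKEN})

if __name__ == "__main__":
    for label, body in [("full", FULL_RESPONSE), ("id_token only", ID_TOKEN_ONLY_RESPONSE)]:
        for strict in (True, False):
            ok, errors, notes = check_ciba_token_response(body, require_access_token=strict)
            print(f"{label:13} strict={strict!s:5} ok={ok} errors={errors} notes={notes}")
```

The two modes make the spec ambiguity concrete: the same id_token-only response fails under the strict reading and passes with a note under the lenient one, which is exactly the decision a conformance suite has to make one way or the other.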
More information about the Openid-specs-mobile-profile mailing list