[Openid-specs-mobile-profile] Issue #163: CIBA - is AS required to issue an access token? (openid/mobile)
issues-reply at bitbucket.org
Thu Sep 5 12:04:13 UTC 2019
New issue 163: CIBA - is AS required to issue an access token?
The CIBA spec [https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.1.1](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.1.1) currently says:
> After receiving and validating a valid and authorized Token Request from the Client and when the end-user associated with the supplied auth_req_id has been authenticated and has authorized the request, the OpenID Provider returns a successful response as specified in Section 3.1.3.3 of [[OpenID.Core]](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#OpenID.Core).
> After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token
So as written, CIBA appears to require an access token to be returned. (I'm unsure if this is deliberate.)
Discussion with Petteri revealed they have a use case where only the id_token is required, so they don't return an access token. It would be good to clarify if this is permitted (my main interest as usual is what checks the conformance suite should be making).
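The kind of check the issue is asking about, as an added example that is not part of the original post or of the conformance suite: a validator for a CIBA successful token response that can be run either with the spec read as currently written (access_token required alongside id_token) or with the id_token-only variant permitted. The sample responses are constructed, and the JWT-shaped strings in them are placeholders, not real tokens.

```python
import json
from typing import List

# Constructed sample responses (not taken from the issue or from any real AS).
FULL_RESPONSE = json.dumps({
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.",  # placeholder JWT shape
})
ID_TOKEN_ONLY = json.dumps({
    "id_token": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.",
})


def check_ciba_token_response(body: str, require_access_token: bool = True) -> List[str]:
    """Return conformance findings (empty list = pass) for a CIBA successful token response.

    require_access_token=True is CIBA 10.1.1 as currently written (ID Token *and* Access Token);
    False is the id_token-only behaviour the issue asks whether to permit.
    """
    findings: List[str] = []
    try:
        resp = json.loads(body)
    except json.JSONDecodeError:
        return ["response body is not valid JSON"]
    if not isinstance(resp, dict):
        return ["response body is not a JSON object"]

    # OpenID Connect Core 3.1.3.3: id_token is always REQUIRED; it must look like a compact JWS.
    id_token = resp.get("id_token")
    if not isinstance(id_token, str) or id_token.count(".") != 2:
        findings.append("id_token missing or not a compact JWS (three dot-separated parts)")

    has_access_token = "access_token" in resp
    if require_access_token and not has_access_token:
        findings.append("access_token missing (required by CIBA 10.1.1 as written)")

    if has_access_token:
        # RFC 6749 5.1: token_type is REQUIRED with an access token; OIDC Core 3.1.3.3 says
        # Bearer (case-insensitive) unless another type was negotiated, which we do not model.
        if not isinstance(resp["access_token"], str) or not resp["access_token"]:
            findings.append("access_token present but empty or not a string")
        token_type = resp.get("token_type")
        if not isinstance(token_type, str):
            findings.append("token_type missing alongside access_token")
        elif token_type.lower() != "bearer":
            findings.append(f"token_type {token_type!r} is not Bearer")
    elif "token_type" in resp or "expires_in" in resp:
        findings.append("token_type/expires_in present without an access_token")

    expires_in = resp.get("expires_in")
    if expires_in is not None and (isinstance(expires_in, bool)
                                   or not isinstance(expires_in, int) or expires_in <= 0):
        findings.append("expires_in must be a positive integer number of seconds")
    return findings
```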