[Openid-specs-mobile-profile] Issue #197: Clearer Binding Message Verification (openid/mobile)
ritou
issues-reply at bitbucket.org
Mon Dec 28 03:26:21 UTC 2020
New issue 197: Clearer Binding Message Verification
https://bitbucket.org/openid/mobile/issues/197/clearer-binding-message-verification
Ryo Ito:
The current specification does not define how much validation the OP will perform when the Client specifies the binding\_message.
The requirements will change depending on the use case, such as user-verified or system-verified.
I also think that user selection of Binding Message, which is used by Microsoft and Google, is worth including in the CIBA specification.
I propose a few parameters to make binding message validation mandatory.
* **binding\_message\_verification\_required**
    * OPTIONAL. Specify true if the Client requires the OP to validate the binding\_message. If it is not, it is up to the OP to validate the binding\_message or not.
* **candidate\_binding\_messages**
    * OPTIONAL. A list of “binding\_message” to be used for User Selection. This list must contain the value specified in “binding\_message”. “binding\_message\_verification\_required” is true and the OP must perform User Selection if this value is specified.
Details: [https://ritou.medium.com/binding-message-verification-and-candidate-list-parameter-in-oidc-ciba-90ffcefa6665](https://ritou.medium.com/binding-message-verification-and-candidate-list-parameter-in-oidc-ciba-90ffcefa6665)
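The following is an added example, not part of the original issue or of the CIBA specification: a sketch of how an OP could check a backchannel authentication request carrying the two proposed parameters and decide which verification mode applies. The function names, the mode labels and the sample request are hypothetical, and rejecting a candidate list or a required flag that arrives without a binding\_message is an assumption rather than something the proposal states.

```python
import hmac

class BindingMessageError(ValueError):
    """Reported to the Client with the CIBA error code invalid_binding_message."""
    error = "invalid_binding_message"

def resolve_binding_verification(params):
    """Return (mode, messages_to_show) for one authentication request.

    mode is a hypothetical label: 'user_selection', 'required' or 'op_discretion'.
    """
    message = params.get("binding_message")
    candidates = params.get("candidate_binding_messages")
    required = params.get("binding_message_verification_required", False)

    if candidates is not None:
        if not isinstance(candidates, list) or not all(isinstance(c, str) for c in candidates):
            raise BindingMessageError("candidate_binding_messages must be a list of strings")
        # Proposal: the list must contain the value given in binding_message.
        if message is None or message not in candidates:
            raise BindingMessageError("candidate list must contain binding_message")
        # Proposal: a candidate list implies verification is required, by User Selection.
        return "user_selection", list(candidates)
    if required is True:
        if not message:  # assumption: nothing to verify is an error
            raise BindingMessageError("verification required but no binding_message")
        return "required", [message]
    # Flag absent or false: validating is left to the OP.
    return "op_discretion", [message] if message else []

def check_user_selection(params, selected):
    """True only if the value the user picked on the authentication device
    equals the binding_message shown on the consumption device."""
    mode, _ = resolve_binding_verification(params)
    if mode != "user_selection":
        raise BindingMessageError("request does not use User Selection")
    return hmac.compare_digest(selected.encode(), params["binding_message"].encode())

# Constructed sample request parameters (not taken from the issue).
SAMPLE_REQUEST = {
    "login_hint": "user@example.com",
    "binding_message": "42",
    "candidate_binding_messages": ["17", "42", "93"],
}

if __name__ == "__main__":
    print(resolve_binding_verification(SAMPLE_REQUEST))
    print(check_user_selection(SAMPLE_REQUEST, "42"))
```

A wrong pick in `check_user_selection` should fail the authentication request on the OP side instead of offering the user another try against the same list.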