[Openid-specs-mobile-profile] Issue #197: Clearer Binding Message Verification (openid/mobile)

ritou issues-reply at bitbucket.org
Mon Dec 28 03:26:21 UTC 2020

New issue 197: Clearer Binding Message Verification

Ryo Ito:

The current specification does not define how much validation the OP will do when the Client specifies the binding_message.
The requirements will change depending on the use case, such as user-verified or system-verified.
I also think that user selection of the Binding Message, which is used by Microsoft and Google, is worth including in the CIBA specification.

I propose a few parameters to make binding message validation mandatory.

* **binding_message_verification_required**
    * OPTIONAL. Specify true if the Client requires the OP to validate the binding_message. If not, it is up to the OP whether to validate the binding_message or not.
* **candidate_binding_messages**
    * OPTIONAL. A list of "binding_message" values to be used for User Selection. This list must contain the value specified in "binding_message". If this value is specified, "binding_message_verification_required" is true and the OP must perform User Selection.

Details: https://ritou.medium.com/binding-message-verification-and-candidate-list-parameter-in-oidc-ciba-90ffcefa6665
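To make the proposed semantics concrete, here is an added illustration of how an OP could process the two parameters; it is not code from the issue author, the CIBA specification or any OP implementation. It assumes the backchannel authentication request has already been decoded into a dict (for example from a signed request object), that `candidate_binding_messages` arrives as a JSON array, and that the length limit and character policy are local OP choices. The `invalid_binding_message` and `invalid_request` error codes are the ones CIBA Core already defines; the two parameter names are the proposal's.

```python
"""Hypothetical OP-side handling of the proposed binding_message parameters.

Constructed example. `binding_message_verification_required` and
`candidate_binding_messages` are the names proposed in the issue, not
parameters defined by CIBA Core 1.0. Request parameters are assumed to be
already decoded into a dict (e.g. from a signed request object).
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed OP policy (not a spec constant): CIBA Core lets the OP reject a
# binding_message that is too long or has unsuitable characters with the
# `invalid_binding_message` error.
MAX_BINDING_MESSAGE_LEN = 20


class InvalidRequest(Exception):
    """Carries the CIBA error code the OP would return in args[0]."""


@dataclass
class BindingPlan:
    """What the OP must do with the binding message for this request."""
    message: str
    verification_required: bool
    user_selection: bool
    candidates: List[str] = field(default_factory=list)


def _as_bool(value) -> bool:
    # Form-encoded requests carry "true"/"false" strings; request objects carry booleans.
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def _check_message_format(msg) -> None:
    if not isinstance(msg, str) or not msg.strip():
        raise InvalidRequest("invalid_binding_message")
    if len(msg) > MAX_BINDING_MESSAGE_LEN or any(ord(c) < 0x20 for c in msg):
        raise InvalidRequest("invalid_binding_message")


def plan_binding_verification(params: dict) -> BindingPlan:
    """Derive the binding-message handling from the request parameters."""
    msg = params.get("binding_message")
    if msg is None:
        # The proposed parameters are meaningless without a binding_message.
        if "binding_message_verification_required" in params or "candidate_binding_messages" in params:
            raise InvalidRequest("invalid_request")
        return BindingPlan(message="", verification_required=False, user_selection=False)

    _check_message_format(msg)
    required = _as_bool(params.get("binding_message_verification_required", False))
    candidates = params.get("candidate_binding_messages")
    if candidates is None:
        return BindingPlan(msg, required, False)

    # Proposal: the list must contain binding_message; a list implies
    # verification_required=true and a User Selection step at the OP.
    if not isinstance(candidates, list) or len(candidates) < 2 or len(set(candidates)) != len(candidates):
        raise InvalidRequest("invalid_request")
    for candidate in candidates:
        _check_message_format(candidate)
    if msg not in candidates:
        raise InvalidRequest("invalid_request")

    # Present the candidates in an order the consumption device cannot predict,
    # so the correct one is not identifiable by position.
    shuffled = list(candidates)
    secrets.SystemRandom().shuffle(shuffled)
    return BindingPlan(msg, True, True, shuffled)


def check_user_response(plan: BindingPlan, user_input: Optional[str]) -> bool:
    """Decide whether the answer from the authentication device binds the two devices."""
    if not plan.verification_required:
        return True  # display only: nothing to compare
    if user_input is None:
        return False  # verification was required but the user gave no answer
    if plan.user_selection and user_input not in plan.candidates:
        return False  # answer was not one of the offered choices
    return user_input == plan.message
```

The two distinct behaviours the proposal asks for fall out of `plan_binding_verification`: with only `binding_message_verification_required=true` the OP asks the user to confirm or enter the message and compares; with `candidate_binding_messages` it must present the list and accept only the candidate equal to the Client's `binding_message`. A request that supplies a candidate list without the real message in it, or with duplicates, is rejected before any user interaction.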
