<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:TIMES;
panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:75250628;
mso-list-type:hybrid;
mso-list-template-ids:-1983064746 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">These two lines were mainly entered to demonstrate agreement that the use case section is needed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The difference between the two might be that
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">the call center agents trigger the CIBA request using the MSISDN they see on their telephone. Their Backend is then using client_id/client_secret to authenticate to the OP and CIBA delivers the id_token
to the RP with further user claims.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">The Bank clerk might know some account number of their costumer which the bank backend translates into a iss/sub data (whatever) because there is an account number to iss/sub relationship that the bank
has learned from another interaction of the customer with the Bank’s system. There might be an access token from that earlier interaction that the RP (Bank) uses to authentication the CIBA request.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Certainly the use cases need to be more than one line and I would be happy if you provide your own additional use cases for CIBA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Please provide text.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">//Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>On Behalf Of </b>charles.marais@orange.com<br>
<b>Sent:</b> Wednesday, November 30, 2016 12:45 PM<br>
<b>To:</b> openid-specs-mobile-profile@lists.openid.net; AILLERY Nicolas IMT-OLPS; VASSELET Mickael IMT-OLN; CLEMENT Philippe IMT TECHNO<br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] CIBA comments<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi All,<o:p></o:p></p>
<p>To extend James comments, some additional comments :<o:p></o:p></p>
<p>Concerning the Use Cases, <o:p></o:p></p>
<pre>A call center agent wants to authenticate a caller.<o:p></o:p></pre>
<p>A major difference between CIBA and OpenID Connect Core flows is that potentially, there is no consumption device (for the SP) in that case. In this specific case, there is an additional requirement : the SP need to previously know the couple (sub/iss) for
the user to authenticate... otherwise, in case of a new user, the federation with an existing account is not possible (because no user agent available). This points out the question of the first authentication of a specific user on that SP or reformulated
: "How the SP discover/learn, the couple sub/iss for a specific user ?".<o:p></o:p></p>
<pre>A bank wants to authenticate a customer.<o:p></o:p></pre>
<p>What is the difference between this one and the first one ?<o:p></o:p></p>
<p>BR,<o:p></o:p></p>
<p>Charles.<o:p></o:p></p>
<div>
<p class="MsoNormal">Le 30/11/2016 à 07:42, Manger, James a écrit :<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoPlainText">Comment on OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0 <draft-mobile-client-initiated-backchannel-authentication-01>:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">1.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.1] Client authentication to the CIBA endpoint is as per the token endpoint (eg with client creds), not as per an RS such as the UserInfo endpoint (eg with an access token). Good or Bad? I’m not certain.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">2.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>The spec doesn’t indicate how the CIBA endpoint can be discovered from OP metadata.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Mainly editorial:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">1.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[Abstract] The abstract is too long with too much background and the intro too short. Swap them over. The abstract would be better as 1 paragraph on what CIBA delivers, while the intro can explain the relationship of other OpenID Connect flows.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">2.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[intro] CIBA isn’t “an authentication flow of the [OIDC] Core 1.0 specification”. Perhaps describe it as an extension of OIDC.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">3.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[3.1] specifiy → specify<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">4.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[3.1] Move the “registration at the OP” sentence from 3<sup>rd</sup> paragraph to the first, deleting the poorer duplicates in the 1<sup>st</sup> para.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">5.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[3.2] The bank example doesn’t have enough (any) context. How about: “A bank teller wants to authenticate a customer in a bank branch” — so it is using CIBA for auth in a face-to-face scenario.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">6.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.1] Don’t say a CIBA request is an OAuth 2.0 authz request, because it is different (it doesn’t redirect the user, and uses JSON not x-www-form-urlencoded). Say it uses some of the same parameters as an OAuth 2.0 (or OIDC) auth request.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">7.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.1] “scope” parameter: put the “openid” scope value in quotes.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">8.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.1] Add a blank line between HTTP headers and the body<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">9.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.2] Fix grammar around “and is not expired”<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">10.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.3] Should the min polling interval be expressed in milliseconds, instead of seconds which is almost too coarse<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">11.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[5] Don’t start by saying “once the end-user is authenticated”. Need some words about that being done, eg "The OP authenticates the user identified by the client. How this occurs is up to the OP, and is out-of-scope of this specification."; might need
to mention acr_values.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">12.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[6.1] The example’s body syntax is wrong (strange mix of part JSON, part x-www-form-urlencoded)<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">13.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[4.3, 6.2] Drop the Pragma headers. I don’t think the Cache-Control headers help either as POSTs are not cacheable by default anyway.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">14.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[7] Mention the risk to an OP of accepting arbitrary URIs for the client notification endpoint that it will later call. At least need to check it doesn’t point “inside” the OP’s network.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">15.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[6.3.2] OAuth 2.0 uses “access_token” (& “token_type”) to deliver a bearer token that the other party then uses. Might be better to use the same names, instead of using “client_req_id” to deliver a bearer token.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt">16.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>[heading] The spec is dated “Aug 18, 2016”; should update that with each commit.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">--<o:p></o:p></p>
<p class="MsoPlainText">James Manger<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Openid-specs-mobile-profile mailing list<o:p></o:p></pre>
<pre><a href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a><o:p></o:p></pre>
<pre><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">--
<br>
</span><span style="font-size:10.0pt;font-family:"TIMES","serif""><img border="0" width="40" height="40" id="_x0000_i1025" src="cid:image001.gif@01D24B17.BFC0CBA0"><br>
<br>
<b>MARAIS Charles </b><br>
<b>Orange Labs Lannion</b><br>
Tel : +33 (0)2 96 07 24 18 <br>
<a href="mailto:charles.marais@orange.com">charles.marais@orange.com</a><br>
Orange Labs Lannion <br>
2, avenue Pierre Marzin <br>
22307 LANNION Cedex - France <br>
<br>
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
</div>
<pre>_________________________________________________________________________________________________________________________<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<o:p></o:p></pre>
<pre>pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<o:p></o:p></pre>
<pre>a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<o:p></o:p></pre>
<pre>Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>This message and its attachments may contain confidential or privileged information that may be protected by law;<o:p></o:p></pre>
<pre>they should not be distributed, used or copied without authorisation.<o:p></o:p></pre>
<pre>If you have received this email in error, please notify the sender and delete this message and its attachments.<o:p></o:p></pre>
<pre>As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<o:p></o:p></pre>
<pre>Thank you.<o:p></o:p></pre>
</div>
</body>
</html>