[Openid-specs-fapi] Issue #118: CIBA - Signature for error token notification (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Mon Jul 17 10:25:20 UTC 2017


New issue 118: CIBA - Signature for error token notification
https://bitbucket.org/openid/fapi/issues/118/ciba-signature-for-error-token

Dave Tonge:

The current MODRNA CIBA spec is not clear on how errors are sent to the client's notification endpoint.

In the FAPI CIBA profile I've required the AS to include two additional parameters when sending an error to the notification endpoint:

 - `auth_req_id`
 - `id_token`: with an `auth_req_id` claim

I think that these two parameters are necessary to enable the client to associate the error with the auth_req_id received from the backchannel authentication endpoint, and to be assured of the source authentication and integrity of the payload. 

It would be good to get feedback on whether this is a sensible approach.
Also, perhaps this adjustment could go into the MODRNA CIBA spec?

Responsible: dgtonge
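
The client-side check that these two parameters make possible, as an added example that is not part of the original issue or of either spec: the client accepts an error notification only if its `auth_req_id` is one it has pending, the `id_token` signature verifies, and the token's `auth_req_id` claim matches the outer parameter. HS256 with a shared key is an assumption made so the code runs on the Python standard library alone; the function names, key and request id are constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed shared key (assumption: HS256)
PENDING = {"req-1c2d"}          # constructed auth_req_id the client is waiting on

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the AS: build a compact JWS over the given claims."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def check_error_notification(msg: dict, key: bytes, pending: set) -> str:
    """Return 'accepted' or the reason the notification is rejected."""
    req_id, token = msg.get("auth_req_id"), msg.get("id_token")
    if not isinstance(req_id, str) or not isinstance(token, str):
        return "missing auth_req_id or id_token"
    if req_id not in pending:
        return "unknown auth_req_id"
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed id_token"
    try:
        header = json.loads(b64u_dec(parts[0]))
        claims = json.loads(b64u_dec(parts[1]))
        sig = b64u_dec(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed id_token"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "malformed id_token"
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    # Bind the signed token to the outer parameter the client correlates on.
    if claims.get("auth_req_id") != req_id:
        return "auth_req_id mismatch"
    return "accepted"
```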

