[Openid-specs-fapi] CIBA: client notification endpoint authentication methods

Tom Jones thomasclinganjones at gmail.com
Thu Jul 20 15:33:35 UTC 2017


This is a small part of the larger problem I addressed in issue 104. It
will be a little while before I can get to writing a full solution, but I
do believe two things at this time.
1. the problem should be addressed at a higher level
2. the connect document has some unacceptable requirements

..tom

thx ..Tom (mobile)

On Jul 20, 2017 3:41 AM, "Nat Sakimura via Openid-specs-fapi" <openid-specs-fapi at lists.openid.net> wrote:

> Has there been any feedback on this?
>
> On Tue, Jul 11, 2017 at 11:16 PM +0200, "Axel Nennker via
> Openid-specs-fapi" <openid-specs-fapi at lists.openid.net> wrote:
>
>> Hi,
>>
>> In Client Initiated Backchannel Authentication there are two modes for how
>> the results are transferred back to the client.
>>
>> Polling and notification.
>>
>> When the mode is notification then the OP posts the authentication result
>> (the tokens) back to the client.
>>
>> https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3
>>
>> Obviously not everybody on the Internet should be able to post to that
>> client endpoint.
>>
>> So when the Client sends a CIBA Authentication Request, that request
>> contains a bearer token, and when the user has authenticated and the OP
>> notifies the Client, this token is used to authenticate the OP to the Client.
>>
>> Currently there is no other way to authenticate the OP when notifications
>> are posted.
>>
>> Should we make CIBA more flexible here?
>>
>> Does FAPI require better authentication?
>>
>> Kind regards
>>
>> Axel
>>
>> In the example from CIBA, "Authorization: Bearer 8d67dc78-7faa-4d41-aabd-67707b374255"
>> is the bearer token which is provided by the client in the Authentication
>> request as "client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255".
>>
>> *DEUTSCHE TELEKOM AG*
>> T-Labs (Research & Innovation)
>> Axel Nennker
>> Winterfeldtstr. 21, 10781 Berlin
>> +491702275312 (Tel.)
>>
>> E-Mail: axel.nennker at telekom.de
>>
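
The check Axel describes above, a client notification endpoint that accepts the OP's POST only when it carries the client_notification_token the client itself sent in the CIBA Authentication Request, as an added Python example that is not part of the thread or of the CIBA draft. It goes a little beyond the text by binding each token to its auth_req_id, comparing in constant time, enforcing a lifetime and refusing replays. The class name, method names, the 300 second lifetime and the sample notification body are assumptions made for this example.

```python
import hmac
import json
import secrets
import time

# Assumed lifetime of a pending authentication request (a choice made for
# this example, not a CIBA requirement).
TOKEN_TTL_SECONDS = 300


class CibaClientNotificationEndpoint:
    """Client side of CIBA notification mode: mints one
    client_notification_token per Authentication Request and accepts the
    OP's POST only when that token comes back as a bearer credential.
    Class and method names are assumptions for this example."""

    def __init__(self, now=time.time):
        self._now = now
        # auth_req_id -> (expected client_notification_token, expiry time)
        self._pending = {}

    def new_client_notification_token(self, auth_req_id):
        """Generate an unguessable token for one request. The client sends it
        to the OP as client_notification_token and remembers it here, bound
        to the auth_req_id it expects the OP to echo back."""
        token = secrets.token_urlsafe(32)
        self._pending[auth_req_id] = (token, self._now() + TOKEN_TTL_SECONDS)
        return token

    def handle_notification(self, headers, body):
        """Process a POST from the OP. Returns (http_status, tokens_or_None);
        tokens are released only on 200."""
        # 1. The request must carry a bearer credential (the scheme name is
        #    case-insensitive per RFC 6750).
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        presented = presented.strip()
        if scheme.lower() != "bearer" or not presented:
            return 401, None

        # 2. The body must name the auth_req_id this notification belongs to.
        try:
            payload = json.loads(body)
            auth_req_id = payload["auth_req_id"]
        except (ValueError, KeyError, TypeError):
            return 400, None
        if not isinstance(auth_req_id, str):
            return 400, None

        # 3. The token must be the one minted for exactly that request, still
        #    within its lifetime, and compared in constant time so a wrong
        #    guess does not leak how many leading bytes matched.
        entry = self._pending.get(auth_req_id)
        if entry is None:
            return 401, None
        expected, expires_at = entry
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return 401, None
        if self._now() > expires_at:
            del self._pending[auth_req_id]
            return 401, None

        # 4. Single use: a replayed notification with the same token is refused.
        del self._pending[auth_req_id]
        tokens = {k: payload[k]
                  for k in ("access_token", "id_token", "refresh_token")
                  if k in payload}
        return 200, tokens


if __name__ == "__main__":
    client = CibaClientNotificationEndpoint()
    tok = client.new_client_notification_token("req-1")  # sent to the OP
    # Constructed sample notification, shaped like the OP's POST body.
    body = json.dumps({"auth_req_id": "req-1", "access_token": "AT-example"})
    print(client.handle_notification({"Authorization": "Bearer " + tok}, body))
    print(client.handle_notification({"Authorization": "Bearer " + tok}, body))
```

The second call in the usage block is rejected because the token was consumed by the first; the same happens for a token presented against a different auth_req_id, for a request without a bearer credential, or after the assumed lifetime has passed.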