[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)
torsten at lodderstedt.net
Thu Jun 4 08:52:14 UTC 2020
There are multiple layers/options in this discussion:
(1) unbundling CIBA from OIDC requires an alternative mechanism to sign the token response. As far as I remember it uses the ID token now. We could use a simple JWT instead.
(2) Having another endpoint and corresponding grant type for embedded requires a new spec but would be compatible with the OAuth2 design philosophy. I mean, grant types are an extension point.
(3) An adaptive mechanism for sending the client to different flows could be implemented as extension of PAR. I’m not sure whether there is a need for this.
> Am 04.06.2020 um 10:40 schrieb Joseph Heenan <joseph at authlete.com>:
>> On 4 Jun 2020, at 09:30, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> Hi Joseph,
>>> I think there’s definitely an argument for this new endpoint allowing, somehow, for multiple alternative flows (including CIBA or a redirect) to result based on AS/RP capabilities & the situation of which methods the user has available + various risk indicators.
>>> Fully appreciate your points about OAuth2 and I’m not sure how cleanly it’s possible to do the above within the constraints of OAuth2.
>> What constraints do you have in mind?
> I’m not sure, but across the existing RFC/IETF drafts/OIDF specs there are multiple ways of initiating an oauth2 flow, each of which returns its own kind of what is essentially a handle for the request, and I’m not sure there’s a neat way for a new endpoint to send the client down alternative paths.
> For example, a pushed authentication request might/could contain all the info necessary for the AS to give an idea of which flows to return. It would be a bit unnatural perhaps to start a flow by sending a request to the new endpoint we’ve invented in this thread, only for the AS to then say “based on that I want you to do a redirect flow, start by resending what you just sent me to the pushed authentication request endpoint”. Similarly the CIBA endpoint currently receives roughly the same set of info.