[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)

Torsten Lodderstedt torsten at lodderstedt.net
Thu Jun 4 08:52:14 UTC 2020


There are multiple layers/options in this discussion:

(1) unbundling CIBA from OIDC requires an alternative mechanism to sign the token response. As far as I remember it uses the ID token now. We could use a simple JWT instead.

(2) Having another endpoint and corresponding grant type for embedded requires a new spec but would be compatible with the OAuth2 design philosophy. I mean, grant types are an extension point.

(3) An adaptive mechanism for sending the client to different flows could be implemented as extension of PAR. I’m not sure whether there is a need for this.



> On 04.06.2020 at 10:40, Joseph Heenan <joseph at authlete.com> wrote:
> 
> 
> 
>> On 4 Jun 2020, at 09:30, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> 
>> Hi Joseph,
>> 
>>> 
>>> I think there’s definitely an argument for this new endpoint allowing, somehow, for multiple alternative flows (including CIBA or a redirect) to result based on AS/RP capabilities & the situation of which methods the user has available + various risk indicators.
>>> 
>>> Fully appreciate your points about OAuth2 and I’m not sure how cleanly it’s possible to do the above within the constraints of OAuth2.
>> 
>> What constraints do you have in mind?
> 
> I’m not sure, but across the existing RFC/IETF drafts/OIDF specs there are multiple ways of initiating an oauth2 flow, each of which returns its own kind of what is essentially a handle for the request, and I’m not sure there’s a neat way for a new endpoint to send the client down alternative paths.
> 
> For example, a pushed authentication request might/could contain all the info necessary for the AS to give an idea of which flows to return. It would be a bit unnatural perhaps to start a flow by sending a request to the new endpoint we’ve invented in this thread, only for the AS to then say “based on that I want you to do a redirect flow, start by resending what you just sent me to the pushed authentication request endpoint”. Similarly the CIBA endpoint currently receives roughly the same set of info.
> 
> Joseph
> 
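As an added illustration of option (1) in the message above (not code from the thread, from OIDF or from any spec): if the token response of an unbundled CIBA flow were signed as a plain JWT instead of relying on an ID Token, the client would verify that JWT before trusting the tokens in it. The claim layout, the 60-second lifetime and the use of an HS256 shared key are assumptions made here so the example runs with the standard library alone; a real AS would sign with its asymmetric JWK and the client would validate against the published key set.

```python
"""Added example, not part of the original thread or any OIDF spec.

Models a token response signed as a simple JWT (option (1) above).
The claim set, the 60-second lifetime and the HS256 shared key are
constructed assumptions so the example runs offline; a real AS would
use an asymmetric JWS key advertised in its JWK Set.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token_response(token_response: dict, issuer: str,
                        client_id: str, key: bytes, now: int) -> str:
    """AS side: wrap the token response in an HS256-signed JWT.

    iss/aud/iat/exp bind the response to this AS, this client and a
    short validity window so a captured response cannot be replayed
    to another client later.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(token_response)
    payload.update({"iss": issuer, "aud": client_id,
                    "iat": now, "exp": now + 60})
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact(header))}.{b64url(compact(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token_response(jwt_str: str, issuer: str, client_id: str,
                          key: bytes, now: int) -> dict:
    """Client side: check alg, signature, issuer, audience and expiry.

    Raises ValueError on any failure; only a fully validated payload
    is returned, so callers never see tokens from an unverified response.
    """
    parts = jwt_str.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm: never let the token choose (alg=none etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if payload.get("aud") != client_id:
        raise ValueError("wrong audience")
    if now >= payload.get("exp", 0):
        raise ValueError("expired")
    return payload


def demo() -> dict:
    """Round trip with constructed sample values."""
    key = b"constructed-shared-key-for-demo-only"
    issuer = "https://as.example"          # constructed
    client_id = "client-123"               # constructed
    response = {"access_token": "at-abc", "token_type": "Bearer",
                "expires_in": 300}
    now = 1_591_260_000
    jwt_str = sign_token_response(response, issuer, client_id, key, now)
    return verify_token_response(jwt_str, issuer, client_id, key, now + 5)


if __name__ == "__main__":
    print(demo())
```

The verifier pins the algorithm and checks audience and expiry before returning anything, which is the point of signing the response at all: a client that merely parsed the JSON would gain nothing over an unsigned response.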