[Openid-specs-mobile-profile] claims request in CIBA
Axel.Nennker at telekom.de
Wed Nov 23 08:58:26 UTC 2016
Not sure whether adding the next parameter is the right approach.
Maybe it is simpler to allow everything from MODRNA and not mention OAuth2 at all in this section and then state that redirect_uri "of course" makes no sense so that is a MUST NOT.
It depends which explanation is clearer (and maybe shorter):
- allow all parameters from MODRNA minus redirect_uri
- list what is allowed and forbidden/useless
Honestly not sure about this. I think actually writing both versions and discussing them would help me.
Regarding implementation: I think that OPs might use the same code as in MODRNA, but where currently only GET is allowed they allow POST too and then do the CIBA handling in the POST case - e.g. ignore redirect_uri or error on it.
Maybe it makes sense to look at implementations and check which parameters make sense in both cases and which do not.
From: GONZALO FERNANDEZ RODRIGUEZ [mailto:gonzalo.fernandezrodriguez at telefonica.com]
Sent: Wednesday, November 23, 2016 8:37 AM
To: Torsten Lodderstedt; Nennker, Axel
Cc: Walter, Florian; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] claims request in CIBA
If nobody disagrees I will add it.
On 23/11/16 08:25, "Openid-specs-mobile-profile on behalf of Torsten Lodderstedt" <openid-specs-mobile-profile-bounces at lists.openid.net on behalf of torsten at lodderstedt.net> wrote:
>I think that should be possible. In my opinion, any function/parameter not directly bound to managing/securing the OIDC front channel communication should be allowed/supported in/by CIBA.
>> Am 22.11.2016 um 18:28 schrieb <Axel.Nennker at telekom.de> <Axel.Nennker at telekom.de>:
>> Can the Client ask for "claims" in "OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0"?
>> This sentence seems to prohibit this:
>> "Authentication Requests are made using the MODRNA profile. Only the following parameters are taken into consideration in the Client initiated Backchannel Authentication flow. The rest of the request parameters defined in OAuth 2.0 [RFC6749] MUST be ignored by the Authorization Server. "
>> "the following parameters" are
>> scope, client_req_id, client_notification_endpoint, acr_values,
>> login_hint_token, id_token_hint, login_hint and context
>> Can the Client ask e.g. for "claims" in CIBA?
>> MODRNA adds these parameters to the authentication request of OpenID.core.
>> acr_values, login_hint and binding_message
>> OpenID.core allows/requires the following parameters:
>> scope, response_type, client_id, redirect_uri, state, response_mode,
>> nonce, display, prompt, max_age, ui_locales, id_token_hint, login_hint, acr_values and a bunch more like "claims".
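The parameter handling Axel sketches above (reuse the MODRNA request parser, accept only the listed backchannel parameters, and either ignore redirect_uri or error on it) can be written as a small filter. The following is an added example, not code from the thread or from any OP implementation; the accepted parameter names are the ones quoted from the draft (scope, client_req_id, client_notification_endpoint, acr_values, login_hint_token, id_token_hint, login_hint, context), the front-channel-only names come from the OpenID.core list in the thread, and the flags allow_claims and reject_redirect_uri are assumptions that model the two open questions of the discussion.

```python
"""Parameter filtering for a CIBA backchannel authentication request.

Constructed example (not from the thread or any CIBA implementation): it
encodes the two handling options discussed, 'ignore redirect_uri' versus
'error on it', and lets 'claims' be switched on as an accepted parameter.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Parameters the quoted draft text lists as "taken into consideration".
CIBA_PARAMS: FrozenSet[str] = frozenset({
    "scope", "client_req_id", "client_notification_endpoint", "acr_values",
    "login_hint_token", "id_token_hint", "login_hint", "context",
})

# OpenID.core parameters that only manage the browser front channel
# (redirect, response delivery, UI); they carry no meaning on a backchannel.
FRONT_CHANNEL_ONLY: FrozenSet[str] = frozenset({
    "redirect_uri", "response_type", "response_mode", "state", "nonce",
    "display", "prompt", "ui_locales",
})


@dataclass
class FilterResult:
    """Outcome of filtering one request."""
    accepted: Dict[str, str] = field(default_factory=dict)
    ignored: List[str] = field(default_factory=list)   # dropped silently
    errors: List[str] = field(default_factory=list)    # request must be rejected

    @property
    def ok(self) -> bool:
        return not self.errors


def filter_ciba_request(params: Dict[str, str], *, allow_claims: bool = False,
                        reject_redirect_uri: bool = True) -> FilterResult:
    """Split a raw POST parameter map into accepted / ignored / errors.

    allow_claims       : assumed switch; True models the proposal to let a
                         Client send "claims" on the backchannel request.
    reject_redirect_uri: True models "MUST NOT" (error on it), False models
                         the draft's "MUST be ignored" handling.
    """
    allowed = set(CIBA_PARAMS)
    if allow_claims:
        allowed.add("claims")

    result = FilterResult()
    for name, value in params.items():
        if name in allowed:
            result.accepted[name] = value
        elif name == "redirect_uri" and reject_redirect_uri:
            result.errors.append("redirect_uri is not allowed on a backchannel request")
        else:
            # Covers FRONT_CHANNEL_ONLY and any unknown OAuth 2.0 parameter.
            result.ignored.append(name)

    # OpenID Connect requires the "openid" scope value on an authentication request.
    scope_values = result.accepted.get("scope", "").split()
    if "openid" not in scope_values:
        result.errors.append('scope must contain "openid"')
    return result


if __name__ == "__main__":
    # Constructed sample request as an OP might receive it on the POST endpoint.
    sample = {
        "scope": "openid", "client_req_id": "req-123",
        "login_hint": "example-user", "redirect_uri": "https://client.example/cb",
        "claims": '{"id_token": {"email": null}}', "state": "xyz",
    }
    print(filter_ciba_request(sample))
    print(filter_ciba_request(sample, allow_claims=True, reject_redirect_uri=False))
```

Run with the defaults the filter rejects the request because of redirect_uri and drops claims and state; with allow_claims=True and reject_redirect_uri=False the same request is accepted with claims kept and redirect_uri merely reported as ignored, which is the "ignore vs. error" choice the thread leaves open.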