[Openid-specs-mobile-profile] Comments about CIBA Draft

charles.marais at orange.com charles.marais at orange.com
Wed Apr 19 08:49:21 UTC 2017


Hi,

We would like to share with you some of our concerns about CIBA as it 
may be soon accepted at the end of the current implementer's draft period :

- The end-to-end use cases addressed by CIBA are still unclear for us. 
We do understand the necessity to have a specification allowing the 
retrieval of an OAuth 2.0 access_token in a back channel mode but we 
don't have in mind end-to-end use cases that require the delivery of an 
id_token in pure back channel mode. @John,Joerg : Did you have time to 
think about Use Cases for CIBA ?

- On a security point of view, we think that we missed something. With 
the current specification, it seems to be possible to register a bad 
client interested by the polling mode with a legitimate client's 
sector_identifier_uri and even redirect_uri. In this way, the bad client 
will receive a sub dedicated for the legitimate client.

- GSMA is already working on an evolution of CIBA allowing synchronous 
responses. In their mind (GSMA), they want to address use cases in which 
the OP doesn't authenticate the user. It could maybe be relevant to 
include this evolution in the current specification.

Thanks for your opinions on these aspects,

Br,

The Orange Team.


-- 

*MARAIS Charles *
*Orange Labs Lannion*
Tel : +33 (0)2 96 07 24 18
charles.marais at orange.com <mailto:charles.marais at orange.com>
Orange Labs Lannion
2, avenue Pierre Marzin
22307 LANNION Cedex - France



_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170419/97e1fc46/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: orange_logo.gif
Type: image/gif
Size: 1264 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170419/97e1fc46/attachment.gif>


More information about the Openid-specs-mobile-profile mailing list