[Openid-specs-mobile-profile] [E] CIBA - Backchannel Authentication Endpoint and OIDC request object endpoint

n-sakimura at nri.co.jp n-sakimura at nri.co.jp
Fri May 12 08:07:29 UTC 2017


Have a good meeting! 

--
PLEASE READ This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail. 

----Original Message----
From: John Bradley <ve7jtb at ve7jtb.com>
To: "Hjelm, Bjorn" <Bjorn.Hjelm at VerizonWireless.com>, Nat Sakimura <n-sakimura at nri.co.jp>
CC: Openid-specs-mobile-profile at lists.openid.net <Openid-specs-mobile-profile at lists.openid.net>
Date: Fri May 12 15:06:50 JST 2017
Sub: RE: [E] [Openid-specs-mobile-profile] CIBA - Backchannel Authentication Endpoint and OIDC request object endpoint

> The CIBA spec requires client authentication at the token endpoint. That could include JWT authentication.
> 
> There is an alternate proposal using a signed JWT to the token endpoint in the JWT assertion flow.
> 
> It may be that the OAuth JAR is a compromise between the two.
> 
> We have the question of why HTTP basic authentication is bad and whether asymmetric authentication, more in line with FAPI’s requirements for banks’ authentication of clients, should be required.
> 
> If in the discussion today there is agreement that the request should be a signed JWT, then the finer points of what endpoint it is posted to and what is returned can be considered.
> 
> Performance is a concern.
> 
> I think the goal is to have one POST by the client that returns an artifact for polling, or triggers a post back.
> 
> Fitting a request by JAR into that may not be a perfect fit for the flow, as it currently requires a redirect of the user to the authorization endpoint with the artifact. In the backchannel the extra call won't have any value.
> 
> A possibility is to have a new backchannel authorization endpoint like the device flow, but require the authorization request to be a JAR, and skip the separate client authentication. It would then return an artifact for polling or the IdP postback.
> 
> Let's see how the conversation goes today.
> 
> John B.
> 
> 
> From: Hjelm, Bjorn<mailto:Bjorn.Hjelm at VerizonWireless.com>
> Sent: May 12, 2017 7:53 AM
> To: Nat Sakimura<mailto:n-sakimura at nri.co.jp>
> Cc: Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>; John Bradley<mailto:ve7jtb at ve7jtb.com>
> Subject: Re: [E] [Openid-specs-mobile-profile] CIBA - Backchannel Authentication Endpoint and OIDC request object endpoint
> 
> Nat,
> I don't see a reason why we wouldn't address this in MODRNA WG but I'll let John and authors of the CIBA specification share their view as well.
> 
> BR
> Bjorn
> 
> On May 12, 2017, at 7:41 AM, Nat Sakimura <n-sakimura at nri.co.jp<mailto:n-sakimura at nri.co.jp>> wrote:
> Hi
> 
> OIDC core defines request_uri. It does not define a particular way of setting up the endpoint that receives request object but just says that it needs to save the request object.
> 
> CIBA’s Backchannel Authentication Endpoint is very close to it except that it is not accepting the signed JWS.
> FAPI Part 2 defined an endpoint at the AS that saves the request object.
> See https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md?at=master&fileviewer=file-view-default#markdown-header-7-request-object-endpoint
> John and I were talking of propagating it to OAuth JAR as well.
> 
> I kind of feel that these can be harmonized. Is there any appetite to do so in Modrna WG?
> 
> 

