[Openid-specs-mobile-profile] CIBA Client Authenticaiton Amsterdam

GONZALO FERNANDEZ RODRIGUEZ gonzalo.fernandezrodriguez at telefonica.com
Mon May 15 08:45:47 UTC 2017


Hi Axel,

I have just read it and I think that it was what we agreed, only pointing out that in the sentence “If the value of the signatures’s “alg” parameter is “none” then another method of Client authentication MUST be used as described in Section 9…. I think we should add the case where the Request object is not used as well, in order to clarify that not only requests using the “Request Objetc” must be authenticated but also those using query parameters.

More or less, something like this…
 If the value of the signature’s “alg” parameter is “none” or the Request object is not used. then another method of Client authentication MUST be used as described in Section 9 on [OpenID.Core]<https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>. CIBA is allowing the same Client authentication methods for the Authorization Endpoint that OpenID.Core uses for the Token Endpoint.

What do you reckon?

Best,
Gonza.

From: Openid-specs-mobile-profile <openid-specs-mobile-profile-bounces at lists.openid.net<mailto:openid-specs-mobile-profile-bounces at lists.openid.net>> on behalf of "Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>" <Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>>
Date: viernes, 12 de mayo de 2017, 13:24
To: "Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>" <Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>>
Subject: [Openid-specs-mobile-profile] CIBA Client Authenticaiton Amsterdam

Hi all,

I added clarification to CIBA regarding Client Authentication

1)            The Client MUST be authenticated
2)            The Client SHOULD use a signed OpenID Connect Request object (alg != none)
3)            The OP MUST support signed OpenID Connect Requests objects and if the validation of the signature fails the request MUST fail.
If alg == none another method of Client authentication MUST be used as per 1)

The commit is here: https://bitbucket.org/openid/mobile/commits/84bbedb432fe511fa6cc38bbeae2eb56c9d40727

The latest version as always is here:
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default

WDYT?

Cheers
Axel


Deutsche Telekom AG
T-Labs (Research & Innovation)
Dipl.-Inform. Axel Nennker
Winterfeldtstr. 21, 10781 Berlin
+491702275312 (Mobile)
E-Mail: axel.nennker at telekom.de<mailto:axel.nennker at telekom.de>


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170515/bc48909d/attachment.html>


More information about the Openid-specs-mobile-profile mailing list