[Openid-specs-mobile-profile] [E] Re: Feedback on CIBA
Hjelm, Bjorn
Bjorn.Hjelm at VerizonWireless.com
Wed Jun 6 21:40:26 UTC 2018
Adding MODRNA list and John.
-----Original Message-----
From: Mike Schwartz [mailto:mike at gluu.org]
Sent: Wednesday, June 06, 2018 2:25 PM
To: Hjelm, Bjorn
Cc: gonzalo.fernandezrodriguez at telefonica.com; F.Walter at telekom.de; axel.nennker at telekom.de
Subject: [E] Re: Feedback on CIBA
Bjorn,
Here are a few comments, which you might have discussed already in the
workgroup:
1. You are introducing new client and OP metadata, for example
"client_notification_endpoint", which is kind of buried in the details.
The OpenID Connect federation spec by Roland also adds both client and
OP metadata. He defines it, and then incorporates it explicitly. For
example:
http://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5.1
2. In section 6.4, "Token Error Response", there is no way for the user
to fix the error if the back channel communication fails. Although you
are kicking off the authentication via backchannel, if the user can
switch to front channel, she may be able to resolve a problem. For this
reason, I would suggest you define a "claims_gathering_endpoint" which
can be returned to the client, and in which the user could then interact
with the AS. Your claims gathering endpoint could be like an airline
quickcode. For example, if I'm working with airline ABC, then the agent
could tell me to direct my browser to https://abc.com/ciba/G5JQ2. Then
you have a lot more options to fix the problem (especially if this
claims gathering endpoint is on the OP, and you could put the subject
through a multi-step authentication workflow).
I think that's it. The Gluu Server will add support for CIBA in the next
version (the one coming out towards year end).
- Mike
------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike/
On 2018-05-31 12:52, George Fletcher wrote:
> Thanks! I have a lot of spec reviewing to do in the next few days:)
> Lots happening in the OAuth group as well.
>
> On Thu, May 31, 2018 at 12:38 PM Hjelm, Bjorn
> <Bjorn.Hjelm at verizonwireless.com> wrote:
>
>> As we’re trying to finalize the CIBA [1] specification, any input
>> or concerns (security or otherwise) on the specification or open
>> issues [2] would be greatly appreciated. Issue #22 [3] (in terms of
>> authorization context) in the issue tracker may also be of interest
>> to you.
>>
>> You may also be interested in reviewing the FAPI Profile of CIBA
>> [4].
>>
>> BR,
>> Bjorn
> --
>
> Identity Standards Architect
> Identity Services Engineering, Oath Inc.
> Mobile:+1-703-462-3494 Office:+1-703-265-2544
>
> Links:
> ------
> [1] http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html
> [2] https://bitbucket.org/openid/mobile/issues?status=new&status=open&component=CIBA
> [3] https://bitbucket.org/openid/mobile/issues/22/service-provider-wants-to-get
> [4] https://bitbucket.org/openid/fapi/src/0c0a423ce1908cc68aa48a4da60665c824b04a8d/Financial_API_WD_CIBA.md?at=master&fileviewer=file-view-default