[Openid-specs-mobile-profile] [E] Re: Feedback on CIBA

Hjelm, Bjorn Bjorn.Hjelm at VerizonWireless.com
Wed Jun 6 21:40:26 UTC 2018


Adding MODRNA list and John.

-----Original Message-----
From: Mike Schwartz [mailto:mike at gluu.org] 
Sent: Wednesday, June 06, 2018 2:25 PM
To: Hjelm, Bjorn
Cc: gonzalo.fernandezrodriguez at telefonica.com; F.Walter at telekom.de; axel.nennker at telekom.de
Subject: [E] Re: Feedback on CIBA

Bjorn,

Here are a few comments, which you might have discussed already in the 
workgroup:

1. You are introducing new client and OP metadata, for example 
"client_notification_endpoint", which is kind of buried in the details. 
The OpenID Connect federation spec by Roland also adds both client and 
OP metadata. He defines it, and then incorporates it explicitly. For 
example:
http://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5.1

2. In section 6.4. "Token Error Response", there is no way for the user 
to fix the error if the back channel communication fails. Although you 
are kicking off the authentication via backchannel, if the user can 
switch to front channel, she may be able to resolve a problem. For this 
reason, I would suggest you define a "claims_gathering_endpoint" which 
can be returned to the client, and in which the user could then interact 
with the AS. Your claims gathering endpoint could be like an airline 
quickcode. For example, if I'm working with airline ABC, then the agent 
could tell me to direct my browser to https://abc.com/ciba/G5JQ2. Then 
you have a lot more options to fix the problem (especially if this 
claims gathering endpoint is on the OP, and you could put the subject 
through a multi-step authentication workflow).

I think that's it. The Gluu Server will add support for CIBA in the next 
version (the one coming out towards year end).

- Mike


------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike/

On 2018-05-31 12:52, George Fletcher wrote:
> Thanks! I have a lot of spec reviewing to do in the next few days:)
> Lots happening in the OAuth group as well.
> 
> On Thu, May 31, 2018 at 12:38 PM Hjelm, Bjorn
> <Bjorn.Hjelm at verizonwireless.com> wrote:
> 
>> As we’re trying to finalize the CIBA [1] specification, any input
>> or concerns (security or otherwise) on the specification or open
>> issues [2] would be greatly appreciated. Issue #22 [3] (in terms of
>> authorization context) in the issue tracker may also be of interest
>> to you.
>> 
>> You may also be interested in reviewing the FAPI Profile of CIBA
>> [4].
>> 
>> BR,
>> Bjorn
>  --
> 
> Identity Standards Architect
> Identity Services Engineering, Oath Inc.
> Mobile:+1-703-462-3494  Office:+1-703-265-2544
> 
> Links:
> ------
> [1]
> http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html
> [2]
> https://bitbucket.org/openid/mobile/issues?status=new&status=open&component=CIBA
> [3]
> https://bitbucket.org/openid/mobile/issues/22/service-provider-wants-to-get
> [4]
> https://bitbucket.org/openid/fapi/src/0c0a423ce1908cc68aa48a4da60665c824b04a8d/Financial_API_WD_CIBA.md?at=master&fileviewer=file-view-default
