[Openid-specs-mobile-profile] Feedback on CIBA

[Mike Schwartz]

MODRNA Group,

CIBA was discussed on the UMA WG call today. Eve has been working on a 
compare/contrast analysis between UMA and CIBA. And this discussion got 
me thinking a little more...

One point from Justin Richer was that you are sending tokens back to the 
Client Notification Endpoint. This is risky, as you are trusting DNS. 
UMA makes the client authenticate at the token endpoint to obtain the 
tokens. Pushing tokens was discussed and dismissed as lacking security. 
I'm surprised the Open Banking group was ok with this.

I also wonder if the response from the bc_authorize should include an 
id_token--I think it should be some other signed JWT assertion (with 
many of the claims present in an id_token). It seems weird to me to 
return an id_token to a client when the subject is not the person 
connected to the user agent.

IMHO, CIBA could be accomplished using UMA as the security mechanism, 
with bc_authorize as the RS (protected endpoint on the OP). Its request 
and response would be defined much as you did.

If you are starting from scratch, is it easier to implement CIBA with 
UMA for security, or CIBA plus it's one-off security model? Personally, 
I think UMA would be cheaper because we'd get more re-use.

If I get some time in the next week, I'll try to write up a draft of 
CIBA using UMA. HEART also uses UMA, so it's not unheard of for an 
OpenID WG to use it as part of a solution.

I know everyone wants to ship ASAP, so it's probably too late to bring 
this stuff up.

- Mike