[Openid-specs-mobile-profile] CIBA client authentication to the Backchannel Authentication Endpoint

Brian Campbell bcampbell at pingidentity.com
Mon Jul 9 15:39:52 UTC 2018


The CIBA draft in bitbucket
<https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/585e168fcc5d89bbb0e0908ecf2d7498982aac9f/draft-mobile-client-initiated-backchannel-authentication.xml>
in sec 7.1 (quoted below with similar bits from §7.2) says that the client
authenticates to the Backchannel Authentication Endpoint using the
authentication method registered for its client_id. This, of course, is
also the same client authentication method used at the token endpoint.
That's sensible and consistent with how client authentication has been done
at other extension endpoints that the client makes direct requests to.

The text then goes on to say that the recommended authentication method is
with a Signed Request Object. However, there is no OAuth client
authentication method corresponding to a Signed Request Object or any
signed request style client authentication method defined. So the text
leaves the reader/implementer with a somewhat inconsistent and unworkable
recommendation.

I'd argue that having the client authenticate to the Backchannel
Authentication Endpoint using the authentication method registered for its
client_id (and not just those defined by OpenID Core) is the appropriate
thing for CIBA to specify. And that any requirements or options for signing
the request payload (perhaps for non-repudiation) be treated as separate
from general client authentication. Any such requirements or capabilities
might also benefit from client and/or server metadata parameters defined
for them.


From §7.1:

> The Client MUST authenticate to the Backchannel Authentication Endpoint
> using the authentication method registered for its client_id. The
> RECOMMENDED method to authenticate the Client is using an OpenID Connect
> Signed Request Object
> <https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject>
> as described in OpenID.Core. If a Signed Request Object is not used for
> authentication then one of the authentication methods of Section 9 of
> [OpenID.Core]
> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>
> should be used.
>


And from §7.2

> Authenticate the Client.
> The client SHOULD use an OpenID Connect Signed Request Object
> <https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject>
> as defined in Section 6.3.2 of [OpenID.Core]
> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>.
> Then that signature MUST be validated and the Authentication Request MUST
> fail if the signature is not valid. If the value of the signature's "alg"
> parameter is "none" then another method of Client authentication MUST be
> used as described in Section 9 on [OpenID.Core]
> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#OpenID.Core>.
> CIBA is allowing the same Client authentication methods for the
> Authorization Endpoint that OpenID.Core uses for the Token Endpoint.
>

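To make the separation argued for in the message concrete, here is an added example (not code from the mailing-list post, from the CIBA draft, or from any OpenID implementation). It models a Backchannel Authentication Endpoint that first authenticates the client with the method registered for its client_id (client_secret_jwt from OpenID Core section 9 is used because HS256 needs only the Python standard library) and then, as an independent step, validates a signed request object if one was sent. A request object never substitutes for client authentication, an alg of "none" fails the request, and an assertion from a client registered for a different method is refused. The endpoint URL, the client registrations and secrets, and the "request" form parameter are assumptions made for the illustration.

```python
"""Added example: registered-method client authentication at the CIBA
Backchannel Authentication Endpoint, with request-object signing kept separate.
Endpoint URL, registrations, secrets and the "request" parameter are assumed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

BACKCHANNEL_ENDPOINT = "https://as.example.com/bc-authorize"  # assumed URL
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
REGISTERED_CLIENTS = {  # constructed registrations, keyed by client_id
    "client-a": {"token_endpoint_auth_method": "client_secret_jwt",
                 "secret": b"client-a-secret-constructed-for-this-example-32+"},
    "client-b": {"token_endpoint_auth_method": "client_secret_basic",
                 "secret": b"client-b-secret-constructed-for-this-example-32+"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Compact JWS, HS256: HMAC-SHA256 over base64url(header).base64url(payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Return the payload only if the HS256 signature verifies; alg=none is rejected."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(body_b64))


# ---- client side -------------------------------------------------------------
def build_backchannel_request(client_id: str, secret: bytes, login_hint: str,
                              scope: str, sign_payload: bool = False) -> dict:
    """Form parameters for a backchannel authentication request (constructed)."""
    now = int(time.time())
    # Client authentication proper: the same client_secret_jwt assertion the
    # client would present at the token endpoint under its registered method.
    assertion = jws_sign({"iss": client_id, "sub": client_id, "aud": BACKCHANNEL_ENDPOINT,
                          "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}, secret)
    form = {"client_assertion_type": JWT_BEARER, "client_assertion": assertion,
            "scope": scope, "login_hint": login_hint}
    if sign_payload:
        # Optional signed request object: a separate signature over the request
        # payload (integrity / non-repudiation), not a replacement for the above.
        form["request"] = jws_sign({"iss": client_id, "aud": BACKCHANNEL_ENDPOINT,
                                    "scope": scope, "login_hint": login_hint,
                                    "iat": now}, secret)
    return form


# ---- server side -------------------------------------------------------------
def authenticate_client(form: dict) -> str:
    """Step 1: authenticate with the method registered for the client_id, nothing else."""
    assertion = form.get("client_assertion")
    if form.get("client_assertion_type") != JWT_BEARER or not assertion:
        raise PermissionError("no client assertion presented")
    # The issuer is read unverified only to locate the registration; the
    # signature check against that registration's secret follows immediately.
    claimed_iss = json.loads(b64url_decode(assertion.split(".")[1])).get("iss")
    reg = REGISTERED_CLIENTS.get(claimed_iss)
    if reg is None or reg["token_endpoint_auth_method"] != "client_secret_jwt":
        raise PermissionError("assertion does not match the client's registered method")
    claims = jws_verify(assertion, reg["secret"])
    if claims.get("aud") != BACKCHANNEL_ENDPOINT or claims.get("exp", 0) < time.time():
        raise PermissionError("assertion not for this endpoint or expired")
    return claims["iss"]


def process_request(form: dict) -> tuple:
    """Authenticate first; then, independently, validate any signed request object."""
    client_id = authenticate_client(form)
    params = {k: v for k, v in form.items()
              if k not in ("client_assertion", "client_assertion_type", "request")}
    if "request" in form:
        # Step 2 is separate from step 1: a bad or alg=none request object fails
        # the request, but a good one never stands in for client authentication.
        obj = jws_verify(form["request"], REGISTERED_CLIENTS[client_id]["secret"])
        if obj.get("iss") != client_id or obj.get("aud") != BACKCHANNEL_ENDPOINT:
            raise ValueError("request object issuer/audience mismatch")
        params.update({k: v for k, v in obj.items() if k not in ("iss", "aud", "iat")})
    return client_id, params
```

Running process_request on a request built with sign_payload=True yields the authenticated client_id and the parameters taken from the verified request object; sending only a request object with no client assertion is refused before the object is even looked at, which is the behaviour the message argues CIBA should specify.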