[Openid-specs-mobile-profile] Issue #66: CIBA notification mode to be notification only (openid/mobile)
issues-reply at bitbucket.org
Thu Jul 12 17:30:19 UTC 2018
New issue 66: CIBA notification mode to be notification only
Change the CIBA notification mode to not directly deliver the token(s) but
rather to inform the client that they can go and fetch the token(s).
This normalizes the means of the client obtaining tokens in all cases to it making a request to the token endpoint, which is a well established pattern. And keeping token delivery at the token endpoint simplifies things in situations where tokens are bound to client keys (like with MTLS and Token Binding for example). I can't say that it's really that much more secure. But I can say that it's not introducing a completely new mechanism of token delivery for which the security properties likely aren't as well understood and haven't been evaluated at by as many people.
Some list discussion on the topic:
Was also discussed on the July 10th 2018 MODRNA WG call:
More information about the Openid-specs-mobile-profile