[Openid-specs-mobile-profile] Issue #68: CIBA error response inconsistent from the Backchannel Authentication Endpoint (openid/mobile)
issues-reply at bitbucket.org
Thu Jul 12 18:22:39 UTC 2018
New issue 68: CIBA error response inconsistent from the Backchannel Authentication Endpoint
In two places in the Authentication Request Validation section of CIBA, there is text that says the OpenID Provider MUST return error response per Section 220.127.116.11 of [OpenID.Core]. However, Section 18.104.22.168 of OpenID.Core defines returning errors to the client by redirecting the browser to the client's redirect_uri. When one reads this literally (and that happens with specs!), the MUST there is rather nonsensical because the CIBA Authentication Request is a direct HTTP POST from the client to the OP/AS.
Those two occurrences should probably be updated to point to the Authentication Error Response section in CIBA (§11 in bitbucket / §6.5 in the published version) that better defines errors from the Backchannel Authentication Endpoint. I rather suspect that's the intent of the draft and the problematic MUSTs are just an oversight.
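As an added illustration (not code from the issue author or from the CIBA draft) of the distinction the issue draws: the Backchannel Authentication Endpoint answers a direct HTTP POST, so a validation failure is reported in that HTTP response as a status code plus JSON body, never as a browser redirect to redirect_uri. It assumes the form body is already parsed into a dict, that client authentication has already succeeded, and that the 400 + {"error", "error_description"} shape and the "exactly one hint" rule are the ones from the CIBA error-response and request-validation sections the issue refers to.

```python
import json
import secrets

# Illustrative validator for a CIBA backchannel authentication request.
# Assumption: the POST form body has already been parsed into a dict of
# strings and the client has already authenticated at this endpoint.
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")

JSON_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store"}


def direct_error(error, description, status=400):
    """Build the direct (non-redirect) error response: HTTP status + JSON body."""
    body = {"error": error, "error_description": description}
    return {"status": status, "headers": dict(JSON_HEADERS), "body": json.dumps(body)}


def handle_backchannel_request(form):
    """Validate the request; return a success or direct error response dict."""
    # scope is required and must contain openid.
    if "openid" not in form.get("scope", "").split():
        return direct_error("invalid_scope", "scope must include openid")
    # Exactly one way of identifying the end-user must be present.
    hints = [p for p in HINT_PARAMS if p in form]
    if len(hints) != 1:
        return direct_error(
            "invalid_request",
            "exactly one of login_hint_token, id_token_hint or login_hint is required")
    # requested_expiry, when present, must be a positive integer.
    expiry = form.get("requested_expiry")
    if expiry is not None and (not expiry.isdigit() or int(expiry) <= 0):
        return direct_error("invalid_request", "requested_expiry must be a positive integer")
    # Success: hand back a fresh auth_req_id (constructed here) for the client to poll with.
    body = {"auth_req_id": secrets.token_urlsafe(32), "expires_in": 120, "interval": 5}
    return {"status": 200, "headers": dict(JSON_HEADERS), "body": json.dumps(body)}
```

Note that no response carries a Location header: there is no browser in the exchange to redirect.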