[Openid-specs-mobile-profile] Issue #69: CIBA's Backchannel Authentication Endpoint definition and metadata registration (openid/mobile)
issues-reply at bitbucket.org
Thu Jul 12 18:24:23 UTC 2018
New issue 69: CIBA's Backchannel Authentication Endpoint definition and metadata registration
CIBA introduces a new endpoint sometimes called Backchannel Authentication Endpoint and sometimes called bc-authorize (also kinda implying that bc-authorize should be the actual path, which is something that shouldn't be dictated by spec). The new endpoint should be introduced/described in the spec with a consistent name, and the spec should then define and register a new Authorization Server Metadata parameter for it that allows the AS to determine the endpoint URI and publish it in metadata. The OAuth 2.0 Device Flow does this with its Device Authorization Endpoint (in https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10#section-2 and https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10#section-4 and https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10#section-7.3) which is similar in many respects to CIBA's new endpoint and is a good pattern to follow.
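An added example, not part of the original message or of the CIBA spec: a client-side sketch of what the issue asks for, where the endpoint URI is read from the AS metadata instead of being derived from a fixed path such as bc-authorize. The metadata key `backchannel_authentication_endpoint`, the function name and the sample document are assumptions made for illustration; the issue itself does not name the parameter.

```python
import json
from urllib.parse import urlsplit

# Assumed key name: the issue proposes registering a parameter but does not name it.
CIBA_ENDPOINT_KEY = "backchannel_authentication_endpoint"


class MetadataError(ValueError):
    """Raised when the AS metadata cannot be trusted for endpoint discovery."""


def resolve_endpoint(metadata_json, expected_issuer, key=CIBA_ENDPOINT_KEY):
    """Return the endpoint URI the AS published under `key`, or raise."""
    meta = json.loads(metadata_json)
    if not isinstance(meta, dict):
        raise MetadataError("metadata is not a JSON object")
    # The document must describe exactly the issuer the client asked about,
    # otherwise another party's endpoints could be substituted.
    if meta.get("issuer") != expected_issuer:
        raise MetadataError("issuer mismatch")
    uri = meta.get(key)
    if not isinstance(uri, str) or not uri:
        # No guessing: never fall back to issuer + "/bc-authorize".
        raise MetadataError(f"{key} not published")
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError("endpoint must be an absolute https URI")
    if parts.fragment:
        raise MetadataError("endpoint must not contain a fragment")
    return uri


# Constructed sample metadata: the AS picks its own path for the endpoint.
SAMPLE = json.dumps({
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/oauth/token",
    "backchannel_authentication_endpoint": "https://as.example.com/oauth/ciba/start",
})

if __name__ == "__main__":
    print(resolve_endpoint(SAMPLE, "https://as.example.com"))
```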