[Openid-specs-mobile-profile] Issue #73: CIBA client authentication to the Backchannel Authentication Endpoint inconsistent/contradictory (openid/mobile)
issues-reply at bitbucket.org
Thu Jul 12 18:35:12 UTC 2018
New issue 73: CIBA client authentication to the Backchannel Authentication Endpoint inconsistent/contradictory
The CIBA draft in bitbucket in sec 7.1 (quoted below with similar bits from §7.2) says that the client authenticates to the Backchannel Authentication Endpoint using the authentication method registered for its client_id. This, of course, is also the same client authentication method used at the token endpoint. That's sensible and consistent with how client authentication has been done at other extension endpoints that the client makes direct requests to.
The text then goes on to say that the recommended authentication method is with a Signed Request Object. However, there is no OAuth client authentication method corresponding to a Signed Request Object or any signed request style client authentication method defined. So the text leaves the reader/implementer with a somewhat inconsistent and unworkable recommendation.
I'd argue that having the client authenticate to the Backchannel Authentication Endpoint using the authentication method registered for its client_id (and not just those defined by OpenID Core) is the appropriate thing for CIBA to specify. And that any requirements or options for signing the request payload (perhaps for non-repudiation) be treated as separate from general client authentication. Any such requirements or capabilities might also benefit from client and/or server metadata parameters defined for them.
The Client MUST authenticate to the Backchannel Authentication Endpoint
using the authentication method registered for its client_id.
The RECOMMENDED method to authenticate the Client is using an
OpenID Connect Signed Request Object as described in OpenID.Core.
If a Signed Request Object is not used for authentication then one of
the authentication methods of Section 9 of [OpenID.Core] should be used.
And from §7.2
Authenticate the Client.
The client SHOULD use a OpenID Connect Signed Request Object as
defined in Section 6.3.2 of [OpenID.Core]. Then that signature MUST be
validated and the Authentication Request MUST fail if the signature is
not valid. If the value of the signature's "alg" parameter is "none" then
another method of Client authentication MUST be used as described
in Section 9 on [OpenID.Core]. CIBA is allowing the same Client
authentication methods for the Authorization Endpoint that OpenID.Core
uses for the Token Endpoint.
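Added example, not code from the issue, the CIBA draft or any implementation: a stdlib-only model of a backchannel authentication endpoint that treats the two things the issue separates as two independent steps. Step 1 authenticates the client by the method registered for its client_id (here client_secret_jwt, one of the OpenID Core section 9 methods, carried as a client_assertion). Step 2, only if a request parameter is present, validates the signed request object (HS256 keyed with the client secret) and rejects alg "none". The endpoint URL, client_id, secret and request parameters are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
BC_AUTH_ENDPOINT = "https://as.example/bc-authorize"  # constructed placeholder
# Constructed registration: the AS records each client's authentication method.
CLIENTS = {"client-123": {"token_endpoint_auth_method": "client_secret_jwt",
                          "client_secret": b"constructed-client-secret"}}
_seen_jti = set()  # assertion replay cache (in-memory for the example)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWS, HS256, no external JWT library."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def jwt_unsigned(claims: dict) -> str:
    """An alg 'none' token, built only to show the endpoint refusing it."""
    return f"{_b64url(json.dumps({'alg': 'none'}).encode())}.{_b64url(json.dumps(claims).encode())}."


def _unverified_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def jwt_verify_hs256(token: str, secret: bytes, audience: str) -> dict:
    """Accept only HS256; check signature, aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("alg not acceptable")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    return claims


def build_request(client_id: str, secret: bytes, params: dict, sign_payload: bool) -> dict:
    """Form body the client POSTs: client authentication is always present,
    signing the request payload is a separate, optional step."""
    now = int(time.time())
    form = {"client_assertion_type": JWT_BEARER,
            "client_assertion": jwt_hs256({"iss": client_id, "sub": client_id, "aud": BC_AUTH_ENDPOINT,
                                           "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}, secret)}
    if sign_payload:
        form["request"] = jwt_hs256({**params, "iss": client_id, "aud": BC_AUTH_ENDPOINT,
                                     "iat": now, "exp": now + 60}, secret)
    else:
        form.update(params)
    return form


def handle_backchannel_auth(form: dict) -> tuple:
    """Step 1: authenticate the client by its registered method.
    Step 2: independently validate the payload (plain or signed request object)."""
    if form.get("client_assertion_type") != JWT_BEARER or "client_assertion" not in form:
        raise ValueError("client authentication missing")
    client_id = _unverified_claims(form["client_assertion"]).get("iss")
    reg = CLIENTS.get(client_id)
    if reg is None or reg["token_endpoint_auth_method"] != "client_secret_jwt":
        raise ValueError("unknown client or method not registered for it")
    assertion = jwt_verify_hs256(form["client_assertion"], reg["client_secret"], BC_AUTH_ENDPOINT)
    jti = assertion.get("jti")
    if assertion.get("sub") != client_id or not jti or jti in _seen_jti:
        raise ValueError("invalid or replayed client assertion")
    _seen_jti.add(jti)
    if "request" in form:  # signed payload: verify, then bind it to the authenticated client
        req = jwt_verify_hs256(form["request"], reg["client_secret"], BC_AUTH_ENDPOINT)
        if req.get("iss") != client_id:
            raise ValueError("request object issuer is not the authenticated client")
        params = {k: v for k, v in req.items() if k not in ("iss", "aud", "iat", "exp")}
    else:
        params = {k: v for k, v in form.items() if k not in ("client_assertion_type", "client_assertion")}
    if "scope" not in params:
        raise ValueError("scope required")
    return client_id, params


def is_rejected(form: dict) -> bool:
    try:
        handle_backchannel_auth(form)
    except ValueError:
        return True
    return False
```

The same client assertion authenticates the client whether or not the payload is signed; the request object, when present, is checked with its own validation and must name the already authenticated client as its issuer, so the signature on the payload never substitutes for client authentication.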