[Openid-specs-mobile-profile] Issue #210: Use of eKYC-IDA spec with CIBA/FAPI-CIBA (openid/mobile)
Bjorn Hjelm
issues-reply at bitbucket.org
Wed Oct 26 18:50:16 UTC 2022
New issue 210: Use of eKYC-IDA spec with CIBA/FAPI-CIBA
https://bitbucket.org/openid/mobile/issues/210/use-of-ekyc-ida-spec-with-ciba-fapi-ciba
Bjorn Hjelm:
This is a replica of eKYC-IDA issue #[1321](https://bitbucket.org/openid/ekyc-ida/issues/1321/use-of-ekyc-ida-spec-with-ciba-fapi-ciba) as part of transitioning the issue to the MODRNA WG.
The [CIBA spec](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html) & [identity assurance specs](https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html) don’t currently work together - the identity assurance defines extra members for the ‘claims’ request parameter defined in OpenID Connect Core, but CIBA doesn’t have the `claims` request parameter so there’s currently no way to request `verified_claims` using CIBA. There probably should be. \[Technically requesting verified claims via scopes as per [https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html#section-6.6](https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html#section-6.6) still works, but you lose the full expressivity of the ida requests.\]
Nat initially suggested to my colleagues that this could perhaps be solved somehow in the FAPI-CIBA spec, but when it was raised with the FAPI WG \( [https://bitbucket.org/openid/fapi/issues/540/use-of-ekyc-ida-spec-with-ciba-fapi-ciba](https://bitbucket.org/openid/fapi/issues/540/use-of-ekyc-ida-spec-with-ciba-fapi-ciba) \) it was suggested it was looked at by the ekyc working group instead.
Note that the same problem likely affects using the “advanced syntax for claims” spec with CIBA too.
Responsible: Dave Tonge
More information about the Openid-specs-mobile-profile
mailing list