<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi All,</p>
<p>To extend James's comments, some additional comments:</p>
<p>Concerning the Use Cases,<br>
</p>
<pre>A call center agent wants to authenticate a caller.</pre>
<p>A major difference between CIBA and the OpenID Connect Core flows is
that potentially there is no consumption device (for the SP) in
that case. In this specific case, there is an additional
requirement: the SP needs to already know the pair (sub/iss)
for the user to be authenticated... otherwise, in the case of a new user,
federation with an existing account is not possible (because
no user agent is available). This raises the question of the
first authentication of a specific user at that SP, or, reformulated:
"How does the SP discover/learn the pair sub/iss for a specific
user?".</p>
<pre>A bank wants to authenticate a customer.</pre>
<p>What is the difference between this one and the first one?</p>
<p>BR,</p>
<p>Charles.</p>
<div class="moz-cite-prefix">On 30/11/2016 at 07:42, Manger, James
wrote:<br>
</div>
<blockquote
cite="mid:SYXPR01MB1615DC47265900D76E1DCF8FE58C0@SYXPR01MB1615.ausprd01.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoPlainText">Comment on OpenID Connect MODRNA Client
initiated Backchannel Authentication Flow 1.0
&lt;draft-mobile-client-initiated-backchannel-authentication-01&gt;:</p>
<ol>
<li>[4.1] Client authentication to the CIBA endpoint is as per the
token endpoint (eg with client creds), not as per an RS such as the
UserInfo endpoint (eg with an access token). Good or Bad? I’m not
certain.</li>
<li>The spec doesn’t indicate how the CIBA endpoint can be discovered
from OP metadata.</li>
</ol>
<p class="MsoPlainText">Mainly editorial:</p>
<ol>
<li>[Abstract] The abstract is too long with too much background and
the intro too short. Swap them over. The abstract would be better as
1 paragraph on what CIBA delivers, while the intro can explain the
relationship of other OpenID Connect flows.</li>
<li>[intro] CIBA isn’t “an authentication flow of the [OIDC] Core 1.0
specification”. Perhaps describe it as an extension of OIDC.</li>
<li>[3.1] specifiy → specify</li>
<li>[3.1] Move the “registration at the OP” sentence from
3<sup>rd</sup> paragraph to the first, deleting the poorer duplicates
in the 1<sup>st</sup> para.</li>
<li>[3.2] The bank example doesn’t have enough (any) context. How
about: “A bank teller wants to authenticate a customer in a bank
branch” — so it is using CIBA for auth in a face-to-face
scenario.</li>
<li>[4.1] Don’t say a CIBA request is an OAuth 2.0 authz request,
because it is different (it doesn’t redirect the user, and uses JSON
not x-www-form-urlencoded). Say it uses some of the same parameters
as an OAuth 2.0 (or OIDC) auth request.</li>
<li>[4.1] “scope” parameter: put the “openid” scope value in
quotes.</li>
<li>[4.1] Add a blank line between HTTP headers and the body.</li>
<li>[4.2] Fix grammar around “and is not expired”.</li>
<li>[4.3] Should the min polling interval be expressed in
milliseconds, instead of seconds, which is almost too coarse?</li>
<li>[5] Don’t start by saying “once the end-user is authenticated”.
Need some words about that being done, eg "The OP authenticates the
user identified by the client. How this occurs is up to the OP, and
is out-of-scope of this specification."; might need to mention
acr_values.</li>
<li>[6.1] The example’s body syntax is wrong (strange mix of part
JSON, part x-www-form-urlencoded).</li>
<li>[4.3, 6.2] Drop the Pragma headers. I don’t think the
Cache-Control headers help either as POSTs are not cacheable by
default anyway.</li>
<li>[7] Mention the risk to an OP of accepting arbitrary URIs for the
client notification endpoint that it will later call. At least need
to check it doesn’t point “inside” the OP’s network.</li>
<li>[6.3.2] OAuth 2.0 uses “access_token” (&amp; “token_type”) to
deliver a bearer token that the other party then uses. Might be
better to use the same names, instead of using “client_req_id” to
deliver a bearer token.</li>
<li>[heading] The spec is dated “Aug 18, 2016”; should update that
with each commit.</li>
</ol>
<p class="MsoPlainText">--</p>
<p class="MsoPlainText">James Manger</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Openid-specs-mobile-profile mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a>
</pre>
</blockquote>
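<p>James's point 14 above (the OP must not blindly accept a client notification endpoint URI that it will later POST to) is the classic server-side request forgery shape. The following is an added editorial example, not code from the draft or from either author: an OP-side check that accepts only <code>https</code> URIs, resolves the hostname once, rejects any address that is loopback, private, link-local or otherwise inside the OP's own network, and hands back the pinned addresses so the later notification POST can connect to exactly what was vetted rather than re-resolving. The resolver is injected, the <code>OP_INTERNAL_NETWORKS</code> policy and the sample hostnames/addresses are constructed for illustration.</p>

```python
"""Validate a CIBA client notification endpoint before the OP stores it.

Added example, not code from the draft or from the mailing-list thread.
The hostname is resolved once, every address is checked against
loopback / private / link-local ranges and the OP's own ranges, and the
caller gets the pinned addresses back so the later POST can use them
rather than re-resolving (which would reopen a DNS-rebinding window).
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed policy: the OP's own deployment ranges, in addition to the
# well-known non-public ranges that the ipaddress module already flags.
OP_INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata services
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_blocked_address(addr):
    """True if addr must never be a notification target for this OP."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is really 10.0.0.1; check the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved):
        return True
    return any(ip in net for net in OP_INTERNAL_NETWORKS)


def validate_notification_endpoint(url, resolve):
    """Return (True, pinned_addresses) or (False, reason).

    `resolve(hostname)` returns the list of IP address strings for the
    host; it is injected so the check runs offline in tests and so the
    caller controls (and can pin) the resolution used for the later POST.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    if parts.fragment:
        return False, "fragment is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:
        # Literal IP in the URL: no DNS needed, check it directly.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        return False, "hostname does not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, addresses


if __name__ == "__main__":
    # Constructed resolver: stands in for DNS so the example runs offline.
    fake_dns = {"rp.example.com": ["93.184.216.34"],
                "evil.example.net": ["10.1.2.3"]}
    resolver = lambda h: fake_dns.get(h, [])
    for u in ["https://rp.example.com/ciba/notify",
              "http://rp.example.com/ciba/notify",
              "https://evil.example.net/ciba/notify",
              "https://169.254.169.254/latest/meta-data/",
              "https://[::ffff:10.0.0.1]/notify",
              "https://localhost/notify"]:
        print(u, "->", validate_notification_endpoint(u, resolver))
```

<p>Two design points worth keeping in a real OP: do the check at client registration time and again immediately before each notification call (a client may re-register, and DNS may change), and connect the notification POST to the pinned addresses returned here with the original hostname kept for TLS verification, so that a hostname which resolved to a public address at check time cannot be rebound to an internal one a second later.</p>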
<br>
<div class="moz-signature">-- <br>
<font face="TIMES"><font size="2">
<img src="cid:part1.EC0C0AA8.44E59F15@orange.com"><br>
<font color="BLACK">
<br>
<b> MARAIS Charles </b><br>
<b> Orange Labs Lannion</b></font><br>
Tel : +33 (0)2 96 07 24 18 <br>
<a href="mailto:charles.marais@orange.com">charles.marais@orange.com</a><br>
Orange Labs Lannion <br>
2, avenue Pierre Marzin <br>
22307 LANNION Cedex - France
<br>
<br>
<br>
</font></font></div>
<PRE>_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
</PRE></body>
</html>