CIBA - authentication methods and proof of possession

The FAPI CIBA profile should require a signed request object for authentication to the backchannel authentication endpoint (it is recommended in the main CIBA spec). The draft should be adjusted to reflect this.

Where MTLS is used to provide proof of possession semantics for tokens, a note should be added requiring that the signed request object is sent over a mutual TLS connection. This is not for the purpose of authenticating the client, but for the purpose of giving the AS the attributes it needs to issue sender-constrained tokens.
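The two roles the description separates, the signed request object that authenticates the client to the backchannel authentication endpoint and the mTLS connection that supplies the certificate the AS binds the token to, as an added illustration that is not part of this issue or of any FAPI WG draft. The signing uses HMAC-SHA256 only as a stand-in for the asymmetric algorithms FAPI actually requires, and the issuer, client id, key and certificate bytes are all constructed values; the `x5t#S256` thumbprint is computed as RFC 8705 defines it, base64url of the SHA-256 over the DER certificate.

```python
"""CIBA backchannel authentication request as a signed request object,
received over mutual TLS, with the AS deriving a sender-constrained binding.
Added example, not code from the issue or from any FAPI WG draft.
HMAC-SHA256 stands in for the asymmetric signature FAPI mandates; all
identifiers, keys and certificate bytes below are constructed."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://as.example"                      # assumed AS issuer identifier
CLIENT_ID = "client-123"                           # constructed client id
CLIENT_KEY = b"constructed-signing-key"            # stand-in for the client's signing key
CLIENT_CERT_DER = b"\x30\x82constructed-der-bytes"  # constructed, not a real certificate
SEEN_JTI = set()                                   # replay cache for request object ids


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Compact JWS over the request claims (HS256 stand-in for PS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_ciba_request(now: int) -> str:
    """Client side: the backchannel authentication request as a signed request object."""
    claims = {
        "iss": CLIENT_ID,
        "aud": ISSUER,
        "iat": now,
        "nbf": now,
        "exp": now + 300,
        "jti": secrets.token_urlsafe(16),
        "scope": "openid payments",
        "login_hint": "user@example",          # constructed hint
        "client_notification_token": secrets.token_urlsafe(32),
    }
    return sign_request_object(claims, CLIENT_KEY)


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 per RFC 8705: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def as_handle_backchannel_request(request_jwt: str, client_cert_der, now: int) -> dict:
    """AS side: authenticate via the request object signature, then take the
    sender-constraint material from the mTLS connection's client certificate."""
    if client_cert_der is None:
        # No mTLS certificate: the AS has nothing to bind the token to.
        return {"error": "missing mTLS client certificate"}
    try:
        h, p, s = request_jwt.split(".")
    except ValueError:
        return {"error": "malformed request object"}
    expected = hmac.new(CLIENT_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return {"error": "bad request object signature"}
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != CLIENT_ID or claims.get("aud") != ISSUER:
        return {"error": "wrong iss or aud"}
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return {"error": "request object not valid at this time"}
    if claims.get("jti") in SEEN_JTI:
        return {"error": "replayed request object"}
    SEEN_JTI.add(claims["jti"])
    # Tokens later issued for this auth_req_id carry the certificate thumbprint,
    # so they are usable only over a connection presenting that certificate.
    return {
        "auth_req_id": secrets.token_urlsafe(16),
        "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},
    }
```

The point the description makes is visible in the split: the signature check settles who the client is, while the `cnf` value comes only from the certificate presented on the connection, so a request object delivered without mTLS is rejected rather than producing an unconstrained token.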
Comments (7)
reporter: No change to CIBA required, right?

- changed status to open
- changed component to CIBA

reporter: No changes to CIBA. We discussed that the guidance around this should probably be added to the https://tools.ietf.org/html/draft-ietf-oauth-token-binding-05 spec. In the meantime, I'll update the FAPI CIBA draft.

reporter: I've updated the spec; it would be good to get feedback on the new wording.

reporter - changed status to resolved: This issue is out of date and no longer relevant.