CIBA - Signature for successful token notification

Issue #117 resolved
Dave Tonge created an issue

In the CIBA spec, the AS sends a payload similar to the Successful Token Response in OIDC. The connection is authenticated using a bearer token provided by the client.

The CIBA spec is a profile of OIDC and therefore requires an ID Token to be sent in this payload.

Should this ID Token contain an at_hash claim so that the client can be assured of the payload integrity?

If an at_hash claim is included, should there also be an rt_hash?

The current draft requires an at_hash.

Comments (8)

  1. Dave Tonge reporter

    We discussed that this requirement would be good to go into the main CIBA spec - I'll send an email to both working groups about this.

  2. Joseph Heenan

    As far as I can see this got added to the CIBA core spec before the implementers draft vote, https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.3.1 says, for push mode:

    In order to bind together the ID Token, the Access Token and the auth_req_id, the OP MUST include the hash value of the Access Token and the auth_req_id within the ID Token using the at_hash and urn:openid:params:jwt:claim:auth_req_id claims respectively. In case a Refresh Token is sent to the Client, the hash value of it MUST also be added to the ID token using the urn:openid:params:jwt:claim:rt_hash claim.

    Checking the current FAPI-CIBA draft, it correctly doesn’t mention anything in this area, as the core spec covers everything that is needed.

    Assuming I've not missed anything, I believe this ticket can just be closed.
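
The binding quoted above from CIBA core section 10.3.1, worked through as an added example (this code is not from the thread, the FAPI drafts or the CIBA spec). It computes at_hash and rt_hash the way OIDC Core defines at_hash (left-most half of the hash named by the ID Token's alg, base64url without padding), shows the OP adding the three binding claims to the ID Token in push mode, and shows the client checking them against the pushed payload. Assumptions: the pushed payload uses the field names auth_req_id, access_token and refresh_token; the ID Token's signature, iss, aud and exp have already been verified before this check runs; the token values, issuer and client id are constructed for the example.

```python
import base64
import hashlib
import hmac

# Claim names defined by OpenID CIBA Core 1.0, section 10.3.1 (push mode).
AUTH_REQ_ID_CLAIM = "urn:openid:params:jwt:claim:auth_req_id"
RT_HASH_CLAIM = "urn:openid:params:jwt:claim:rt_hash"

# Hash function implied by the ID Token's JOSE "alg" (OIDC Core at_hash rule:
# the hash used is the one named in alg, e.g. RS256 -> SHA-256).
_HASH_BY_ALG_SUFFIX = {"256": "sha256", "384": "sha384", "512": "sha512"}


def hash_alg_for_jws_alg(alg: str) -> str:
    """Return the hashlib name for an RS/ES/PS/HS JWS alg; reject anything else
    (e.g. EdDSA names no hash, so the client must not guess one)."""
    if len(alg) >= 5 and alg[:2] in ("RS", "ES", "PS", "HS"):
        name = _HASH_BY_ALG_SUFFIX.get(alg[2:5])
        if name:
            return name
    raise ValueError(f"cannot derive token hash algorithm from alg {alg!r}")


def token_hash(token: str, alg: str) -> str:
    """at_hash / rt_hash value: base64url (no padding) of the left-most half of
    the hash of the ASCII octets of the token string."""
    digest = hashlib.new(hash_alg_for_jws_alg(alg), token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def bind_id_token_claims(claims: dict, payload: dict, alg: str) -> dict:
    """OP side: add the binding claims CIBA core requires in push mode.
    rt_hash is only added when a refresh token is actually sent."""
    bound = dict(claims)
    bound["at_hash"] = token_hash(payload["access_token"], alg)
    bound[AUTH_REQ_ID_CLAIM] = payload["auth_req_id"]
    if "refresh_token" in payload:
        bound[RT_HASH_CLAIM] = token_hash(payload["refresh_token"], alg)
    return bound


def check_push_binding(header: dict, claims: dict, payload: dict) -> list:
    """Client side: return the names of the binding checks that failed (an empty
    list means the pushed tokens are the ones this ID Token vouches for).
    Assumes signature, iss, aud and exp were verified before calling this."""
    alg = header["alg"]
    failures = []
    expected_at = token_hash(payload["access_token"], alg)
    if not hmac.compare_digest(claims.get("at_hash") or "", expected_at):
        failures.append("at_hash")
    if claims.get(AUTH_REQ_ID_CLAIM) != payload["auth_req_id"]:
        failures.append("auth_req_id")
    if "refresh_token" in payload:
        expected_rt = token_hash(payload["refresh_token"], alg)
        if not hmac.compare_digest(claims.get(RT_HASH_CLAIM) or "", expected_rt):
            failures.append("rt_hash")
    return failures


# Constructed sample push-mode payload; all values are made up for this example.
SAMPLE_ALG = "PS256"
SAMPLE_PAYLOAD = {
    "auth_req_id": "1c266114-a1be-4252-8ad1-04986c5b9ac1",
    "access_token": "G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN",
    "refresh_token": "4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16",
    "token_type": "Bearer",
    "expires_in": 120,
}
SAMPLE_HEADER = {"alg": SAMPLE_ALG, "typ": "JWT"}
SAMPLE_BASE_CLAIMS = {"iss": "https://op.example", "aud": "client-1", "sub": "248289761001"}


def demo() -> dict:
    """Bind the claims as the OP would, then check them as the client would:
    once against the genuine payload, once with the access token swapped."""
    claims = bind_id_token_claims(SAMPLE_BASE_CLAIMS, SAMPLE_PAYLOAD, SAMPLE_ALG)
    swapped = dict(SAMPLE_PAYLOAD, access_token="attacker-substituted-token")
    return {
        "genuine": check_push_binding(SAMPLE_HEADER, claims, SAMPLE_PAYLOAD),
        "swapped_access_token": check_push_binding(SAMPLE_HEADER, claims, swapped),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': [], 'swapped_access_token': ['at_hash']}
```

The point of deriving the hash from the ID Token's own alg, rather than hard-coding SHA-256, is that a PS384 or ES512 OP produces a longer at_hash; a client that assumes SHA-256 would reject every genuine payload from such an OP, and a client that skips the check altogether cannot tell a genuine pushed token from one substituted by whoever can reach its notification endpoint with the right bearer token.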
