CIBA - Signature for successful token notification
In the CIBA spec, the AS sends a payload similar to the Successful Token Response
in OIDC. The connection is authenticated using a bearer token provided by the client.
The CIBA spec is a profile of OIDC and therefore requires an ID Token to be sent in this payload.
Should this ID Token contain an at_hash claim so that the client can be assured of the payload integrity?
If an at_hash claim is included, should there also be an rt_hash?
The current draft requires an at_hash.
Comments (8)
reporter Current FAPI profile of CIBA: https://bitbucket.org/openid/fapi/src/89566993040c941cb1102ccddbac8de1adb8faed/Financial_API_WD_CIBA.md?at=master&fileviewer=file-view-default
In clause 5.2.2.10 we currently have this:
when sending a successful token notification shall include the access token hash, at_hash, in the ID Token;
reporter We discussed that this requirement would be good to go into the main CIBA spec - I'll send an email to both working groups about this.
- changed component to CIBA
- changed status to open
As far as I can see this got added to the CIBA core spec before the implementers draft vote, https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#rfc.section.10.3.1 says, for push mode:
In order to bind together the ID Token, the Access Token and the auth_req_id, the OP MUST include the hash value of the Access Token and the auth_req_id within the ID Token using the at_hash and urn:openid:params:jwt:claim:auth_req_id claims respectively. In case a Refresh Token is sent to the Client, the hash value of it MUST also be added to the ID token using the urn:openid:params:jwt:claim:rt_hash claim.
Checking the current FAPI-CIBA draft, it correctly doesn’t mention anything in this area, as the core spec covers everything that is needed.
Assuming I've not missed anything, I believe this ticket can just be closed.
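The binding described in the quoted push-mode text above, as an added example that is not part of this ticket or of either spec's own code: the client recomputes at_hash (and rt_hash when a Refresh Token is delivered) the way OpenID Connect Core defines token hashes (hash the ASCII octets of the token with the hash function implied by the ID Token's alg, keep the left-most half, base64url-encode without padding) and compares the result to the claims in the ID Token. The example assumes the urn:openid:params:jwt:claim:auth_req_id claim carries the auth_req_id value itself; the function names, the sample tokens and the sample auth_req_id are constructed for illustration. Signature, iss, aud and exp validation of the ID Token is assumed to have happened before these checks.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" (RS256 -> SHA-256, ES384 -> SHA-384, ...),
# following the OIDC Core rule for at_hash.
_DIGESTS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

AUTH_REQ_ID_CLAIM = "urn:openid:params:jwt:claim:auth_req_id"
RT_HASH_CLAIM = "urn:openid:params:jwt:claim:rt_hash"


def token_hash(token: str, id_token_alg: str) -> str:
    """OIDC Core style token hash used for at_hash and rt_hash:
    hash the ASCII octets, keep the left-most half, base64url without padding."""
    size = id_token_alg[-3:]
    if size not in _DIGESTS:
        raise ValueError(f"unsupported ID Token alg: {id_token_alg}")
    digest = _DIGESTS[size](token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def build_push_claims(access_token, auth_req_id, id_token_alg, refresh_token=None):
    """OP side (hypothetical helper): the binding claims the push notification's ID Token must carry."""
    claims = {
        "at_hash": token_hash(access_token, id_token_alg),
        AUTH_REQ_ID_CLAIM: auth_req_id,  # assumed: claim carries the auth_req_id value itself
    }
    if refresh_token is not None:
        claims[RT_HASH_CLAIM] = token_hash(refresh_token, id_token_alg)
    return claims


def _matches(claim_value, expected: str) -> bool:
    # Constant-time comparison; a missing or non-string claim never matches.
    if not isinstance(claim_value, str):
        return False
    return hmac.compare_digest(claim_value.encode("utf-8"), expected.encode("ascii"))


def verify_push_binding(id_token_claims, id_token_alg, access_token, auth_req_id, refresh_token=None):
    """Client side (hypothetical helper): returns a list of binding problems; empty means the
    Access Token, auth_req_id and (if present) Refresh Token are bound to this ID Token."""
    problems = []
    if not _matches(id_token_claims.get("at_hash"), token_hash(access_token, id_token_alg)):
        problems.append("at_hash missing or does not match the delivered Access Token")
    if id_token_claims.get(AUTH_REQ_ID_CLAIM) != auth_req_id:
        problems.append("auth_req_id claim missing or does not match the pending request")
    if refresh_token is not None and not _matches(
        id_token_claims.get(RT_HASH_CLAIM), token_hash(refresh_token, id_token_alg)
    ):
        problems.append("rt_hash missing or does not match the delivered Refresh Token")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    alg, at, rt, req = "PS256", "constructed-access-token", "constructed-refresh-token", "1c266114-a1be-4252"
    claims = build_push_claims(at, req, alg, refresh_token=rt)
    print("good notification:", verify_push_binding(claims, alg, at, req, refresh_token=rt))
    print("swapped access token:", verify_push_binding(claims, alg, "other-token", req, refresh_token=rt))
```

The rt_hash branch is only evaluated when a Refresh Token actually arrived with the notification, which mirrors the "in case a Refresh Token is sent" wording; a client that receives a Refresh Token without a matching rt_hash should treat the notification as unbound rather than silently accept it.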
reporter Yes this can be closed.
Further we don’t support push mode anyway.
- changed status to resolved
Closing; thanks Dave!
Could you please add a link to the "current draft"?