CIBA - Signature for error token notification

Issue #118 closed
Dave Tonge created an issue

The current MODRNA CIBA spec is not clear on how errors are sent to the client's notification endpoint.

In the FAPI CIBA profile I've required the AS to include two additional parameters when sending an error to the notification endpoint:

  • auth_req_id
  • id_token: with an auth_req_id claim

I think that these two parameters are necessary to enable the client to associate the error with the auth_req_id received from the backchannel authentication endpoint, and to be assured of the source authentication and integrity of the payload.

It would be good to get feedback on whether this is a sensible approach. Also, perhaps this adjustment could go into the MODRNA CIBA spec?
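The client-side check that the proposal above implies, as an added example that is not from the issue or from any CIBA implementation: the client accepts an error notification only when its `auth_req_id` matches a pending backchannel request and the accompanying `id_token` verifies and carries the same `auth_req_id` claim. It assumes an HS256 shared key, an issuer URL, a client_id and an `auth_req_id` value, all constructed here; a real AS would sign the id_token with its asymmetric key, which changes only the signature check.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Sign claims as an HS256 JWT (constructed shared key stands in for the AS key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_error_notification(body: dict, pending: set, key: bytes, issuer: str, client_id: str):
    """Return (accepted, reason) for a POSTed error notification.

    Implements the two parameters proposed in the issue: the top-level
    auth_req_id ties the error to a pending request, and the id_token's
    auth_req_id claim binds that association to a verified signature."""
    if "error" not in body:
        return False, "not an error notification"
    auth_req_id = body.get("auth_req_id")
    if auth_req_id not in pending:
        return False, "unknown auth_req_id"
    token = body.get("id_token")
    if not isinstance(token, str) or token.count(".") != 2:
        return False, "missing id_token"
    h, p, s = token.split(".")
    # Pin the algorithm before trusting anything in the token.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return False, "wrong issuer or audience"
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    # The signed claim must agree with the unsigned top-level parameter.
    if claims.get("auth_req_id") != auth_req_id:
        return False, "auth_req_id mismatch between body and id_token"
    pending.discard(auth_req_id)  # request is now settled
    return True, body["error"]
```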

Comments (5)

  1. Dave Tonge reporter

    Yes, although I think the spec could be improved by having a specific section on errors sent to the notification endpoint

  2. Dave Tonge reporter

    We discussed that there isn't a need for the errors to be signed; I'll adjust the draft to reflect this.
