CIBA - Signature for error token notification
The current MODRNA CIBA spec is not clear on how errors are sent to the client's notification endpoint.
In the FAPI CIBA profile I've required the AS to include two additional parameters when sending an error to the notification endpoint:
- auth_req_id
- id_token: with an auth_req_id claim
I think that these two parameters are necessary to enable the client to associate the error with the auth_req_id received from the backchannel authentication endpoint, and to be assured of the source authentication and integrity of the payload.
It would be good to get feedback on whether this is a sensible approach. Also, perhaps this adjustment could go into the MODRNA CIBA spec?
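What the proposal above amounts to on the client side, as an added example that is not code from the FAPI CIBA draft or the MODRNA spec: a notification endpoint handler that receives a push-mode error, verifies the id_token, checks that the signed auth_req_id claim equals the unsigned top-level auth_req_id, and only then associates the error with an outstanding backchannel authentication request. The issue thread later concludes that signing the error is not required; this illustrates the proposal as originally written. Assumptions are labelled in the code: the id_token is an HS256 JWS keyed with the client secret (a real AS would more typically use RS256/ES256 with keys from its JWKS), the payload field names follow the issue text plus the standard OAuth error and error_description members, and the issuer, client_id, secret and auth_req_id values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example; not from the FAPI CIBA or MODRNA CIBA drafts.
# Assumptions: HS256 id_token keyed with the client secret, and a JSON push
# payload of the form {"auth_req_id", "error", "error_description", "id_token"}.
ISSUER = "https://as.example"                       # constructed AS issuer
CLIENT_ID = "client-123"                            # constructed client_id
CLIENT_SECRET = b"constructed-shared-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS. Only used to simulate the AS side here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Verify the JWS signature and return its claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def handle_error_notification(payload: dict, pending: dict, now: int = None) -> dict:
    """Client notification endpoint logic for a push-mode error.

    `pending` maps auth_req_id -> state of an outstanding backchannel
    authentication request. Returns that entry updated with the error, or
    raises ValueError if the notification cannot be authenticated or associated.
    """
    now = int(time.time()) if now is None else now
    for field in ("auth_req_id", "error", "id_token"):
        if field not in payload:
            raise ValueError(f"missing {field}")
    claims = verify_hs256_jwt(payload["id_token"], CLIENT_SECRET)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    # The binding the issue asks for: the signed auth_req_id claim must equal the
    # unsigned top-level parameter, and both must name a request this client made.
    if claims.get("auth_req_id") != payload["auth_req_id"]:
        raise ValueError("auth_req_id mismatch between id_token and payload")
    entry = pending.get(payload["auth_req_id"])
    if entry is None:
        raise ValueError("unknown auth_req_id")
    entry["status"] = "error"
    entry["error"] = payload["error"]
    entry["error_description"] = payload.get("error_description")
    return entry


def demo() -> dict:
    """Constructed exchange: the AS pushes access_denied for one pending request."""
    now = 1_700_000_000
    req_id = "constructed-auth-req-id-1"
    pending = {req_id: {"status": "pending", "login_hint": "alice"}}
    id_token = make_hs256_jwt(
        {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "exp": now + 300, "auth_req_id": req_id},
        CLIENT_SECRET,
    )
    notification = {
        "auth_req_id": req_id,
        "error": "access_denied",
        "error_description": "End-user rejected the request",
        "id_token": id_token,
    }
    return handle_error_notification(notification, pending, now)
```

The mismatch check is the point of the second parameter: without a signed auth_req_id inside the id_token, anyone who can reach the notification endpoint could attach an error to an arbitrary pending request just by guessing or observing its identifier.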
Comments (5)
- We are talking about this section of CIBA, right? https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#token_error_response
- Looks like CIBA would benefit from this.
- reporter: Yes, although I think the spec could be improved by having a specific section on errors sent to the notification endpoint.
- reporter: We discussed that there isn't a need for the errors to be signed; I'll adjust the draft to reflect this.
- reporter: I've adjusted the draft; I believe this can be closed.
- changed status to closed