The current MODRNA CIBA spec is not clear on how errors are sent to the client's notification endpoint.
In the FAPI CIBA profile I've required the AS to include two additional parameters when sending an error to the notification endpoint:
id_token: with an
I think that these two parameters are necessary to enable the client to associate the error with the auth_req_id received from the backchannel authentication endpoint, and to be assured of the source authentication and integrity of the payload.
It would be good to get feedback on whether this is a sensible approach. Also, perhaps this adjustment could go into the MODRNA CIBA spec?