CIBA Binding Messages
From Freddi:
binding_message - could we do some work on improving this. There are a number of types of bindings that would be useful and we could investigate:
- two way binding - where the AD and CD are both bound to each other for a short period of time
- binding through NFC/scanned bar code rather than relying on a human
Comments (7)
-
reporter - If it is difficult to list all the possible use cases of binding_message at this moment and/or if we want to avoid preventing someone from inventing fantastic ways for binding in the future, it might be worth considering separating binding_message into two parameters, binding_type and binding_value. For example, like binding_type=message and binding_value=Hello. Even after this style is adopted, it is possible to keep binding_message={value} (if it is desired) as an alias of the combination of binding_type=message and binding_value={value}.
-
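As an added example (not code from the thread, the FAPI working group, or the CIBA specification text), the following Python sketch shows what a backchannel authentication endpoint would do with the binding value: parse the form-encoded request, accept either the spec's binding_message or the binding_type/binding_value pair proposed in the comment above as an alias, and reject values that are unsuitable for display on both the AD and the CD. The length limit and character set are assumed deployment policy; the core spec only says the value SHOULD be short and use a limited set of plain-text characters, and names the invalid_binding_message error for rejected values. The binding_type/binding_value parameters are the thread's proposal, not part of any published spec, and the sample requests are constructed.

```python
"""Added example: server-side handling of a CIBA binding message.

Assumptions (labelled): MAX_BINDING_LEN and ALLOWED_RE are policy
choices, not spec values. binding_type/binding_value is the alias
proposed in the issue thread, not a published parameter.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumed policy: short enough for a constrained AD display, plain characters only.
MAX_BINDING_LEN = 20
ALLOWED_RE = re.compile(r"^[A-Za-z0-9 .:#-]+$")


class BindingError(ValueError):
    """Carries the CIBA error code the endpoint would return."""

    def __init__(self, description: str):
        super().__init__(description)
        self.error = "invalid_binding_message"  # error code defined by CIBA core


def parse_backchannel_request(body: str) -> dict:
    """Parse a form-encoded backchannel authentication request body.

    Repeated parameters are rejected rather than silently picking one,
    so a request cannot carry two different binding messages.
    """
    flat = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter: {key}")
        flat[key] = values[0]
    return flat


def extract_binding(params: dict) -> Optional[str]:
    """Return the message to display on both devices, or None if absent.

    Accepts binding_message (spec) and, as the thread proposes,
    binding_type=message with binding_value=... as an alias (assumed).
    Contradictory combinations are rejected instead of guessed at.
    """
    msg = params.get("binding_message")
    btype = params.get("binding_type")
    bval = params.get("binding_value")

    if btype is not None or bval is not None:
        if btype != "message" or bval is None:
            raise BindingError("unsupported binding_type or missing binding_value")
        if msg is not None and msg != bval:
            raise BindingError("binding_message and binding_value disagree")
        msg = bval

    if msg is None:
        return None
    if not msg or len(msg) > MAX_BINDING_LEN:
        raise BindingError(f"binding_message must be 1..{MAX_BINDING_LEN} characters")
    if not ALLOWED_RE.match(msg):
        raise BindingError("binding_message contains unsupported characters")
    return msg


def error_response(exc: BindingError) -> dict:
    """JSON error body shape (error / error_description) for the rejection."""
    return {"error": exc.error, "error_description": str(exc)}


# Constructed sample request bodies (not captured traffic).
GOOD = "scope=openid&login_hint=alice&binding_message=Approve%20%2342"
ALIAS = "scope=openid&login_hint=alice&binding_type=message&binding_value=Approve%20%2342"
TOO_LONG = "scope=openid&login_hint=alice&binding_message=" + "x" * 200

if __name__ == "__main__":
    print(extract_binding(parse_backchannel_request(GOOD)))
    print(extract_binding(parse_backchannel_request(ALIAS)))
    try:
        extract_binding(parse_backchannel_request(TOO_LONG))
    except BindingError as exc:
        print(error_response(exc))
```

The point of the check is the one the thread keeps returning to: whatever the parameter is called, the value only does its job if both devices can render it identically so the end-user can correlate the two, which is why display-safety is enforced at the server before anything is pushed to the AD.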
reporter - So we should probably have the binding_type discussion in the mobile issue tracker, but I'd probably be against it. I think that the login_hint_token is the generic container that we have that can help with this sort of thing.
In situations where we can have a way of passing tokens between the AD and the CD I think it makes sense to use the login_hint_token at the beginning of the flow rather than the binding message part way through the flow.
-
reporter - Currently I'm unsure of what we can add around this. I propose that any implementation considerations around the binding message be added to the new document rather than to the FAPI CIBA profile.
-
assigned issue to
-
assigned issue to
-
changed status to open
-
reporter - changed status to on hold
Putting on hold - as I don't think this should be added to the current CIBA doc.
At the moment I'm not sure what text we can add around this. There is also a crossover between binding messages and login_hint_tokens.
In the privacy considerations of the core draft we have this section: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#privacy_considerations which talks about using a "Single-use user identifier, transferred from the AD to the CD".