CIBA: initiating a CIBA flow without a hint for identifying the user

Issue #237 resolved
Joseph Heenan created an issue

The UK OB CIBA spec allows an RP to initiate a CIBA flow without providing any information to identify the user. (I’ve attached a sequence diagram showing how this works; the user is identified by the OP / on the AD.)

The CIBA spec does not currently provide a way to do this; it is mandatory to pass one of login_hint, login_hint_token or id_token_hint. (It works in the current OB spec because OB currently use login_hint_token to pass intent.)

It may be desirable to define a standard way to do this.
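The constraint the issue turns on is the core CIBA rule that a backchannel authentication request must carry exactly one user-identification hint. The following is an added example, not code from this issue thread or from any OB, FAPI or CIBA specification: a small request check an OP could apply to the form-encoded body of a backchannel authentication request. It assumes the parameter names from the core CIBA spec (login_hint, login_hint_token, id_token_hint) and the sample request bodies are constructed for illustration.

```python
"""Check a CIBA backchannel authentication request for the mandatory
user-identification hint (added example, not part of the original page).

Core CIBA requires one, and only one, of login_hint, login_hint_token or
id_token_hint.  The UK OB case described in the issue (no hint at all, user
identified later on the authentication device) is exactly what this check
rejects; OB gets through today because it sends login_hint_token carrying
the intent.
"""

from urllib.parse import parse_qs

# Parameter names taken from the core CIBA spec.
HINT_PARAMS = ("login_hint", "login_hint_token", "id_token_hint")


def check_hints(params: dict) -> tuple[bool, str]:
    """Return (True, <hint name used>) if exactly one non-empty hint is present,
    otherwise (False, <error string in CIBA error-response style>)."""
    present = [p for p in HINT_PARAMS if params.get(p)]
    if not present:
        return (
            False,
            "invalid_request: one of login_hint, login_hint_token or "
            "id_token_hint is required",
        )
    if len(present) > 1:
        return (
            False,
            "invalid_request: only one hint may be supplied, got "
            + ", ".join(present),
        )
    return True, present[0]


def check_form_body(body: str) -> tuple[bool, str]:
    """Parse an application/x-www-form-urlencoded request body and run the
    hint check on it.  Repeated parameters are themselves a malformed
    request, so the first occurrence is used and the rest ignored here."""
    parsed = parse_qs(body, keep_blank_values=True)
    params = {k: v[0] for k, v in parsed.items()}
    return check_hints(params)


# Constructed sample bodies (values are placeholders, not real tokens).
OB_STYLE_REQUEST = (
    "scope=openid&client_notification_token=placeholder-cnt"
    "&login_hint_token=placeholder-intent-jwt"
)
NO_HINT_REQUEST = "scope=openid&client_notification_token=placeholder-cnt"
TWO_HINT_REQUEST = (
    "scope=openid&login_hint=placeholder-user"
    "&id_token_hint=placeholder-id-token"
)

if __name__ == "__main__":
    for label, body in (
        ("OB-style request", OB_STYLE_REQUEST),
        ("no-hint request", NO_HINT_REQUEST),
        ("two-hint request", TWO_HINT_REQUEST),
    ):
        ok, detail = check_form_body(body)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({detail})")
```

The check is deliberately independent of what the hint contains: whether the OP can actually resolve it to a user is a separate step, and a hint that cannot be resolved is reported with a different error than a missing one.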

Comments (5)

  1. Joseph Heenan (reporter)

    As Dave very sensibly pointed out on the mailing list, in almost all use cases where QR codes are involved it looks like the UX would be improved by doing the ‘decoupling’ on the TPP side and using a normal (non-CIBA) redirect flow on the “authentication device”:

  2. Dave Tonge

    So I still think this is a potentially valid use case, but not sure that we should say anything about it in the FAPI CIBA spec. If OB want to define a login_hint which just conveys the fact that the user will be identified later, then they can do that.

  3. Dave Tonge

    We discussed on the call and agreed that we don’t need to add anything about this to the FAPI CIBA profile for the moment.