FAPI-CIBA: Is request_context a claim or a request parameter?
It's ambiguous whether request_context is a claim in a signed authentication request (CIBA Core 7.1.1) or a request parameter (CIBA Core 7.1).
The following are excerpts from the FAPI-CIBA profile that mention request_context.
FAPI-CIBA profile, 5.2.2 Authorization Server
10. may require clients to provide a request_context claim as defined in section 5.3 of this profile; and
FAPI-CIBA profile, 5.3 Extensions to CIBA authentication request
This profile defines the following extensions to the authentication request defined in CIBA section 7.1.
1. request_context: OPTIONAL. a JSON object (the contents of which are not defined by this specification) containing information to inform fraud and threat decisions. For example, an ecosystem may require relying parties to provide geolocation for the consumption device.
"CIBA section 7.1" referred to in the first paragraph of FAPI-CIBA 5.3 lists request parameters, not claims. If "CIBA section 7.1.1" were referred to instead of "CIBA section 7.1", there would be no ambiguity and readers would think that request_context is a claim in a signed authentication request.
If request_context is a request parameter like client_notification_token, it should be written explicitly.
Comments (5)
- Agree that we should add an example
- changed status to open
- assigned issue to
- assigned issue to
- changed status to closed
- FAPI-CIBA: Add example signed request object
  Should help to resolve some uncertainty as to the meaning of various spec clauses.
  closes #243 → <<cset d72397507c23>>
It’s worded in that way as there was some last minute discussion about whether signed requests would be required or not.
As per https://openid.net/specs/openid-financial-api-ciba.html#authorization-server :
this requires that request_context must be passed only inside the signed request object to comply with the FAPI-CIBA spec.
It’d probably be worthwhile us adding an example.
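As an added illustration (not code from the issue, the FAPI working group, or the linked specs), a standard-library Python sketch of the reading the comments converge on: request_context travels as a claim inside the signed request object, and the authorization server rejects it when it arrives as a bare form parameter. The HS256 shared key, the AS identifier and the claim values are constructed for the demo; a real FAPI-CIBA deployment signs with the asymmetric algorithms the profile mandates (PS256/ES256) through a JWT library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: HS256 stands in for the asymmetric algorithms the
# profile mandates, so the example runs offline with the standard library.
DEMO_KEY = b"constructed-demo-key-not-for-production"
AS_ISSUER = "https://as.example"  # assumed AS identifier used as the JWT audience

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_request_object(claims: dict) -> str:
    """Client side: CIBA Core 7.1.1 carries the authentication request
    parameters, request_context included, as claims of one signed JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_backchannel_request(form: dict, now: int) -> dict:
    """AS side: request_context is accepted only as a claim of the signed
    request object; a bare form parameter is rejected. Raises ValueError."""
    if "request_context" in form:
        raise ValueError("request_context must be inside the signed request object")
    if "request" not in form:
        raise ValueError("signed request object required")
    header, payload, sig = form["request"].split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    # CIBA Core 7.1.1 requires these claims in addition to the request parameters
    for name in ("aud", "iss", "exp", "iat", "nbf", "jti"):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if claims["aud"] != AS_ISSUER or not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("audience or validity window check failed")
    ctx = claims.get("request_context")
    if ctx is not None and not isinstance(ctx, dict):
        raise ValueError("request_context must be a JSON object")
    return claims
```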