I'm struggling to make any sense of this paragraph:

As the user has no consumption device through which the user is interacting with the Client, this flow will not cause any user credentials to go through the RP. So it should be highlighted that traditional username/password authentication could not be used because only out-of-band mechanisms will work in conjunction with this flow.

As far as I can tell from the other definition, the consumption device is, by definition, the device the user is using to interact with the client.

I also do not see how CIBA rules out a "traditional username/password authentication"; surely the idp is at liberty to use a username & password as authentication if it wants.

Is this paragraph trying to say something along the lines of "As the user is directly interacting with the IdP through the authentication device, no user credentials pass through the RP and the IdP is free to perform authentication using any method it picks, without the RP having any knowledge of the authentication method used"?

If my suggestion is on the right lines I can try to refine it.

  1. Dave Tonge

    Yeah I also wasn't 100% happy with that wording.

    I think what it's actually trying to say is that only idps that can communicate with the user out of band can use CIBA. It's not possible to do if it is a simple idp that only has a record of a username/password for a user and no out-of-band methods of authenticating.

  2. Dave Tonge

    Actually my statement above "no out-of-band methods of authenticating" is wrong. All the idp needs to do is to be able to contact or notify the user out of band. This could be through a simple email when the user clicks on a link and then logs in with username and password.

  3. Brian Campbell

    I must admit that I've kind of ignored a lot of the intro or explanatory text as I'm not always sure what it's trying to say and am thus somewhat hesitant to make changes. But that paragraph could certainly stand some improvement. I think you are both right or could be right. Although with acr and acr_values the RP may have some knowledge or say of how authentication is done. I guess I think Dave's on the right track.

  4. Brian Campbell

    Here's a sleep deprived attempt at some replacement text:

    As the user does not provide authentication credentials directly to the consumption device, supporting this flow requires that the OP have some mechanism of initiating user authentication out-of-band from the interaction with the consumption device.

    But I'm more than happy to consider alternative text or improvements to that text from any of the fine folks following this issue.

    One other alternative solution is to simply remove the paragraph in question.
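As an added illustration of the point the thread is circling (not code from the issue tracker or the CIBA spec), here is a toy simulation of the flow: the client sends only a login hint and then polls with the auth_req_id, while the credential check happens between the user and the OP on the authentication device, so the client's messages never carry the password. Class and function names, the constructed user record and the binding message are all assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type value defined by CIBA


@dataclass
class OpenIDProvider:
    """Constructed toy OP: pending backchannel requests plus a user store it alone can read."""
    users: dict = field(default_factory=dict)    # login_hint -> password, checked only OP-side
    pending: dict = field(default_factory=dict)  # auth_req_id -> {"login_hint", "approved"}

    def backchannel_authentication(self, request: dict) -> dict:
        # The client identifies *who* should be authenticated; no credential is present.
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {"login_hint": request["login_hint"], "approved": False}
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 2}

    def authenticate_on_auth_device(self, auth_req_id: str, login_hint: str, password: str) -> bool:
        # Out-of-band step: the user answers the OP's notification (e.g. an emailed link)
        # on the authentication device and presents the credential to the OP directly.
        req = self.pending[auth_req_id]
        req["approved"] = req["login_hint"] == login_hint and self.users.get(login_hint) == password
        return req["approved"]

    def token(self, request: dict) -> dict:
        req = self.pending.get(request.get("auth_req_id"))
        if request.get("grant_type") != CIBA_GRANT or req is None:
            return {"error": "invalid_grant"}
        if not req["approved"]:
            return {"error": "authorization_pending"}  # user has not (successfully) responded yet
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_ciba_flow(op: OpenIDProvider, login_hint: str, password: str) -> tuple:
    """Drive the flow from the client's side.

    Returns (messages the client sent, first poll reply, poll reply after the user acted).
    """
    sent = []
    req = {"scope": "openid", "login_hint": login_hint, "binding_message": "ABC-123"}
    sent.append(req)
    auth = op.backchannel_authentication(req)
    poll = {"grant_type": CIBA_GRANT, "auth_req_id": auth["auth_req_id"]}
    sent.append(poll)
    first = op.token(poll)  # user has not yet responded on the authentication device
    op.authenticate_on_auth_device(auth["auth_req_id"], login_hint, password)  # OP <-> user only
    sent.append(poll)
    return sent, first, op.token(poll)


def client_saw_credential(sent: list, password: str) -> bool:
    """True if any message the client built contains the user's password."""
    return any(password in str(m) for m in sent)
```

With a wrong password the second poll still answers `authorization_pending`; the client learns nothing about which method the OP used or why it failed.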
