unexpected language requiring clients to call token endpoint after receiving a callback
10.2. Ping Callback says:
For valid requests, the Client MUST use the received auth_req_id to make a Token Request using the Backchannel Request Grant Type to the Token Endpoint as described in Token Request Using Backchannel Request Grant Type.
To me, this says that the client MUST call the token endpoint, even if it is no longer interested in the result of the authentication. I am not sure if that was intended?
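The behaviour the issue asks about, as an added example that is not part of the original issue or of the CIBA spec's own code: a client that receives a ping callback authenticates it with the `client_notification_token` it sent earlier, binds it to a pending `auth_req_id`, and then calls the token endpoint only if it still wants the result (the "can now" reading proposed below, not "MUST"). The class name, the injected `token_endpoint` callable and the sample ids are assumptions made for this example; the grant type string is the one from the final CIBA Core spec and is an assumption about the draft discussed here.

```python
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

# Grant type value from the final CIBA Core spec; the draft on this page calls it the
# "Backchannel Request Grant Type" and may have used a different string (assumption).
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"

TokenEndpoint = Callable[[Dict[str, str]], Dict[str, object]]


class PingCallbackClient:
    """Client-side handling of a CIBA ping callback (hypothetical helper)."""

    def __init__(self, client_id: str, token_endpoint: TokenEndpoint) -> None:
        self.client_id = client_id
        # The token endpoint call is injected so the example runs offline; a real
        # client would POST these form parameters to the OP's token endpoint.
        self._token_endpoint = token_endpoint
        # auth_req_id -> {"notification_token": str, "interested": bool}
        self._pending: Dict[str, Dict[str, object]] = {}

    def register_request(self, auth_req_id: str, client_notification_token: str) -> None:
        """Record a backchannel authentication request the client is waiting on."""
        self._pending[auth_req_id] = {
            "notification_token": client_notification_token,
            "interested": True,
        }

    def abandon(self, auth_req_id: str) -> None:
        """Mark a request as no longer interesting (e.g. the end user gave up)."""
        if auth_req_id in self._pending:
            self._pending[auth_req_id]["interested"] = False

    def handle_ping(self, authorization: Optional[str], body: bytes) -> Tuple[int, Optional[Dict[str, object]]]:
        """Process one ping callback; returns (HTTP status, token response or None)."""
        # 1. The ping must carry the client_notification_token the client itself sent
        #    in the authentication request, as a bearer token. Without it: 401.
        if not authorization or not authorization.startswith("Bearer "):
            return 401, None
        presented = authorization[len("Bearer "):]

        # 2. Parse the JSON body; the only member this example needs is auth_req_id.
        try:
            payload = json.loads(body)
            auth_req_id = payload["auth_req_id"]
        except (ValueError, KeyError, TypeError):
            return 400, None

        # 3. Bind the ping to a pending request and compare the bearer token in
        #    constant time. Unknown ids and mismatched tokens are both rejected.
        entry = self._pending.get(auth_req_id)
        if entry is None or not hmac.compare_digest(str(entry["notification_token"]), presented):
            return 401, None

        # A valid ping is consumed either way, so a replayed ping is rejected.
        del self._pending[auth_req_id]

        # 4. Fetch tokens only if the client still wants the result. A real client
        #    would usually acknowledge the ping first and fetch the token out of band;
        #    it is done inline here to keep the example short.
        if not entry["interested"]:
            return 204, None

        token_response = self._token_endpoint({
            "grant_type": CIBA_GRANT_TYPE,
            "auth_req_id": auth_req_id,
            "client_id": self.client_id,
        })
        return 204, token_response


if __name__ == "__main__":
    # Constructed sample run with a fake token endpoint.
    client = PingCallbackClient("client-123", lambda p: {"access_token": "constructed-token"})
    client.register_request("req-1", "notif-secret-1")
    print(client.handle_ping("Bearer notif-secret-1", b'{"auth_req_id": "req-1"}'))
```

The pending record holds both the notification token and the interest flag, so a stale or forged ping cannot trigger a token request, and an abandoned request is acknowledged without the client ever calling the token endpoint.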
Comments (7)
reporter -
For your first point do you think we should change: "MUST" to "can now" as in:
For valid requests, the Client can now use the received auth_req_id
For your second point I don't think we need to define that behaviour. It could be supported by an implementation if required without breaking the spec. We already have this phrase:
How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-scope of this specification.
assigned issue to
- changed milestone to CIBA Implementer's Draft
assigned issue to
reporter Yes, that seems to resolve the first point.
Thanks - pushed this: https://bitbucket.org/openid/mobile/commits/3ba5eb9be76d30d796768e874252861df9cbc607
- changed status to resolved
Agree that 3ba5eb9 fixes the unexpected and somewhat overeager language
Slightly related; perhaps it is expected/required that the client returns HTTP 401 unauthorized if it is no longer interested in the result?