1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. mobile
  4. Issues

CIBA - OpenID Provider Metadata

Issue #148 resolved
Dave Tonge created an issue

We received this via FAPI:

Why is [OpenID Provider Metadata] required ONLY for ones supporting ping and poll ? Why not for push ?

The text in question says:

OpenID Provider Metadata OPs supporting the ping or poll modes of CIBA SHOULD include the backchannel request grant type in the grant_types_supported field of their discovery metadata and SHOULD publish the supported token delivery modes for clients using CIBA.

I think we can tidy it up to make it clearer that its only ping/poll modes that require the grant_type, but that all CIBA implementations should have metadata.

Comments (8)

  1. Takahiko Kawasaki

    An interesting thing is that OIDC Discovery says the default value of grant_types_supported is ["authorizatin_code", "implicit"] although implicit will never be used as a value of the grant_type request parameter of token requests.

    It might be better to decide and mention explicitly whether a backchannel authentication request in "push" mode should be rejected or not when "backchannel_request" is not listed in grant_types_supported.

  2. Dave Tonge reporter

    Yep this is a really interesting point. Its not just OIDD, but also https://tools.ietf.org/html/rfc8414 defines implicit to be included in this value.

    However device flow doesn't mention adjusting grant_types_supported. https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-4 Even though it supports the equivalent of CIBA poll mode.

    From my perspective it would seem clearer that grant_types_supported should be metadata about the grant types supported, NOT metadata about the grant types supported at the token endpoint. However maybe there is good rationale for the current approach. @b_d_c what are your thoughts?

  3. Brian Campbell

    My thoughts are that grant_types_supported is generally about the grant types supported at the token endpoint. implicit is and always has been a bit of an odd outlier in being a grant and not being a grant at the same time - it's use in grant_types_supported for AS metadata and grant_types for client metadata is indicative of that oddness and, I think, kind of a one-off to have some representation for the flow in metadata. I think it should remain a one-off and CIBA should use the URI in grant_types[_supported] only for Ping and Poll modes. There are other metadata parameters that indicate support for CIBA in general like backchannel_token_delivery_modes_supported and backchannel_authentication_endpoint for the AS/OP and backchannel_token_delivery_mode for the client.

    The language could be tidied up some and maybe move the delivery mode stuff up front. But I don't believe any functional change is needed here.

  4. Dave Tonge reporter

    I'd go with your suggestion then Brian. I do think we can make an editorial change to the language to make it clearer though.

  9. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
CIBA
Milestone
CIBA Implementer's Draft
Votes
0
Watchers
0
Jira: the preferred issue tracker for Bitbucket. Join the team!