error in FAPI-CIBA certification tests: ping notifications for expired authorization requests

Issue #202 resolved
Joseph Heenan created an issue

This isn’t really a bug, but it turned out that I appear to have misinterpreted the CIBA spec when creating the certification tests.

There is a test that asks the user not to authenticate, waits for the ping notification to arrive when the request expires, then calls the token endpoint and checks it gets an expired_token error back.

The spec says:

If the Client is registered in Ping mode, the OpenID Provider will send an HTTP POST Request to the backchannel_client_notification_endpoint after a successful or failed end-user authentication.

I’d read this (I now believe incorrectly) to mean that ‘failed end-user authentication’ included requests that expired because the user didn’t react, but given the spec has this wording for push notifications I think I was incorrect:

expired_token

The auth_req_id has expired. The Client will need to make a new Authentication Request. OpenID Providers are not required to send this error, but Clients SHOULD support receiving this error.

So mostly this is just to let the working group know that these tests were wrong and may have misled implementors into believing they were required to send ping notifications in this case. The certification team intends to update the tests to allow, but not require, a ping notification in this case - unless anyone from the working group disagrees with that interpretation.

I don’t know if it’s potentially worth adding a sentence to the spec that makes it clear that some cases don’t require a ping notification.
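As an added illustration of the interpretation described in this issue (example code, not from the certification suite or from any CIBA implementation): a ping-mode client that treats a ping for an expired request as optional, timing out locally from the expires_in value of the backchannel authentication response and learning the outcome from the token endpoint's expired_token error rather than from the ping. The OP stand-in, the simulated clock and the auth_req_id value are constructed for the example.

```python
import threading
from dataclasses import dataclass

@dataclass
class BackchannelAuthResponse:
    auth_req_id: str  # from the OP's backchannel authentication response
    expires_in: int   # lifetime in seconds, from the same response

class PingModeClient:
    """Ping mode: a ping wakes the client early, but expiry is tracked locally."""
    def __init__(self, token_endpoint, clock, sleep):
        self._token_endpoint, self._clock, self._sleep = token_endpoint, clock, sleep
        self._pinged = {}  # auth_req_id -> Event set when the OP's ping arrives
    def start(self, resp):
        self._pinged[resp.auth_req_id] = threading.Event()
    def on_notification(self, body):  # backchannel_client_notification_endpoint handler
        ev = self._pinged.get(body.get("auth_req_id"))  # the POST body names only the id
        if ev is None:
            return False  # unknown or finished id: ignore, never call the OP for it
        ev.set()
        return True

    def wait_and_fetch(self, resp, step=1.0):
        ev, deadline = self._pinged[resp.auth_req_id], self._clock() + resp.expires_in
        while not ev.is_set() and self._clock() < deadline:
            self._sleep(min(step, deadline - self._clock()))
        woken_by = "ping" if ev.is_set() else "expires_in"
        del self._pinged[resp.auth_req_id]
        token = self._token_endpoint(resp.auth_req_id)  # outcome comes from here, not the ping
        return {"status": token.get("error", "granted"), "woken_by": woken_by}

class SimClock:  # constructed clock so the example runs instantly and offline
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, s): self.now += s

def run_unanswered_request(op_pings_on_expiry):
    """The user never authenticates; the OP may or may not ping once the id expires."""
    clock = SimClock()
    resp = BackchannelAuthResponse(auth_req_id="constructed-req-1", expires_in=120)
    expired = lambda: clock() >= resp.expires_in
    def token_endpoint(auth_req_id):  # constructed OP stand-in
        return {"error": "expired_token" if expired() else "authorization_pending"}
    def sleep(seconds):  # advances time and delivers the OP's optional expiry ping
        clock.advance(seconds)
        if op_pings_on_expiry and expired():
            client.on_notification({"auth_req_id": resp.auth_req_id})
    client = PingModeClient(token_endpoint, clock, sleep)
    client.start(resp)
    return client.wait_and_fetch(resp)
```

Both branches end in the same single token request and the same expired_token outcome; the only difference is what woke the client, which is why an OP that never sends the ping is still interoperable.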

Comments (6)

  1. Filip Skokan

    I support this change.

    Mostly because the client does not need to be pinged to know the request has expired, it has the expires_in value to know that already.

    Similar language to what’s in push mode should be applied to ping mode as well to make this clear to implementers.

  2. Brian Campbell

    I agree with the interpretation that a ping/push is allowed but not required in the case of the auth_req_id having expired. So (pedantically) this would be a clarification rather than an actual change to the protocol.
