error in FAPI-CIBA certification tests: ping notifications for expired authorization requests
This isn’t really a bug, but it turned out that I appear to have misinterpreted the CIBA spec when creating the certification tests.
There is a test that asks the user not to authenticate, waits for the ping notification to arrive when the request expires, then calls the token endpoint and checks it gets an expired_token error back.
The spec says:
"If the Client is registered in Ping mode, the OpenID Provider will send an HTTP POST Request to the backchannel_client_notification_endpoint after a successful or failed end-user authentication."
I’d read this (I now believe incorrectly) to mean that ‘failed end-user authentication’ included requests that expired because the user didn’t react, but given the spec has this wording for push notifications I think I was incorrect:
"expired_token: The auth_req_id has expired. The Client will need to make a new Authentication Request. OpenID Providers are not required to send this error, but Clients SHOULD support receiving this error."
So mostly this is just to let the working group know that these tests were wrong and may have misled implementors into believing they were required to send ping notifications in this case. The certification team intends to update the tests to allow, but not require, a ping notification in this case - unless anyone from the working group disagrees with that interpretation.
I don’t know if it’s potentially worth adding a sentence to the spec that makes it clear that some cases don’t require a ping notification.
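To make the interpretation discussed above concrete, here is an added, offline simulation of CIBA ping mode; it is example code written for this page, not part of the spec, the certification tests or any project. The fake OP pings the client only after a successful or failed end-user authentication and sends nothing when the auth_req_id merely expires; the client decides expiry itself from expires_in and still handles an expired_token response from the token endpoint. Class and method names (FakeOP, CibaPingClient, check, notification_endpoint) are assumptions for the example, and the clock is passed as an explicit "now" value so the flow is deterministic.

```python
import secrets
from dataclasses import dataclass

# Added, offline simulation of CIBA ping mode (not the spec's or any project's
# code). The fake OP encodes the interpretation agreed in the thread: it pings
# the client after a successful or failed end-user authentication, but sends
# nothing when the auth_req_id merely expires. Clock values ("now") are passed
# explicitly so the flow is deterministic.


@dataclass
class PendingRequest:
    auth_req_id: str
    issued_at: float
    expires_in: int
    client_notification_token: str

    def expired(self, now):
        return now >= self.issued_at + self.expires_in


class FakeOP:
    """Minimal OpenID Provider: backchannel auth, user outcome, token endpoint."""

    def __init__(self, expires_in=5):
        self.expires_in = expires_in
        self.requests = {}      # auth_req_id -> state dict
        self.pings_sent = []    # auth_req_ids for which a ping was delivered

    def backchannel_authentication(self, client_notification_token, notify, now):
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"state": "pending", "issued_at": now,
                                      "notify": notify,
                                      "token": client_notification_token}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in,
                "interval": 2}

    def user_result(self, auth_req_id, authenticated, now):
        """End-user approved or denied: ping mode requires a notification here."""
        req = self.requests[auth_req_id]
        req["state"] = "approved" if authenticated else "denied"
        self.pings_sent.append(auth_req_id)
        req["notify"](auth_req_id, req["token"], now)

    def token(self, auth_req_id, now):
        req = self.requests.get(auth_req_id)
        if req is None:
            return {"error": "invalid_grant"}
        if now >= req["issued_at"] + self.expires_in:
            # No ping for this case; the client learns of expiry here or via expires_in.
            return {"error": "expired_token"}
        if req["state"] == "pending":
            return {"error": "authorization_pending"}
        if req["state"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": "at-" + auth_req_id[:8], "token_type": "Bearer"}


class CibaPingClient:
    """Client that tracks expiry itself instead of waiting for a ping."""

    def __init__(self, op):
        self.op = op
        self.pending = {}   # auth_req_id -> PendingRequest
        self.results = {}   # auth_req_id -> final token-endpoint outcome

    def start(self, now):
        cnt = secrets.token_urlsafe(24)   # client_notification_token given to the OP
        resp = self.op.backchannel_authentication(cnt, self.notification_endpoint, now)
        self.pending[resp["auth_req_id"]] = PendingRequest(
            resp["auth_req_id"], now, resp["expires_in"], cnt)
        return resp["auth_req_id"]

    def notification_endpoint(self, auth_req_id, bearer, now):
        """Stands in for the HTTP POST to backchannel_client_notification_endpoint."""
        req = self.pending.get(auth_req_id)
        # Reject pings for unknown requests or with a wrong bearer token before
        # spending a token-endpoint call on them.
        if req is None or not secrets.compare_digest(bearer, req.client_notification_token):
            return "rejected_ping"
        return self._finish(auth_req_id, self.op.token(auth_req_id, now))

    def check(self, auth_req_id, now):
        """Timer-driven check: expiry is decided from expires_in, no ping needed."""
        req = self.pending.get(auth_req_id)
        if req is None:
            return self.results.get(auth_req_id, "unknown")
        if req.expired(now):
            return self._finish(auth_req_id, {"error": "expired_token"})
        return "waiting"

    def _finish(self, auth_req_id, token_response):
        self.pending.pop(auth_req_id, None)
        self.results[auth_req_id] = token_response
        return token_response
```

Running the expiry path (start a request, let nobody react, call check after expires_in seconds) shows the client reaching expired_token with op.pings_sent still empty, which is exactly the behaviour the updated certification test allows; the approved and denied paths arrive through the ping, and a ping whose bearer token does not match the client_notification_token is rejected without touching the token endpoint.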
Comments (6)
- I agree with the interpretation that a ping/push is allowed but not required in the case of the auth_req_id having expired. So (pedantically) this would be a clarification rather than an actual change to the protocol.
- Thank you @Brian Campbell, I agree this is more a clarification than a change.
- PR #15 is an awkward attempt at a sentence to clarify.
- changed status to resolved: PR merged
- I support this change. Mostly because the client does not need to be pinged to know the request has expired; it has the expires_in value to know that already. Similar language to what’s in push mode should be applied to ping mode as well to make this clear to implementers.