Use of eKYC-IDA spec with CIBA/FAPI-CIBA
This is a replica of eKYC-IDA issue #1321 as part of transitioning the issue to the MODRNA WG.
The CIBA spec & identity assurance specs don’t currently work together - the identity assurance spec defines extra members for the ‘claims’ request parameter defined in OpenID Connect Core, but CIBA doesn’t have the ‘claims’ request parameter, so there’s currently no way to request verified_claims using CIBA. There probably should be. [Technically requesting verified claims via scopes as per https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html#section-6.6 still works, but you lose the full expressivity of the IDA requests.]
Nat initially suggested to my colleagues that this could perhaps be solved somehow in the FAPI-CIBA spec, but when it was raised with the FAPI WG (https://bitbucket.org/openid/fapi/issues/540/use-of-ekyc-ida-spec-with-ciba-fapi-ciba) it was suggested that it be looked at by the eKYC working group instead.
Note that the same problem likely affects using the “advanced syntax for claims” spec with CIBA too.
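As an added example (not code from the issue, the MODRNA WG or any OpenID spec), the following Python compares an OIDC Core ‘claims’ request object of the shape the identity assurance spec extends with what a CIBA backchannel authentication request can carry. The sample request object, the placeholder login_hint and ACR values, and the helper ciba_request_from_claims are assumptions made for illustration; the form body the helper builds stays within the parameters CIBA actually defines.

```python
"""Added illustration, not text or code from the issue or from any OpenID
specification. It shows what an OpenID Connect Core 'claims' request object
(OIDC Core section 5.5, extended by OpenID Connect for Identity Assurance
with 'verified_claims') can express that a CIBA backchannel authentication
request cannot, because CIBA defines no 'claims' parameter. The request
object below is constructed sample input; ciba_request_from_claims() is a
hypothetical helper, not something either spec defines."""
import json
from urllib.parse import urlencode

# Constructed sample: the 'claims' value a client would put in an OIDC Core
# authorization request. It asks for acr as an essential claim limited to
# one value, and for verified_claims under a named trust framework.
CLAIMS_REQUEST = {
    "id_token": {
        "acr": {"essential": True, "values": ["urn:example:acr:high"]},
    },
    "userinfo": {
        "verified_claims": {
            "verification": {"trust_framework": {"value": "example_framework"}},
            "claims": {"given_name": {"essential": True}, "family_name": None},
        },
    },
}


def ciba_request_from_claims(claims, scope="openid", login_hint="user@example.com"):
    """Map a 'claims' request object onto parameters CIBA does define.

    Returns (params, lost). 'params' is what can go in the form body sent to
    the backchannel authentication endpoint. 'lost' lists every detail of the
    original request that has no CIBA equivalent, which is the gap the issue
    describes. The hint values are placeholders (assumed, not from the page).
    """
    params = {"scope": scope, "login_hint": login_hint}
    lost = []
    for target in ("id_token", "userinfo"):
        for name, spec in (claims.get(target) or {}).items():
            spec = spec or {}
            if name == "acr":
                # acr_values carries the requested ACR list, but it cannot
                # mark the claim essential; only 'claims' can do that.
                if spec.get("values"):
                    params["acr_values"] = " ".join(spec["values"])
                elif spec.get("value"):
                    params["acr_values"] = spec["value"]
                if spec.get("essential"):
                    lost.append(f"{target}.acr.essential")
            elif name == "verified_claims":
                # Identity assurance: the verification constraints and the
                # per-claim selection and 'essential' flags exist only inside
                # 'claims'. Scopes can ask for verified claims in bulk (the
                # issue notes this) but not at this granularity.
                for key in spec.get("verification") or {}:
                    lost.append(f"{target}.verified_claims.verification.{key}")
                for claim, cspec in (spec.get("claims") or {}).items():
                    flag = " (essential)" if (cspec or {}).get("essential") else ""
                    lost.append(f"{target}.verified_claims.claims.{claim}{flag}")
            else:
                # Any other individually requested claim has no CIBA parameter
                # either; at best a scope value covers it.
                lost.append(f"{target}.{name}")
    return params, lost


def backchannel_request_body(params):
    """Form-encode the parameters as sent to the backchannel authentication
    endpoint (application/x-www-form-urlencoded)."""
    return urlencode(params)


if __name__ == "__main__":
    params, lost = ciba_request_from_claims(CLAIMS_REQUEST)
    print("OIDC Core claims parameter:", json.dumps(CLAIMS_REQUEST))
    print("CIBA request body:", backchannel_request_body(params))
    print("Not expressible in CIBA today:")
    for item in lost:
        print("  -", item)
```

Running it prints the form body (scope, login_hint, acr_values) and the list of request details left behind: the essential flag on acr, the trust framework constraint, and the per-claim selection under verified_claims. That list is what a CIBA extension adding the ‘claims’ parameter would restore.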
Comments (6)
-
There is an opinion that the ‘claims’ request parameter defined in OpenID Connect Core 1.0 Section 5.5 is too much for the purpose of realizing CIBA+IDA. I agreed on the opinion in the past, but recently, I noticed that “OAuth 2.0 Step-up Authentication Challenge Protocol” and “OpenID Connect Core Error Code unmet_authentication_requirements” also need the ‘claims’ request parameter in order to request the acr claim as an essential claim. The acr_values request parameter (OIDC Core) and the default_acr_values client metadata (OIDC DynReg) can be used to specify a list of ACRs, but they cannot request the acr claim as essential. The ‘claims’ request parameter is the only way to request claims as essential. That the backchannel authentication does not recognize the ‘claims’ request parameter means that not only IDA but also Step-up Authentication & unmet_authentication_requirements won’t work with CIBA.
-
After conversation with an author of OAuth 2.0 Step-up Authentication Challenge Protocol, I learned that the specification intentionally avoids using the ‘claims’ request parameter and instead recommends that authorization server implementations treat ACRs specified by the acr_values request parameter as essential. Therefore, OAuth 2.0 Step-up Authentication Challenge Protocol does not have to be taken into consideration here in this issue. Sorry for having brought up the complex topic.
-
If I remember correctly, Dima noted that an Australian ecosystem is making use of OpenID identity claims requested via the claims parameter, and is also considering adopting CIBA, which presents the same problem as using the full eKYC-IDA spec.
-
We discussed this on yesterday’s MODRNA call and the conclusion was for the working group to create a new spec that extends CIBA to add the claims parameter. If there are no objections, at the next working group call we should talk about how that happens (e.g. who will actually write the spec).
-
reporter: Since no objections against moving forward with extending CIBA were raised by any working group member, it was agreed on today’s MODRNA working group call to move forward with a new spec extending CIBA.
-
reporter: changed milestone to Extension