Server-initiated Authentication

Issue #45 resolved
Torsten Lodderstedt created an issue

The MODRNA WG will propose a reasonable mechanism to perform authentication in cases where no user agent is available and the authentication process needs to be initiated via server 2 server communication. Use cases are for example user authentication in the context of a call center call. The idea is to introduce an extension to the token endpoint (TBD: new grant type or JWT bearer assertion), which is used in conjunction with the standard scope value “openid” and potentially other OIDC scope values and parameters to initiate the authentication. The authentication process is conducted out of band using the same mechanisms the ID gateway uses for the standard Mobile Connect/OpenID Connect authentication flow via browser redirect.

To be considered:

* callback/polling needed
* RP potentially knows MSISDN or PPID and wants to enforce it (2nd factor authentication via Mobile Connect)
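
The polling variant of the flow sketched in the issue, as an added toy model that is not code from the MODRNA WG, Mobile Connect or any ID gateway. Because the issue leaves the token-endpoint extension TBD, the grant type URN, the `auth_req_id`/`login_hint` field names, the error codes and the 120-second request lifetime are all assumptions made for this illustration. The model shows the two points a relying party and gateway have to get right when no browser is in the loop: the RP must keep polling while the out-of-band step is pending, and when the RP already knows the MSISDN or PPID it wants as a second factor, the gateway must refuse to issue a token unless the subject proven out of band is that same identifier. Authentication requests are single use and expire.

```python
"""Toy model of server-initiated (backchannel) OpenID authentication with polling.

Added example only; not the MODRNA WG's or any gateway's implementation.
Grant type, field names, error codes and TTL below are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

GRANT_TYPE = "urn:example:params:oauth:grant-type:backchannel"  # hypothetical placeholder
REQUEST_TTL = 120  # assumed lifetime (seconds) of a pending authentication request


@dataclass
class AuthRequest:
    client_id: str
    scope: str
    login_hint: str            # MSISDN or PPID the RP wants to enforce ("" if none)
    created: float
    status: str = "pending"    # pending | completed | denied | expired
    subject: Optional[str] = None  # identifier the out-of-band step actually proved


class IdGatewayTokenEndpoint:
    """Simulated token endpoint extended for server-initiated authentication."""

    def __init__(self, clients: Dict[str, str], now: Callable[[], float] = time.time):
        self.clients = clients            # client_id -> client_secret (constructed sample)
        self.requests: Dict[str, AuthRequest] = {}
        self.now = now                    # injectable clock so expiry can be tested

    def start(self, client_id: str, secret: str, scope: str, login_hint: str) -> dict:
        """RP -> gateway: server-to-server request that kicks off out-of-band auth."""
        if self.clients.get(client_id) != secret:
            return {"error": "invalid_client"}
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(32)   # unguessable handle for polling
        self.requests[auth_req_id] = AuthRequest(client_id, scope, login_hint, self.now())
        return {"auth_req_id": auth_req_id, "expires_in": REQUEST_TTL}

    def out_of_band_result(self, auth_req_id: str, subject: str, approved: bool) -> None:
        """Result delivered by the gateway's own authenticator (simulated here)."""
        req = self.requests[auth_req_id]
        req.status = "completed" if approved else "denied"
        req.subject = subject

    def poll(self, client_id: str, secret: str, auth_req_id: str) -> dict:
        """RP -> gateway: poll until tokens are available or the request fails."""
        if self.clients.get(client_id) != secret:
            return {"error": "invalid_client"}
        req = self.requests.get(auth_req_id)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}       # unknown, consumed, or another RP's
        if self.now() - req.created > REQUEST_TTL:
            req.status = "expired"
            return {"error": "expired_token"}
        if req.status == "pending":
            return {"error": "authorization_pending"}
        if req.status == "denied":
            return {"error": "access_denied"}
        # Second-factor binding: the user proven out of band must be the one the RP
        # asked for, otherwise any consenting subscriber could satisfy the request.
        if req.login_hint and req.subject != req.login_hint:
            req.status = "denied"
            return {"error": "access_denied"}
        del self.requests[auth_req_id]              # single use: no replay of the handle
        return {"token_type": "Bearer", "id_token_sub": req.subject}


def simulate(login_hint: str, proven_subject: str, approved: bool) -> List[dict]:
    """Call-centre style run on a fake clock; returns the three poll responses seen."""
    clock = [1000.0]
    gw = IdGatewayTokenEndpoint({"callcenter-rp": "s3cret"}, now=lambda: clock[0])
    rid = gw.start("callcenter-rp", "s3cret", "openid phone", login_hint)["auth_req_id"]
    out = [gw.poll("callcenter-rp", "s3cret", rid)]       # user has not acted yet
    clock[0] += 10
    gw.out_of_band_result(rid, proven_subject, approved)  # authenticator reports back
    out.append(gw.poll("callcenter-rp", "s3cret", rid))   # should now carry the result
    out.append(gw.poll("callcenter-rp", "s3cret", rid))   # re-use of a consumed handle
    return out


if __name__ == "__main__":
    for r in simulate("+4915112345678", "+4915112345678", True):
        print(r)
```

`simulate` covers the happy path; the mismatch and denial cases fall out of the same `poll` logic, and the injected clock lets expiry be exercised without sleeping.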

Comments (7)

  1. Torsten Lodderstedt reporter

    Gonzalo volunteered to lead the topic. Florian agreed to work on the topic as well.

    Goal: draft by end of July
