openid / mobile / issues / #55 - CIBA signed result objects? — Bitbucket

Issue #55 resolved

Axel Nennker created an issue 2017-05-26

Should we - at least - recommend that the OP signs the authentication result object? Here: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#successful_authentication_request_acknowdlegment

and here: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token

Comments (3)

Axel Nennker reporter
- changed component to CIBA
- 2017-06-15T09:47:39+00:00
Axel Nennker reporter
- assigned issue to
- 2017-06-15T09:48:12+00:00
Brian Campbell
- changed status to resolved
In the push mode the ID Token is signed and has the authn request id and hashes of the AT and RT that ties it all together. Other results are in HTTPS responses from the server which is server authentication TLS. ~~#127~~ has some more explanation.
- 2018-12-13T23:30:27+00:00
Log in to comment

Assignee: Axel Nennker

Type: bug

Priority: major

Status: resolved

Component: CIBA

Milestone: –

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!