CIBA error response inconsistent from the Backchannel Authentication Endpoint

Issue #68 resolved
Brian Campbell created an issue

In two places in the Authentication Request Validation section of CIBA, there is text that says the OpenID Provider MUST return error response per Section 3.1.2.6 of [OpenID.Core]. However, Section 3.1.2.6 of OpenID.Core defines returning errors to the client by redirecting the browser to the client's redirect_uri. When one reads this literally (and that happens with specs!), the MUST there is rather nonsensical because the CIBA Authentication Request is a direct HTTP POST from the client to the OP/AS.

Those two occurrences should probably be updated to point to the Authentication Error Response section in CIBA (§11 in bitbucket / §6.5 in the published version) that better defines errors from the Backchannel Authentication Endpoint. I rather suspect that's the intent of the draft and the problematic MUSTs are just an oversight.

http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001196.html
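To make the distinction in the issue concrete, here is an added client-side check (example code, not part of the issue or of any CIBA implementation) that classifies what comes back from a Backchannel Authentication Endpoint POST: a direct JSON error body is the form the CIBA Authentication Error Response section describes, while a 3xx redirect carrying `error=` in the query is the OpenID.Core 3.1.2.6 form that makes no sense for a direct POST. The error code set and the `auth_req_id`/`expires_in` success fields are assumed from the published CIBA Core spec; the sample responses are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Error codes the published CIBA Core spec lists for the Backchannel
# Authentication Endpoint (assumption: taken from the published text,
# not quoted on this issue page).
CIBA_ERROR_CODES = {
    "invalid_request", "invalid_scope", "expired_login_hint_token",
    "unknown_user_id", "unauthorized_client", "missing_user_code",
    "invalid_user_code", "invalid_binding_message", "invalid_client",
    "access_denied",
}


def classify_backchannel_response(status, headers, body):
    """Classify an HTTP response to a CIBA backchannel authentication POST.

    Returns (kind, detail):
      ("success", auth_req_id)   200 with JSON auth_req_id and expires_in
      ("error", error_code)      4xx with a direct JSON error body
      ("nonconforming", reason)  anything else, including the browser
                                 redirect form of OpenID.Core 3.1.2.6
    """
    if 300 <= status < 400 and "Location" in headers:
        # A redirect-style error belongs to the front-channel flow; the
        # client POSTed directly and has no browser to be redirected.
        qs = parse_qs(urlsplit(headers["Location"]).query)
        code = qs.get("error", [None])[0]
        return ("nonconforming", f"redirect with error={code}")
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return ("nonconforming", f"unexpected Content-Type {ctype!r}")
    try:
        data = json.loads(body)
    except ValueError:
        return ("nonconforming", "body is not valid JSON")
    if status == 200 and "auth_req_id" in data and "expires_in" in data:
        return ("success", data["auth_req_id"])
    if 400 <= status < 500 and data.get("error") in CIBA_ERROR_CODES:
        return ("error", data["error"])
    return ("nonconforming", f"status {status} with keys {sorted(data)}")


# Constructed sample responses (not taken from the page or any real OP).
SAMPLE_OK = (200, {"Content-Type": "application/json"},
             '{"auth_req_id":"1c266114-a1be-4252-8ad1-04986c5b9ac1",'
             '"expires_in":120,"interval":2}')
SAMPLE_ERROR = (400, {"Content-Type": "application/json"},
                '{"error":"unknown_user_id","error_description":"no such user"}')
SAMPLE_REDIRECT = (302, {"Location": "https://client.example/cb?error=invalid_request"}, "")
```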
