clarify the "credentials" notion in CIBA workflow authentication #78
Comments
|
Hi @sebdewet, If it is not clear, we can agree to add further clarification in the documentation, no problem. I understand you are referring to the part of the flow highlighted in red below: 
"Credentials" refers to the client_id and secret of the final application requesting access to the data. These credentials are those created on the Operator side when the corresponding application is onboarded. As stated in https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1 -> "The Client MUST authenticate to the Backchannel Authentication Endpoint using the authentication method registered for its client_id, such as the authentication methods from Section 9 of [OpenID.Core] or authentication methods defined by extension in other specifications." And HTTP Basic Authentication is one of the options documented for Client Authentication in OpenID Core specification: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication The CIBA flow explanation in the CAMARA documentation also explains the following, but if it is not clear enough, we can improve the documentation: 
Please note the "final application" remark, because in the case of Open Gateway for example, if there is an aggregator in between, the aggregator will use the application credentials to obtain the access_token. |
|
@sebdewet Just to clarify, in the end the flow is OpenId standard and for example |
|
Hi, I agree with the fact that "The Client MUST authenticate to the Backchannel Authentication Endpoint using the authentication method registered for its client_id" I just want to know if we allow several methods, like client_id/client_secret or for example use a mutual TLS with only the client_id, or a jwt containing the client_id ? That's what I want to clarify. another point I wanted to talk about, is if we allow only the usage of login_hint, or if it's possible to use login_hint_token or sorry for the delay. regards. |
|
CIBA is requesting that the client is authenticated and that the authentication is the one that is defined for it. If we/Camara think this is too open, then I see no problem in specifying a binding in Camara e.g. that client_secret_basic and client_secret_jwt MUST be implemented by all, and that client_secret_jwt is recommended, and that "none" MUST not be used. There SHOULD be only one authentication method for one client. If e.g. client_secret_basic is configured for that client, then if a client_secret_jwt is received it MUST be rejected and the receiver MUST not even try to validate HMAC SHA-256. |
|
We could also look at the OIDF FAPI CIBA certification program and recommend Camara OPs be certified |
|
As per last WG call (29/11) discussion, CAMARA participants tend to agree that there should be an OIDC profile where these developer-oriented implementation details are written down in black and white. But it is still not resolved where to put it. This is also related to issue #82. |
|
As discussed in 17/01/2024 WG meeting call, as the way forward agreed, Telefónica will contribute to CAMARA with a first draft of the OIDC profile. |
|
Added PR with a first draft of OIDC profile. |
Problem description
the value "credentials" in the CIBA workflow authentication isn't clear
Expected action
Define clearly what is expected in the notion "credentials" (basic auth, client_id, token etc.)
Additional context
in the openid standard documentation, credentials are defined with the notion of client_notification_token.
In the Orange implementation, only client_id is used.
The text was updated successfully, but these errors were encountered: