camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0

Clarify on the need of optional claims in CIBA Client Authentication request. #132

Closed shilpa-padgaonkar closed 1 month ago

shilpa-padgaonkar commented 4 months ago

Problem description

The client authentication request section in CIBA specs documents alongside the "REQUIRED" claims also certain "OPTIONAL" claims. It would be useful to get an agreement in Camara if we need to make any of these optional claims mandatory and extend this information in PR#121. Based on current requirements, if we don't need to use any of these optional claims, we could also document this agreement (as we have done currently for acr_values).

Expected action

Agree whether we need to support any of the below-said optional claims for the CIBA authentication request and document the agreement in the profile doc.

Additional context

AxelNennker commented 3 months ago

Please review https://github.com/camaraproject/IdentityAndConsentManagement/pull/121/commits/4184e241e53195b393e06f5a773835af118da84a

shilpa-padgaonkar commented 3 months ago

text LGTM

garciasolero commented 3 months ago

@AxelNennker,

We think this is not the best strategy for optional parameters in the standard and Camara does not mandate their implementation. Returning invalid_request errors conflicts with existing solutions that fully implement the CIBA standard and coexist with contexts other than Camara's. If an operator does not support these parameters, it should ignore them according to CIBA specification, rather than forcing authservers that do support them to return an error.

OpenID Providers MUST ignore unrecognized request parameters.

This approach would be consistent with what is already defined in the proposed profile, where it is suggested that the acr_values parameter should be ignored.

Another consideration is that when a client sends these parameters, the behaviour of the flow is unspecified; it will depend on whether it is implemented or not by the operator.
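The two strategies debated in this thread, as an added example (not code from the CAMARA project or from any commenter): a minimal validator for the CIBA backchannel authentication request that enforces the REQUIRED parameters (scope with openid, exactly one login hint), ignores both unrecognized parameters (which the CIBA spec says an OP MUST ignore) and optional parameters the operator has chosen not to implement (the "SHOULD ignore" approach, consistent with the acr_values text), and can be switched to the rejected strategy of returning invalid_request for comparison. The set of unsupported optional parameters, the error-code strings and the sample request values are assumptions constructed for the example; the issue does not name the three unimplemented parameters.

```python
from dataclasses import dataclass, field
from typing import Optional

# Parameters the CIBA core spec defines for the backchannel authentication
# request: scope is REQUIRED, exactly one of the hints is REQUIRED, the rest
# are OPTIONAL.
CIBA_HINTS = ("login_hint", "login_hint_token", "id_token_hint")
CIBA_OPTIONAL = frozenset({
    "client_notification_token", "acr_values", "binding_message",
    "user_code", "requested_expiry",
})

# Optional parameters this hypothetical operator does not implement.
# ASSUMPTION for the example: the issue only states that acr_values is
# already ignored and that some further optional parameters are unimplemented.
UNSUPPORTED_OPTIONAL = frozenset({"acr_values", "user_code", "requested_expiry"})


@dataclass
class ValidationResult:
    ok: bool
    error: Optional[str] = None            # OAuth error code, e.g. "invalid_request"
    accepted: dict = field(default_factory=dict)   # parameters the OP will act on
    ignored: list = field(default_factory=list)    # parameters silently dropped


def validate_bc_auth_request(params: dict, reject_unsupported: bool = False) -> ValidationResult:
    """Validate a CIBA backchannel authentication request body.

    reject_unsupported=False models the profile text agreed in this issue
    (unsupported optional parameters SHOULD be ignored).
    reject_unsupported=True models the rejected alternative (return
    invalid_request when an unsupported optional parameter is present).
    Unrecognized parameters are ignored in both modes, as the spec requires.
    """
    accepted = {}
    ignored = []

    # REQUIRED: scope must be present and must contain "openid".
    scope = params.get("scope", "")
    if "openid" not in scope.split():
        return ValidationResult(False, "invalid_request")
    accepted["scope"] = scope

    # REQUIRED: exactly one login hint; none or several is an error.
    hints = [h for h in CIBA_HINTS if h in params]
    if len(hints) != 1:
        return ValidationResult(False, "invalid_request")
    accepted[hints[0]] = params[hints[0]]

    for name, value in params.items():
        if name == "scope" or name in CIBA_HINTS:
            continue
        if name in UNSUPPORTED_OPTIONAL:
            if reject_unsupported:
                return ValidationResult(False, "invalid_request")
            ignored.append(name)
        elif name in CIBA_OPTIONAL:
            accepted[name] = value
        else:
            # Unrecognized request parameter: MUST be ignored, never rejected.
            ignored.append(name)
    return ValidationResult(True, None, accepted, ignored)


# Constructed sample request (values are placeholders, not real data).
SAMPLE_REQUEST = {
    "scope": "openid dpv:FraudPreventionAndDetection number-verification",
    "login_hint": "tel:+00000000000",
    "acr_values": "2",            # unsupported here, so ignored
    "requested_expiry": "120",    # unsupported here, so ignored
    "binding_message": "ABC-123", # supported optional parameter, kept
    "x_vendor_ext": "1",          # unrecognized parameter, ignored per spec
}


def demo(reject_unsupported: bool = False) -> ValidationResult:
    """Run the sample request through the validator in the chosen mode."""
    return validate_bc_auth_request(SAMPLE_REQUEST, reject_unsupported)


if __name__ == "__main__":
    print("ignore strategy:", demo())
    print("reject strategy:", demo(reject_unsupported=True))
```

The point the example makes concrete: in ignore mode the same request succeeds at every operator and only the parameters the operator implements affect the flow, whereas in reject mode a fully CIBA-compliant client that legitimately sends binding_message or requested_expiry for other contexts would be turned away with invalid_request by operators that merely do not implement them.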

AxelNennker commented 3 months ago

I am OK with ignoring them. Should we even mention them? Somebody (@eric-murray ?) asked that we clarify the behaviour for optional parameters and somebody (else) said that these three are not implemented in the "current" implementations.

Mention the ignoring, or remove that section again?

shilpa-padgaonkar commented 3 months ago

@AxelNennker IMHO we could mention the ignoring. This will be then consistent with the acr_values parameter text.

AxelNennker commented 3 months ago

Changed the text to SHOULD ignore