Closed shilpa-padgaonkar closed 1 month ago
text LGTM
@AxelNennker,
We think this is not the best strategy for optional parameters in the standard, and Camara does not mandate their implementation. Returning invalid_request errors conflicts with existing solutions that fully implement the CIBA standard and coexist with contexts other than Camara's. If an operator does not support these parameters, it should ignore them according to the CIBA specification, rather than forcing authservers that do support them to return an error.
OpenID Providers MUST ignore unrecognized request parameters.
This approach would be consistent with what is already defined in the proposed profile, where it is suggested that the acr_values parameter should be ignored.
Another consideration is that when a client sends these parameters, the behaviour of the flow is unspecified: it will depend on whether it is implemented or not by the operator.
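The point made above, "ignore what you do not implement, reject only what is malformed", is easy to get wrong in an authorization server, so here is a small model of the backchannel authentication request validation that contrasts the two policies. This is an added example, not code from the CAMARA profile or from any operator's implementation: the function name validate_request, the policy names "ignore" and "reject", and the SAMPLE_BODY request are assumptions made for illustration. The parameter names come from CIBA Core section 7.1; the hint and scope values in the sample are constructed.

```python
"""Model of CIBA backchannel authentication request validation, comparing the
policy the thread settled on (ignore optional parameters the OP does not
implement) with the rejected alternative (answer them with invalid_request).
Added example; names below are assumptions, not the CAMARA profile's API."""
from urllib.parse import parse_qs

# Parameters defined by CIBA Core section 7.1 for the backchannel request.
HINT_PARAMS = ("login_hint", "login_hint_token", "id_token_hint")
OPTIONAL_PARAMS = {"acr_values", "binding_message", "user_code",
                   "requested_expiry", "client_notification_token"}


def _error(code, description):
    # Shaped like the OAuth/CIBA JSON error response body.
    return {"ok": False, "error": code, "error_description": description}


def validate_request(body, supported_optional=frozenset(), policy="ignore"):
    """Validate an application/x-www-form-urlencoded CIBA request body.

    supported_optional: optional parameters this OP actually implements.
    policy: "ignore" drops unimplemented optional parameters (CIBA: OPs MUST
            ignore unrecognized request parameters); "reject" answers them
            with invalid_request, the alternative argued against above.
    Returns {"ok": True, "params": ..., "ignored": [...]} or an error dict.
    """
    raw = parse_qs(body, keep_blank_values=True)
    dup = [k for k, v in raw.items() if len(v) > 1]
    if dup:  # OAuth 2.0 forbids repeating a parameter; this is malformed input
        return _error("invalid_request", "parameter repeated: " + ", ".join(sorted(dup)))
    params = {k: v[0] for k, v in raw.items()}

    # scope is REQUIRED and must contain openid.
    scope = params.get("scope")
    if scope is None:
        return _error("invalid_request", "scope is required")
    if "openid" not in scope.split():
        return _error("invalid_scope", "scope must include openid")

    # Exactly one user-identity hint is REQUIRED.
    hints = [h for h in HINT_PARAMS if h in params]
    if len(hints) != 1:
        return _error("invalid_request",
                      "exactly one of %s is required" % ", ".join(HINT_PARAMS))

    accepted = {"scope": scope, hints[0]: params[hints[0]]}
    ignored = []
    for name, value in params.items():
        if name in accepted:
            continue
        if name not in OPTIONAL_PARAMS:
            ignored.append(name)  # unrecognized: always ignored per the spec
        elif name not in supported_optional:
            if policy == "reject":
                return _error("invalid_request", "%s is not supported" % name)
            ignored.append(name)  # recognized by CIBA but not implemented here
        elif name == "requested_expiry":
            # When implemented, requested_expiry is a positive integer (seconds).
            if not value.isdigit() or int(value) <= 0:
                return _error("invalid_request",
                              "requested_expiry must be a positive integer")
            accepted[name] = int(value)
        else:
            accepted[name] = value
    return {"ok": True, "params": accepted, "ignored": sorted(ignored)}


# Constructed sample: a client sends binding_message plus an unknown parameter.
SAMPLE_BODY = ("scope=openid+number-verification&login_hint=tel%3A%2B34600000000"
               "&binding_message=Confirm+123&foo=bar")

if __name__ == "__main__":
    for pol in ("ignore", "reject"):
        print(pol, validate_request(SAMPLE_BODY, supported_optional=set(), policy=pol))
    print("supported", validate_request(SAMPLE_BODY, supported_optional={"binding_message"}))
```

Running the block shows the difference the comment describes: with the "ignore" policy an operator that does not implement binding_message still serves the request, while the "reject" policy turns the same request from a conforming CIBA client into an invalid_request error. Only genuinely malformed input (a repeated parameter, a missing or openid-less scope, zero or two hints, a non-numeric requested_expiry where it is implemented) is rejected under either policy.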
I am OK with ignoring them. Should we even mention them? Somebody (@eric-murray ?) asked that we clarify the behaviour for optional parameters and somebody (else) said that these three are not implemented in the "current" implementations.
Mention the ignoring, or remove that section again?
@AxelNennker IMHO we could mention the ignoring. This will then be consistent with the acr_values parameter text.
Changed the text to SHOULD ignore
Problem description
The client authentication request section in the CIBA specs documents, alongside the "REQUIRED" claims, also certain "OPTIONAL" claims. It would be useful to get an agreement in Camara on whether we need to make any of these optional claims mandatory and extend this information in PR#121. Based on current requirements, if we don't need to use any of these optional claims, we could also document this agreement (as we have done currently for acr_values).
Expected action
Agree whether we need to support any of the below-said optional claims for the CIBA authentication request and document the agreement in the profile doc.
Additional context