Open mhfoo opened 1 day ago
@mhfoo This is a working group, I think the expected action shouldn't be "Clarification from @jpengar @AxelNennker" 😅
> The signed request object is part of the OpenID Connect specifications, under section 6 Passing Request Parameters as JWTs, and operators have the option to implement a signed request object for the authorization code flow as part of their security posture requirements.
> In the CAMARA Fall24 meta-release, ICM r0.2.0, there are no explicit statements that mention that signed request objects are not allowed for the authorization code flow.
The issue you report is related to https://github.com/camaraproject/IdentityAndConsentManagement/issues/194, which discusses pretty much the same thing. Please take a look there (auth code is also mentioned in the discussion, not just CIBA). If https://github.com/camaraproject/IdentityAndConsentManagement/issues/194 is enough, I would suggest not having more than one issue for the same topic, or parallel discussions in more than one issue. Maybe we can close this one and finish the discussion of this signed request topic there.
Problem description
Referring to ICM Issue 128 and the 2024-06-19 ICM Minutes:
The agreement was not to make the signed request object a mandatory requirement for the authorization code flow in the CAMARA Fall24 meta-release.
The signed request object is part of the OpenID Connect specifications, under section 6 Passing Request Parameters as JWTs, and operators have the option to implement a signed request object for the authorization code flow as part of their security posture requirements.
In the CAMARA Fall24 meta-release, ICM r0.2.0, there are no explicit statements that mention that signed request objects are not allowed for the authorization code flow.
Context: For number verification in the fraud prevention and detection use case, we do not prompt the end customer (of the mobile service) for consent when auth code flow is initiated; consent is obtained prior. Hence it is "silent authentication" using network authentication.
I would like to clarify that the above understanding is correct. Please advise.
Additional context To clarify certification by GSMA for the auth code flows.
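To make the OpenID Connect section 6 mechanism the issue refers to concrete, here is an added example (not code from the issue, from CAMARA ICM, or from any operator implementation) of a client signing its authorization-code-flow parameters as a request object and an authorization server verifying it, including the OIDC Core 6.1 rule that `response_type` and `client_id` must match between the query string and the JWT. The client id, secret, issuer and request parameters are constructed placeholders, and HS256 keyed with the client secret is used only so it runs with the standard library; a production deployment would typically use an asymmetric JWS algorithm and the client's registered keys.

```python
import base64, hashlib, hmac, json

# Constructed placeholders for the example; not values from the issue.
CLIENT_ID = "example-client"
CLIENT_SECRET = b"constructed-client-secret-for-demo"
ISSUER = "https://op.example.com"   # the authorization server (aud of the request object)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_request_object(params: dict, now: int) -> str:
    """Client side: sign the authorization request parameters as a JWT (OIDC Core 6.1).
    Symmetric signing keys the JWT with client_secret (OIDC Core 10.1)."""
    claims = dict(params, iss=CLIENT_ID, aud=ISSUER, iat=now, exp=now + 300)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_request_object(query: dict, now: int) -> dict:
    """Authorization-server side: check the signature, the lifetime, iss/aud, and the
    OIDC Core 6.1 requirement that response_type and client_id in the query string
    match the values inside the request object. Raises ValueError on any failure."""
    header_b64, body_b64, sig_b64 = query["request"].split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never honour 'none' or a downgraded alg
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != CLIENT_ID or claims.get("aud") != ISSUER:
        raise ValueError("wrong iss/aud")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("request object expired or not yet valid")
    for p in ("response_type", "client_id"):
        if claims.get(p) != query.get(p):
            raise ValueError(f"{p} mismatch between query string and request object")
    return claims
```

The server then uses the verified claims (not the bare query parameters) as the authorization request, which is what makes the signed form useful in a silent, network-authenticated auth code flow where the end user is not shown anything to cross-check.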