search

camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0
18 stars 30 forks source link

OIDC guidance (what needs to be adhered to?) #90

Closed ECORMAC closed 1 month ago

ECORMAC commented 7 months ago

Problem description In Number Verification we have adhered to the use of OIDC security scheme as per commonalities guidelines. However OIDC as per standard would also entail the use / delivery of identity tokens. In our case (Number Verification) we don't see the need for identity tokens (but see the need for Authorization code grant). Having checked with commonalities for some recommendation / principle that could be used to both adhere to OIDC but not use / implement identity tokens, they indicated that IdentityAndConsentManagement should be able to provide some guidance (that Number Verification and commonalities) can use.

Expected action Clarification on the directive to adhere to OIDC - what parts are mandatory, if all parts are not mandatory is for example a compliance statement necessary in each workgroup?

Additional context

jpengar commented 7 months ago

This issue is another good example of implementation topics being raised in different tracks (not only CAMARA, but also GSMA and others) that are not fully defined/closed. Like issue https://github.com/camaraproject/IdentityAndConsentManagement/issues/78 for example.

It points to the need (not yet met) for an Open Gateway profile/binding documenting what are the mandatory parameters in authorisation requests for Opengateway, what are the error codes and error scenarios, what is the supported client authentication, what are the supported login hint methods for CIBA, etc.

As discussed in the last WG call (29/11), CAMARA participants tend to agree that there should be an Open Gateway OIDC profile where these developer-oriented implementation details are written down in black and white. This profile is still undocumented, and it is still undecided where to place it (proposal is to place it at GSMA, considering this profile as an Opengateway profile, since CAMARA could be used outside the GSMA Opengateway context). But the information should be available for everyone to review and contribute.

And your contribution to this is more than welcome.

shilpa-padgaonkar commented 6 months ago

@ECORMAC : OIDF colleagues will be giving a presentation on 20th Dec (our next planned id-consent subproject call) to present how such conformance profiles were created in the context of FAPI. Please feel free to join the call.

jpengar commented 5 months ago

As discussed in 17/01/2024 WG meeting call, as the way forward agreed, Telefónica will contribute to CAMARA with a first draft of the OIDC profile.

ECORMAC commented 5 months ago

Thanks. Will the draft be published in this workgroup library?

jpengar commented 5 months ago

Thanks. Will the draft be published in this workgroup library?

Yes, it will.

garciasolero commented 5 months ago

Added PR with a first draft of OIDC profile.