Skip to content

Add reference to CIBA protocol in user confirmation section#137

Merged
PieterKas merged 4 commits into
mainfrom
PieterKas-patch-22
Jul 6, 2026
Merged

Add reference to CIBA protocol in user confirmation section#137
PieterKas merged 4 commits into
mainfrom
PieterKas-patch-22

Conversation

@PieterKas

Copy link
Copy Markdown
Owner

Clarify the use of CIBA protocol for user confirmation in OAuth authorization. See isssue #131

PieterKas added 3 commits June 5, 2026 18:18
Clarify the use of CIBA protocol for user confirmation in OAuth authorization.
Included reference to CIBA and updated co-author information.
@PieterKas PieterKas requested a review from bc-pi June 5, 2026 17:45
@PieterKas PieterKas requested a review from identitymonk June 29, 2026 11:28
Comment thread draft-klrc-aiagent-auth.md Outdated

## Human in the Loop
An OAuth authorization server MAY conclude that the level of access requested by an Agent requires explicit user confirmation. In such cases the authorization server SHOULD either decline the request or obtain additional authorization from the User. An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol. This triggers an out-of-band interaction allowing the user to approve or deny the requested operation without exposing credentials to the agent (for example a push notification requesting the user to approve a request through an authenticator application on their mobile device).
An OAuth authorization server MAY conclude that the level of access requested by an Agent requires explicit user confirmation. In such cases the authorization server SHOULD either decline the request or obtain additional authorization from the User. An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol ({{OpenIDConnect.CIBA}}). This triggers an out-of-band interaction allowing the user to approve or deny the requested operation without exposing credentials to the agent (for example a push notification requesting the user to approve a request through an authenticator application on their mobile device).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol

should be MAY

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one small edit @PieterKas not related to this change but should be handled by this change

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@identitymonk I am not sure we need a normative MAY here. Captialised MAYs are useful when there is optionality, and if the optionality becomes a conformance requirement. By using a capitalised MAY I don't think we change interoperability (it is still optional) and we don't change how you would implement CIBA (CIBA is filled with its own normative requirements). Givent he large number of proposals to use something other than CIBA, I am also unsure if we are in a position to mandate its use yet. I changed the langugage from may to can, in part to avoid misleading readers in the future into thinking the may could be interpreted as a MAY.

Comment thread draft-klrc-aiagent-auth.md Outdated
@PieterKas PieterKas merged commit 56ffb18 into main Jul 6, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants