Add reference to CIBA protocol in user confirmation section#137
Conversation
Clarify the use of CIBA protocol for user confirmation in OAuth authorization.
Included reference to CIBA and updated co-author information.
|
|
||
| ## Human in the Loop | ||
| An OAuth authorization server MAY conclude that the level of access requested by an Agent requires explicit user confirmation. In such cases the authorization server SHOULD either decline the request or obtain additional authorization from the User. An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol. This triggers an out-of-band interaction allowing the user to approve or deny the requested operation without exposing credentials to the agent (for example a push notification requesting the user to approve a request through an authenticator application on their mobile device). | ||
| An OAuth authorization server MAY conclude that the level of access requested by an Agent requires explicit user confirmation. In such cases the authorization server SHOULD either decline the request or obtain additional authorization from the User. An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol ({{OpenIDConnect.CIBA}}). This triggers an out-of-band interaction allowing the user to approve or deny the requested operation without exposing credentials to the agent (for example a push notification requesting the user to approve a request through an authenticator application on their mobile device). |
There was a problem hiding this comment.
An Agent, acting as an OAuth client, may use the OpenID Client Initiated Backchannel Authentication (CIBA) protocol
should be MAY
There was a problem hiding this comment.
one small edit @PieterKas not related to this change but should be handled by this change
There was a problem hiding this comment.
@identitymonk I am not sure we need a normative MAY here. Captialised MAYs are useful when there is optionality, and if the optionality becomes a conformance requirement. By using a capitalised MAY I don't think we change interoperability (it is still optional) and we don't change how you would implement CIBA (CIBA is filled with its own normative requirements). Givent he large number of proposals to use something other than CIBA, I am also unsure if we are in a position to mandate its use yet. I changed the langugage from may to can, in part to avoid misleading readers in the future into thinking the may could be interpreted as a MAY.
Clarify the use of CIBA protocol for user confirmation in OAuth authorization. See isssue #131