Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update CAMARA-ICM-examples.md with CIBA examples #237

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update CAMARA-ICM-examples.md with CIBA examples #237

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions documentation/CAMARA-ICM-examples.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,59 @@ login_hint=tel%3A%2B34666666666
```


#### Successful response
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that the previous /bc-authorize request is missing the 'client_assertion_type' and 'client_assertion' fields.


See [CIBA Successful Authentication Response](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.3)

```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
"auth_req_id": "3f7b2e8a-9cde-4f3b-8b12-1a2b3c4d5e6f",
"expires_in": 120,
"interval": 2
}
```
The Client MUST keep the auth_req_id in order to use when making a token request in Poll mode.
Expires_in and interval can differ
Comment on lines +110 to +111
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The Client MUST keep the auth_req_id in order to use when making a token request in Poll mode.
Expires_in and interval can differ
The Client MUST keep the `auth_req_id` in order to use it when making a token request in Poll mode.
Please note that the values for `expires_in` and `interval` may differ.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this note "Expires_in and interval can differ"? It is a strange ideas, to me, that both might be the same.
The example in CIBA means poll max for 120 seconds in a two seconds interval. What is the interpretation they are the same?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May differ from the ones in the example. I think that's what @sebdewet meant.

Copy link
Collaborator Author

@sebdewet sebdewet Dec 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly.
I can modify and specify this :

Expires_in and interval are not CAMARA Mandatory and can differ from the values above


#### Access token request

See [CIBA Token Request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.10.1)


```
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba&
auth_req_id=3f7b2e8a-9cde-4f3b-8b12-1a2b3c4d5e6f&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer&
client_assertion=eyJraWQiOiJzYW1wbGUxIiwibmFtZSI6IkV4YW1wbGUifQ.eyJpc3MiOiJ0ZXN0VXNlciIsInN1YiI6InRlc3RzdWJqZWN0IiwidXNlciI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tIiwianRpIjoiLV9wMTZqNkhjaVhvMzE3aHZaMzEyYyIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwfQ.abcD1234-56efG7hI8jK9lM0nPqRstUvwXYZ

```

#### Successful response

See [CIBA Successful Token Response](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.10.1.1)

```

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
"access_token": "G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN",
"token_type": "Bearer",
"refresh_token": "4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16",
"expires_in": 120,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE2NzcyNyJ9.eyJpc3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsInN1YiI6IjI0ODI4OTc2MTAwMiIsImF1ZCI6InM2QmhkUmtxdDMiLCJlbWFpbCI6Im1vY2tAZXhhbXBsZS5jb20iLCJleHAiOjE1Mzc4MTk4MDQsImlhdCI6MTUzNzgxOTUwNH0.bVq83mdy72ddIFVJLjlNBX-5JHbjmwK-Sn9Mir-blesfYMceIOw6u4GOrO_ZroDnnbJXNKWAg_dxVynvMHnk3uJc46feaRIL4zfHf6Anbf5_TbgMaVO8iczD16A5gNjSD7yenT5fslrrW-NU_vtmi0s1puoM4EmSaPXCR19vRJyWuStJiRHK5yc3BtBlQ2xwxH1iNP49rGAQe_LHfW1G74NY5DaPv-V23JXDNEIUTY-jT-NbbtNHAxnhNPyn8kcO2WOoeIwANO9BfLF1EFWtjGPPMj6kDVrikec47yK86HArGvsIIwk1uExynJIv_tgZGE0eZI7MtVb2UlCwDQrVlg"
}
Comment on lines +141 to +147
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe you may have overlooked the scope field. We may include an example analogous to the one in the /token response in the Auth Code Flow example for your reference.

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUz....",
  "scope": "dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date"
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Returning scopes is then advised if the OP sends scopes that are different to what was requested. I think otherwise the API consumer can assume that the access token covers the scopes requested.

Copy link
Collaborator Author

@sebdewet sebdewet Dec 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly, that’s why I didn’t specify the parameter "scope" in the example, but we can have two examples.

Copy link
Collaborator

@jpengar jpengar Dec 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. scope is OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. It may be beneficial to include this in the example for illustrative purposes (we did in Auth Code Flow example). Then If you would like to clarify further, it could be done below the example. However, this is not a critical issue. We can proceed in the manner you prefer.

```