Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Controlling User Interaction #228

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

AxelNennker
Copy link
Collaborator

@AxelNennker AxelNennker commented Nov 14, 2024

What type of PR is this?

Add one of the following kinds:

  • documentation

What this PR does / why we need it:

This PR repeats the CIBA and OIDC standards thus clarifying e.g. that prompt=none should be used if the API Consumer does not want user interaction.
User Interaction is controlled in OIDC by the authentication request parameter prompt which is mandatory to implement.

Update: removed fixes
This PR was created to clarify part of the sub-topics discussed in #215

Update: Please see #229

Copy link
Collaborator

@jpengar jpengar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO the PR content is not aligned with our conclusion proposal in #215 (comment).

  • It is up to the operator to make a decision when consent collection is needed or not,
    • based on the scope(s)/purpose declared by the API client and aligned with local legislation, ensuring that all operators under the same regulatory framework adopt a consistent approach.
  • Currently, CAMARA only considers network-based authentication in the Authorization Code Flow. Therefore, access tokens are issued for the network authenticated identifier.
  • CAMARA does not prevent the telco/MNO/API producer from using additional authentication methods as part of the in-band consent capture process when consent is needed.

I miss the second and third bullets. The information in the PR is fair, but generic, so I don't see how it fixes #215, which specifically refers to the authentication method in the auth code flow.

@AxelNennker
Copy link
Collaborator Author

This a two part PR please see #228 that hopefully leads to a consistent approach.

@jpengar
Copy link
Collaborator

jpengar commented Nov 14, 2024

This a two part PR please see #228 that hopefully leads to a consistent approach.

Sorry, I provided my review to this PR before PR #229 was created. At that time, there was no indication that it would be a two-part PR.

@jpengar
Copy link
Collaborator

jpengar commented Nov 15, 2024

While I am generally in agreement with the information provided in this PR, I believe that this particular data does not address the issue raised in #215 or clarify the core problem being discussed in that thread. This provides additional clarification on user consent capture and prompt parameters usage. We may agree to include this clarification with specific wording in this PR, but I believe PR #229 is the most suitable for providing the required clarification on the Auth code flow and auth method for CAMARA, including the suggested conclusion in the profile document.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants