Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Controlling User Interaction #228

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Controlling User Interaction #228

wants to merge 7 commits into from

Conversation

AxelNennker
Copy link
Collaborator

@AxelNennker AxelNennker commented Nov 14, 2024
edited
Loading

What type of PR is this?

Add one of the following kinds:

  • documentation

What this PR does / why we need it:

This PR repeats the CIBA and OIDC standards thus clarifying e.g. that prompt=none should be used if the API Consumer does not want user interaction.
User Interaction is controlled in OIDC by the authentication request parameter prompt which is mandatory to implement.

Update: removed fixes
This PR was created to clarify part of the sub-topics discussed in #215

Update: Please see #229

jpengar
jpengar requested changes Nov 14, 2024
View reviewed changes
Copy link
Collaborator

@jpengar jpengar left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO the PR content is not aligned with our conclusion proposal in #215 (comment).

  • It is up to the operator to make a decision when consent collection is needed or not,
    • based on the scope(s)/purpose declared by the API client and aligned with local legislation, ensuring that all operators under the same regulatory framework adopt a consistent approach.
  • Currently, CAMARA only considers network-based authentication in the Authorization Code Flow. Therefore, access tokens are issued for the network authenticated identifier.
  • CAMARA does not prevent the telco/MNO/API producer from using additional authentication methods as part of the in-band consent capture process when consent is needed.

I miss the second and third bullets. The information in the PR is fair, but generic, so I don't see how it fixes #215, which specifically refers to the authentication method in the auth code flow.

@AxelNennker
Copy link
Collaborator Author

This a two part PR please see #228 that hopefully leads to a consistent approach.

@AxelNennker AxelNennker mentioned this pull request Nov 14, 2024
Open
@jpengar
Copy link
Collaborator

jpengar commented Nov 14, 2024

This a two part PR please see #228 that hopefully leads to a consistent approach.

Sorry, I provided my review to this PR before PR #229 was created. At that time, there was no indication that it would be a two-part PR.

@jpengar
Copy link
Collaborator

jpengar commented Nov 15, 2024

While I am generally in agreement with the information provided in this PR, I believe that this particular data does not address the issue raised in #215 or clarify the core problem being discussed in that thread. This provides additional clarification on user consent capture and prompt parameters usage. We may agree to include this clarification with specific wording in this PR, but I believe PR #229 is the most suitable for providing the required clarification on the Auth code flow and auth method for CAMARA, including the suggested conclusion in the profile document.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eric-murray eric-murray eric-murray left review comments

@jpengar jpengar jpengar requested changes

@sebdewet sebdewet Awaiting requested review from sebdewet sebdewet is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AxelNennker @jpengar @eric-murray