Use of eKYC-IDA spec with CIBA/FAPI-CIBA

[bitbucket-import-issues]

Originally submitted by Bjorn Hjelm (Bjorn Hjelm) on 2022-10-26

This is a replica of eKYC-IDA issue #1321 as part of transitioning the issue to the MODRNA WG.

The CIBA spec & identity assurance specs don’t currently work together - the identity assurance defines extra members for the ‘claims’ request parameter defined in OpenID Connect Core, but CIBA doesn’t have the claims request parameter so there’s currently no way to request verified_claims using CIBA. There probably should be. [Technically requesting verified claims via scopes as per https://openid.bitbucket.io/ekyc/openid-connect-4-identity-assurance.html#section-6.6 still works, but you lose the full expressivity of the ida requests.]

Nat initially suggested to my colleagues that this could perhaps be solved somehow in the FAPI-CIBA spec, but when it was raised with the FAPI WG ( https://bitbucket.org/openid/fapi/issues/540/use-of-ekyc-ida-spec-with-ciba-fapi-ciba ) it was suggested it was looked at by the ekyc working group instead.

Note that the same problem likely affects using the “advanced syntax for claims” spec with CIBA too.

---

Bitbucket status: new

Bitbucket origin: issue 210

[bitbucket-import-issues]

Originally submitted by Takahiko Kawasaki (Takahiko Kawasaki) on 2022-11-02

There is an opinion that the claims request parameter defined in OpenID Connect Core 1.0 Section 5.5 is too much for the purpose of realizing CIBA+IDA. I agreed on the opinion in the past, but recently, I noticed that “OAuth 2.0 Step-up Authentication Challenge Protocol” and “OpenID Connect Core Error Code unmet_authentication_requirements” also need the claims request parameter in order to request the acr claim as an essential claim. The acr_values request parameter (OIDC Core) and the default_acr_values client metadata (OIDC DynReg) can be used to specify a list of ACRs, but they cannot request the acr claim as essential. The claims request parameter is the only way to request claims as essential.

That the backchannel authentication does not recognize the claims request parameter means that not only IDA but also Step-up Authentication & unmet_authentication_requirements won’t work with CIBA.

[bitbucket-import-issues]

Originally submitted by Takahiko Kawasaki (Takahiko Kawasaki) on 2022-11-09

After conversation with an author of OAuth 2.0 Step-up Authentication Challenge Protocol, I learned that the specification intentionally avoids using the claims request parameter and instead recommends that authorization server implementations treat ACRs specified by the acr_values request parameter as essential. Therefore, OAuth 2.0 Step-up Authentication Challenge Protocol does not have to be taken into consideration here in this issue. Sorry for having brought up the complex topic.

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2023-01-17

If I remember correctly, Dima noted that an Australia ecosystem is making using of OpenID identity claims requested via the claims parameter, and are also considering adopting CIBA, which presents the same problem as using the full eKYC-IDA spec.

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2023-02-01

We discussed this on yesterday’s modrna call and the conclusion was for the working group to create a new spec that extends CIBA to add the claims parameter. If there’s no objections, at the next working group call we should talk about how that happens (e.g. who will actually write the spec).

[bitbucket-import-issues]

Originally submitted by Bjorn Hjelm (Bjorn Hjelm) on 2023-02-14

Since no objections against moving forward with extending CIBA was raised by any working group member, it was agreed on today’s MODRNA working group call to move forward with a new spec. extending CIBA.

[bitbucket-import-issues]

Originally submitted by Dima Postnikov (Dima Postnikov) on 2025-11-11

Hi @{5c59d434adc28b6e6e970268} has there been any progress on this extension? Or we still need to create the spec?