Should all login_hint formats be supported by an implementation? #227

Open
trehman-gsma opened this issue Nov 12, 2024 · 3 comments
Labels
documentation Improvements or additions to documentation question Further information is requested

Comments

@trehman-gsma
Collaborator

trehman-gsma commented Nov 12, 2024

Problem description
Seeking clarification on the extent of format support that is required within CIBA.

The Security and Interoperability Profile currently has 3 login_hint formats:

  • Is it mandatory for an API implementation to support all login_hint formats? For example, a SimSwap implementation may not find value in supporting ipport.

  • If not mandatory, what is the expected response when an unsupported login_hint is passed in?

Expected action
Clarification in documentation.

@trehman-gsma trehman-gsma added the documentation Improvements or additions to documentation label Nov 12, 2024
@eric-murray
Collaborator

Hi @trehman-gsma

I think we have to accept that not all implementations will be able to support all login_hint options. For example, Vodafone currently do not support operator tokens, so any API consumers using login_hint="operatortoken:..." get a guaranteed error from us. More practically, not all of our markets currently support IP/port to MSISDN look-up, so we cannot accept login_hint="ipport:..." in some countries.

As for the error, that is unknown_user_id.

@garciasolero
Contributor

I'm not sure that the unknown_user_id error is the most appropriate in this case, as it would not distinguish it from the scenario where a user does not belong to the operator, and the application could keep making requests with the same login_hint prefix indefinitely. In my opinion it would be better to return invalid_request.

@jpengar jpengar added the question Further information is requested label Nov 28, 2024
@trehman-gsma
Collaborator Author

trehman-gsma commented Dec 4, 2024

During the last ICM meeting, I explained the background context of this issue (GSMA are in comms with operators interested in deploying a CIBA-based implementation). During the discussion, there was a question about why an Operator might not support IP-port. Here is the response I received when I passed along the question:

  1. The consumer of an API may not know the IP address and port number of the mobile device, as this is a CIBA flow which assumes that the Authentication Device is not the same device as the one the client application is resident on, although it may be.
  2. Assuming the API consumer does know the IP and port number, then it requires that the mobile network operator can resolve the public mobile IP address to the MSISDN of the device that has that IP address assigned. This specific feature has to be enabled on the mobile gateway and is also an overhead.
  3. Using the IP address as a login hint is unique to network providers and is not generally used as a hint.
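
The two error proposals in this thread can be compared with a small login_hint gate. This is an added example, not code from any participant or from the project. The `tel` prefix, the subscriber data, the function names and the choice of `invalid_request` for malformed hints are assumptions.

```python
"""Added example: login_hint format gate for a CIBA authentication request."""

# "ipport" and "operatortoken" are quoted in the thread; "tel" is an
# assumption, since the thread does not name the third format.
KNOWN_FORMATS = frozenset({"tel", "ipport", "operatortoken"})

# Constructed sample data: subscribers this hypothetical operator can resolve.
SUBSCRIBERS = frozenset({("tel", "+34600000001")})


def check_login_hint(login_hint, supported, unsupported_error):
    """Return None if the hint is accepted, otherwise a CIBA error code.

    supported         -- formats enabled in this deployment
    unsupported_error -- code returned for a well-formed hint whose format is
                         not enabled here: "unknown_user_id" or
                         "invalid_request", the two options from the thread
    """
    prefix, sep, value = login_hint.partition(":")
    if not sep or not value or prefix not in KNOWN_FORMATS:
        # Assumption: a hint with no recognisable prefix is a malformed request.
        return "invalid_request"
    if prefix not in supported:
        return unsupported_error      # recognised format, disabled here
    if (prefix, value) not in SUBSCRIBERS:
        return "unknown_user_id"      # format accepted, user not resolvable
    return None


def client_can_distinguish(unsupported_error):
    """True if 'format disabled' and 'user unknown' produce different errors."""
    supported = {"tel"}               # e.g. a market without IP/port look-up
    disabled = check_login_hint("ipport:192.0.2.10:59765", supported,
                                unsupported_error)
    unknown = check_login_hint("tel:+34600000099", supported,
                               unsupported_error)
    return disabled != unknown


if __name__ == "__main__":
    for policy in ("unknown_user_id", "invalid_request"):
        print(policy, "-> client can tell the cases apart:",
              client_can_distinguish(policy))
```
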
