
MODRNA Group, CIBA was discussed on the UMA WG call today. Eve has been working on a compare/contrast analysis between UMA and CIBA. And this discussion got me thinking a little more... One point from Justin Richer was that you are sending tokens back to the Client Notification Endpoint. This is risky, as you are trusting DNS. UMA makes the client authenticate at the token endpoint to obtain the tokens. Pushing tokens was discussed and dismissed as lacking security. I'm surprised the Open Banking group was ok with this. I also wonder if the response from the bc_authorize should include an id_token--I think it should be some other signed JWT assertion (with many of the claims present in an id_token). It seems weird to me to return an id_token to a client when the subject is not the person connected to the user agent. IMHO, CIBA could be accomplished using UMA as the security mechanism, with bc_authorize as the RS (protected endpoint on the OP). Its request and response would be defined much as you did. If you are starting from scratch, is it easier to implement CIBA with UMA for security, or CIBA plus it's one-off security model? Personally, I think UMA would be cheaper because we'd get more re-use. If I get some time in the next week, I'll try to write up a draft of CIBA using UMA. HEART also uses UMA, so it's not unheard of for an OpenID WG to use it as part of a solution. I know everyone wants to ship ASAP, so it's probably too late to bring this stuff up. - Mike
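The two delivery patterns being contrasted in the message above, as an added example in Python (not code from the post, the MODRNA working group, or any CIBA/UMA implementation): in push mode the OP mints the tokens after the user consents and sends them to whatever host the client's registered Client Notification Endpoint names, so a lookup that resolves that name to the wrong party hands the tokens over; in poll mode the tokens stay at the OP until a client presents its credentials at the token endpoint, which is the UMA-style "authenticate to obtain the tokens" behaviour Mike prefers. Parameter names follow the CIBA spec (auth_req_id, client_notification_token, grant type urn:openid:params:grant-type:ciba); the in-memory OP, the `resolver` callback standing in for DNS, and all client ids and secrets are constructed for illustration.

```python
"""Toy CIBA OP contrasting push delivery with poll-at-token-endpoint.

Added illustration; not the post's or any specification's reference code.
The `resolver` callable plays the role of DNS: it maps the registered
notification URL to the inbox that will actually receive the tokens.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


@dataclass
class Client:
    client_id: str
    client_secret: str
    notification_endpoint: Optional[str] = None   # registered URL, push mode only
    inbox: List[dict] = field(default_factory=list)  # what that endpoint received


@dataclass
class PendingRequest:
    client_id: str
    mode: str                                   # "push" or "poll"
    notification_token: Optional[str] = None    # bearer the OP presents on push
    tokens: Optional[dict] = None               # minted after consent (poll mode)


class OPError(Exception):
    """Carries an OAuth-style error code such as invalid_client."""


class OP:
    def __init__(self, clients: List[Client], resolver: Callable[[str], List[dict]]):
        self.clients = {c.client_id: c for c in clients}
        self.resolver = resolver
        self.pending: Dict[str, PendingRequest] = {}

    def _authenticate(self, client_id: str, client_secret: str) -> Client:
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise OPError("invalid_client")
        return client

    def bc_authorize(self, client_id: str, client_secret: str, mode: str,
                     client_notification_token: Optional[str] = None) -> dict:
        # Backchannel authentication request; client authenticates here in both modes.
        self._authenticate(client_id, client_secret)
        if mode == "push" and client_notification_token is None:
            raise OPError("invalid_request")
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = PendingRequest(client_id, mode, client_notification_token)
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_consents(self, auth_req_id: str) -> None:
        req = self.pending[auth_req_id]
        tokens = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
        if req.mode == "poll":
            req.tokens = tokens   # held at the OP until token() is called
            return
        # Push mode: the OP connects out to the registered URL. Whoever that
        # name resolves to receives the tokens, no client authentication involved.
        client = self.clients[req.client_id]
        endpoint = self.resolver(client.notification_endpoint)
        endpoint.append({"auth_req_id": auth_req_id,
                         "authorization": f"Bearer {req.notification_token}", **tokens})

    def token(self, client_id: str, client_secret: str, grant_type: str, auth_req_id: str) -> dict:
        # Poll mode: tokens are released only to an authenticated client.
        self._authenticate(client_id, client_secret)
        req = self.pending.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req.client_id != client_id:
            raise OPError("invalid_grant")
        if req.tokens is None:
            raise OPError("authorization_pending")
        del self.pending[auth_req_id]
        return req.tokens


def run_push(hijacked: bool) -> Tuple[List[dict], List[dict]]:
    """Push flow; returns (client inbox, attacker inbox) after consent."""
    client = Client("bank-app", "s3cret", notification_endpoint="https://app.example/ciba")
    attacker_inbox: List[dict] = []
    table = {client.notification_endpoint: client.inbox}
    resolver = (lambda url: attacker_inbox) if hijacked else (lambda url: table[url])
    op = OP([client], resolver)
    rid = op.bc_authorize("bank-app", "s3cret", "push", client_notification_token="n0tify")["auth_req_id"]
    op.user_consents(rid)
    return client.inbox, attacker_inbox


def run_poll(secret: str = "s3cret", consent: bool = True):
    """Poll flow; returns the token response or the OAuth error code."""
    client = Client("bank-app", "s3cret")
    op = OP([client], lambda url: [])
    rid = op.bc_authorize("bank-app", "s3cret", "poll")["auth_req_id"]
    if consent:
        op.user_consents(rid)
    try:
        return op.token("bank-app", secret, CIBA_GRANT, rid)
    except OPError as e:
        return str(e)
```

The `resolver` is the whole point of the comparison: in `run_push(hijacked=True)` the OP never learns anything went wrong, because push mode has no step at which the receiving party proves it is the client, whereas `run_poll` with a wrong secret yields `invalid_client` and no tokens ever leave the OP.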