[Openid-specs-ab] Idea: client issue token themselves

Joseph Heenan joseph at authlete.com
Tue Nov 20 11:43:58 UTC 2018

Hi Tom,

> On 19 Nov 2018, at 16:52, Tom Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> I know that the Brexit deal is not done, but my understanding of its current status is that the UK agrees to be bound by the decisions of the EU and that would apply to cross border funds transfers.

That’s definitely a possible outcome, at least in the short term.

> Also looking at the UK OB UX specs it seems that it will be fine for the payment initiator to install an app on the user’s phone that will talk to an app from the user’s bank on the same phone with no user controlled user agent to perform the authentication and consent operations. Calling this UX indicative of user informed consent seems overly optimistic.

The authentication and consent will be performed in the banking app in this case.

I don’t see why a trusted native app from your own bank, which you also use to interact with the bank, is a worse place to perform authentication and consent than a web browser. In fact, if anything, the trusted app is significantly better as it can follow a much easier authentication journey for the user (i.e. using the same biometrics I use to authenticate to the bank’s mobile app, instead of having to deal with entering user names, passwords and secrets). The use of the bank’s mobile app is not compulsory and it automatically falls back to a web based flow if the app isn’t installed.

I can’t see anything here that involves anything happening without the user’s explicit agreement.

[There may be some confusion due to differing use of terminology - consent and authorisation may have different meanings than you are used to. Rest assured that the flows used in the UK are normal OAuth flows where the bank’s authorisation server, or a trusted app from the bank acting as a proxy for the authorisation server, displays to the user a summary of what access the user is granting to the third party, which the user must approve.]

