[Openid-specs-ab] App2app authorization/authentication

Joseph Heenan joseph at authlete.com
Wed Oct 2 17:20:03 UTC 2019

Hi all,

I wrote a blog post a little while ago about app2app authorization/authentication in the OAuth2/OpenID Connect space; I think I omitted to share it here at the time and believe it could be of interest to the group.

For those that haven’t come across it, app2app is where a pre-existing mobile app (e.g. a mobile banking application) essentially claims the Authorization Endpoint using the mobile OS's deep/universal link mechanism, allowing a relying party to perform the OAuth2/openid connect dance but the user is authenticated using their normal biometric method, which massively improves the success rate as (aside from it being a lot faster/easier) a large percentage of users that regularly use biometrics have long forgotten the underlying credentials.

The post includes a video of a user granting an account aggregator app access to a bank account which may be easier to understand.

Note that this requires no changes at all to the oauth2/openid connect protocols, and it’s also fully compatible with the OIDF’s FAPI work - and is already in wide use in UK Openbanking.

The article is here:


If I’ve missed any alternative and recommended ways to implement this I’d be very interested to hear about them.


Joseph Heenan

More information about the Openid-specs-ab mailing list