[Openid-specs-fapi] Berlin Group Specs

Chris Michael Chris.Michael at openbanking.org.uk
Tue Oct 3 14:06:48 UTC 2017

?Yes Dave - some worrying stuff.

I am coordinating a response from OB.

Would probably also add weight if you could do a separate FAPI response too.

Chris Michael

Head of Technology

Open Banking

+44 7767 372277


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Dave Tonge via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: 03 October 2017 14:46
To: Openid-specs Fapi; Torsten Lodderstedt; John Bradley; Nat Sakimura
Subject: [Openid-specs-fapi] Berlin Group Specs

Hi all

The Berlin Group have started their consultation on their API specs for PSD2:


There are several worrying sections, for example:

When using OAuth2, the API calls will work with an access token instead of using the PSU credentials. The only admitted versions of the token grant step is the "user password grant" or the "authorization flow" of OAuth2.

There are several sections where the end-user enters their banking credentials on the third party site...

OAuth 2 and OAuth are mentioned on many occasions but without reference to any security profile.

I think FAPI should respond.

Dave Tonge
[Moneyhub Enterprise]<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Momentum Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Momentum Financial Technology is entered on the Financial Services Register (FRN 561538) at fca.org.uk/register<http://fca.org.uk/register>. Momentum Financial Technology is registered in England & Wales, company registration number 06909772 © . Momentum Financial Technology Limited 2016. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Momentum Financial Technology Limited or of any other group company.

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  

This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20171003/46dcf826/attachment-0001.html>

More information about the Openid-specs-fapi mailing list