[Openid-specs-fapi] The FAPI Security Model - Under Fire

Anders Rundgren anders.rundgren.net at gmail.com
Fri Feb 23 07:53:52 UTC 2018

Hi FAPIers,

As a curious person I have always wondered how Open Banking/PISP/SCA would combine with Amazon's famous one-click checkout.

Various LinkedIn and Slack conversations have revealed the (ugly?) truth.

The intention (at least in the UK), is giving OAuth tokens "eternal life" and rather letting PISPs (Amazon is expected to be a one), deal with payer authorization.  This faithfully emulates the "card-on-file" system that powers most US based super providers.


More information about the Openid-specs-fapi mailing list