[Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token

Joseph Heenan joseph at authlete.com
Mon Jun 17 07:21:59 UTC 2019


Thanks Ralph! The flows where the login_hint_token actually contains a login hint are a bit boring by comparison (other than that they also pass the new intent id via the login_hint_token), which is why I drew out the QR-code-based one :-)

On "however the QR code / thing to convey to the customer just needs to be a long / nonce intentid" - the OB 3.1.2 spec seems to be pretty explicit on this point, to quote:

"In order to initiate authentication, the TPP must lodge a bc_authorize request and then displaying the resulting auth_req_id and intent_id as a QR code which the user would scan using their banking app. The ASPSP would then link the user (who is authenticated in their banking app) with the authentication request."

Is there a later spec I should be looking at? To be honest I find it a bit strange - as you say the bank has to be known up front, so the presented QR code could instead contain a deep link into the mobile banking app, so the user would also have the option to just scan the QR code with the mobile device's camera app.

Thanks

Joseph


> On 17 Jun 2019, at 15:48, Ralph Bragg <ralph.bragg at raidiam.com> wrote:
> 
> Joseph, yes sort of. The login hint token is meant to contain a user identifier, either a previously used request/intent ID, a static user ID that's pairwise bound to the client or worst case a static ID for the user.
> 
> This would facilitate a push (in the first two cases) and potentially a phishing vector in the third.
> 
> If there's no "hint" then yes, a CIBA flow can be used in the way that you described; however, the QR code / thing to convey to the customer just needs to be a long / nonce intentid. The customer already knows the bank that they selected, and all of the information should have been staged with the CIBA request; this is sufficient to allow a customer to come and claim the CIBA initiated request. This flow is useful when you're performing authN/authZ on two different devices. Mobile to mobile a redirect is much better.
> 
> From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> Sent: Monday, June 17, 2019 7:22:55 AM
> To: Openid-specs-fapi
> Cc: Joseph Heenan
> Subject: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token
>  
> Hi all,
> 
> On the last call we talked about how the OpenBanking UK spec ( https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA ) uses the login_hint_token in CIBA.
> 
> Dave raised a ticket that's quite related ( https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent ).
> 
> I thought it would be useful to people’s comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way to identify the user, as I didn’t understand how this worked when I first read the spec.
> 
> Image of the flow is attached below. Note that it assumes the user has already setup the bank’s mobile banking app on their phone and linked it to their account.
> 
> This I believe relates to '2.3.3 model C' on page 40 of https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf - this has some pictures showing the flow from the viewpoint of the user.
> 
> (I believe this is right, but if anyone from OB can confirm/deny I'm happy to make corrections. I've included both the image and the source plantuml.)
> 
> Thanks
> 
> Joseph
> 
> 
> 
> 
> <openbanking_ciba.png>
> 
> 
> 
> @startuml
> 
> title Standard CIBA
> autonumber "<b>Step #: "
> 
> box "User Interactions" #LightBlue
> participant Relying_Party as RP
> participant Authentication_Device as AD
> endbox
> 
> box "Bank" #LightGray
> participant Authorization_Server as AS
> participant Resource_Server as RS
> endbox
> 
> RP->RP: User launches process
> 'RP->AS: client_credentials grant
> 'AS->RP: access_token_client
> 'RP->RS: Register intent using access_token_client
> 'RS->RP: intent_id
> RP->AS: CIBA request
> RP<-AS: auth_req_id
> AS->AD: request user authenticates
> ...wait for user to approve...
> AS<-AD: authentication approved
> RP<-AS: CIBA ping notification
> RP->AS: token request
> RP<-AS: access_token
> RP->RS: access transaction data using access_token
> 
> autonumber 1
> newpage OpenBanking UK version
> ' https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA
> RP->RP: User launches process
> group OB Intent creation
> RP->AS: client_credentials grant
> AS->RP: access_token_client
> RP->RS: Register intent using access_token_client
> RS->RP: intent_id
> RP->RP: create login_hint_token: \n"IID", intent_id
> end
> RP->AS: CIBA request: login_hint_token
> note right: nothing in here identifies the user
> RP<-AS: auth_req_id
> group OB link user to request
> RP->RP: display QR code containing\nintent_id, auth_req_id
> AD->AD: user opens bank's mobile app
> RP->AD: user scans QR code
> AD<->AS: fetch authorisation details: auth_req_id, intent_id
> note right: Only here does AS know what\nuser it is authenticating
> end
> ...wait for user to approve...
> AS<-AD: authentication approved
> RP<-AS: CIBA ping notification
> RP->AS: token request
> RP<-AS: access_token
> RP->RS: access transaction data using access_token
> 
> @enduml
> 
> 
> 

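The OpenBanking UK variant in the second diagram, worked through as an added example (this is not code from the thread, from OpenBanking UK or from any CIBA implementation). It models the bank's authorization server in memory and drives the flow from the RP's side: lodge an intent, send a bc_authorize request whose login_hint_token carries only the "IID" hint and the intent id, show a QR code with auth_req_id and intent_id, have the logged-in banking app claim the request, approve, receive the ping, and exchange auth_req_id for a token. The login_hint_token encoding (base64url JSON), the QR payload, the class and function names and the error strings are all assumptions; only the CIBA grant type URN and the `authorization_pending` / `invalid_grant` error codes come from CIBA Core. The checks on the claim step are the ones Ralph's reply implies: auth_req_id is a long random value, the intent in the QR must match the request, and a request can be claimed once.

```python
"""Simulation of the OB UK CIBA flow (QR code links the user to the request).

Constructed for illustration: the in-memory AuthorizationServer, the
login_hint_token shape (base64url JSON with "IID" + intent_id) and the QR
payload are assumptions, not the OB UK or CIBA Core wire formats.
"""
import base64
import json
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core


def make_login_hint_token(intent_id):
    # Assumed shape: the diagram only says the token carries "IID" and the
    # intent id; a real deployment would carry this in a signed JWT.
    payload = json.dumps({"hint_type": "IID", "intent_id": intent_id})
    return base64.urlsafe_b64encode(payload.encode()).decode()


def parse_login_hint_token(token):
    return json.loads(base64.urlsafe_b64decode(token.encode()))


class AuthorizationServer:
    """Bank side: lodged intents plus backchannel authentication requests."""

    def __init__(self):
        self.intents = {}    # intent_id -> {"client_id": ..., "payment": ...}
        self.requests = {}   # auth_req_id -> request state
        self.ping_log = []   # (client_id, auth_req_id) ping notifications sent

    # OB intent creation (diagram steps 2-5; the resource server is folded in).
    def register_intent(self, client_id, payment):
        intent_id = "intent-" + secrets.token_urlsafe(16)
        self.intents[intent_id] = {"client_id": client_id, "payment": payment}
        return intent_id

    # bc_authorize (steps 7-8): nothing in the request identifies the user.
    def bc_authorize(self, client_id, login_hint_token):
        hint = parse_login_hint_token(login_hint_token)
        if hint.get("hint_type") != "IID":
            raise ValueError("unsupported login hint type")
        intent = self.intents.get(hint.get("intent_id"))
        if intent is None or intent["client_id"] != client_id:
            raise ValueError("unknown intent or intent lodged by another client")
        # auth_req_id must be unguessable: whoever presents it together with the
        # intent id from a logged-in banking app claims the request.
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "intent_id": hint["intent_id"],
            "user": None, "approved": False, "token_issued": False}
        return {"auth_req_id": auth_req_id, "expires_in": 300}

    # QR scan in the banking app (steps 9-12): link the user to the request.
    def claim_request(self, auth_req_id, intent_id, authenticated_user):
        req = self.requests.get(auth_req_id)
        if req is None:
            raise PermissionError("unknown auth_req_id")
        if req["intent_id"] != intent_id:
            raise PermissionError("QR intent_id does not match the request")
        if req["user"] is not None:
            raise PermissionError("request already claimed by a user")
        req["user"] = authenticated_user  # only now does the AS know the user
        return self.intents[intent_id]["payment"]  # shown to the user to approve

    # User approval (step 13) followed by the ping notification (step 14).
    def approve(self, auth_req_id, user):
        req = self.requests[auth_req_id]
        if req["user"] != user:
            raise PermissionError("only the user who claimed the request may approve")
        req["approved"] = True
        self.ping_log.append((req["client_id"], auth_req_id))

    # Token endpoint (steps 15-16) with the CIBA grant.
    def token(self, client_id, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not req["approved"]:
            return {"error": "authorization_pending"}
        if req["token_issued"]:
            return {"error": "invalid_grant"}  # auth_req_id is single use
        req["token_issued"] = True
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "sub": req["user"]}


def claim_error(as_, auth_req_id, intent_id, user):
    """Rejection reason for a claim attempt, or None when it is accepted."""
    try:
        as_.claim_request(auth_req_id, intent_id, user)
    except PermissionError as exc:
        return str(exc)
    return None


def run_ob_ciba_flow(as_, client_id="tpp-1", user="alice"):
    """Drive the whole OB flow from the RP's point of view; constructed input."""
    intent_id = as_.register_intent(client_id, {"amount": "10.00", "ccy": "GBP"})
    auth_req_id = as_.bc_authorize(client_id, make_login_hint_token(intent_id))["auth_req_id"]
    qr = {"auth_req_id": auth_req_id, "intent_id": intent_id}  # what the RP displays
    early = as_.token(client_id, CIBA_GRANT, auth_req_id)      # polled before approval
    as_.claim_request(qr["auth_req_id"], qr["intent_id"], user)  # banking app scans QR
    as_.approve(auth_req_id, user)
    final = as_.token(client_id, CIBA_GRANT, auth_req_id)
    return {"intent_id": intent_id, "auth_req_id": auth_req_id,
            "early": early, "final": final, "ping": as_.ping_log[-1]}
```

Running `run_ob_ciba_flow(AuthorizationServer())` returns `authorization_pending` for the early poll and a token bound to the claiming user afterwards. The part worth noticing is `claim_request`: because the bc_authorize request carried no user, the QR scan is the only point at which a user is attached, so the values in the QR code are the whole of the binding. That is why the auth_req_id has to be a long random value and why a second scan, or a scan with a different intent id, must be refused rather than silently re-linking the request.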