[Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token

Chris Michael Chris.Michael at openbanking.org.uk
Mon Jun 17 07:14:43 UTC 2019

Thanks @Ralph

@Joseph, please can we make sure the spec supports all 4 models/flows as per https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf

While one of these does potentially allow a phishing vector, my preference would be to allow this but clearly call out the risk, as there are some use cases where the OP may chose to implement this.

Chris Michael

Head of Technology

+44 7767 372277


2 Thomas More Square, London E1W 1YN

Twitter<https://twitter.com/UKOpenBanking> | Facebook<https://www.facebook.com/UKOpenBanking> | LinkedIn<https://www.linkedin.com/company/openbanking/>

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: 17 June 2019 07:48
To: Financial API Working Group List
Cc: Ralph Bragg
Subject: Re: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token

Jospeh, yes sort of. The login hint token is meant to contain a user identified, either a previously used request/intent ID, a static user ID that’s pairwise bound to the client or worst case a static ID for the user.

This would facilitate a push (in the first two cases) and potentially a phishing Vector in the third.

If there’s no “hint” then yes, a CIBA flow can be used in the way that you described however the QR code / thing to convey to the customer just needs to be a long / nonce intentid, the customer already knows the bank that they selected and all of the information should have been staged with the CIBA request this is sufficient to allow a customer to come and claim the CIBA initiated request. This flow is useful when you’re performing authN/authZ on two different devices. Mobile to mobile a redirect is much better.

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Monday, June 17, 2019 7:22:55 AM
To: Openid-specs-fapi
Cc: Joseph Heenan
Subject: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token

Hi all,

On the last call we talked about how the OpenBanking UK spec ( https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA ) uses the login_hint_token in CIBA.

Dave raised a ticket that’s quite related ( https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent ).

I thought it would be useful to people’s comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way to identify the user, as I didn’t understand how this worked when I first read the spec.

Image of the flow is attached below. Note that it assumes the user has already setup the bank’s mobile banking app on their phone and linked it to their account.

This I believe relates to ‘2.3.3 model C’ on page 40 of https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf - this has some pictures showing the flow from the viewpoint of the user.

(I believe this is right, but If anyone from OB can confirm/deny I’m happy to make corrections. I’ve included both the image and the source plantuml)





title Standard CIBA
autonumber "<b>Step #: "

box "User Interactions" #LightBlue
participant Relying_Party as RP
participant Authentication_Device as AD

box "Bank" #LightGray
participant Authorization_Server as AS
participant Resource_Server as RS

RP->RP: User launches process
'RP->AS: client_credentials grant
'AS->RP: access_token_client
'RP->RS: Register intent using access_token_client
'RS->RP: indent_id
RP->AS: CIBA request
RP<-AS: auth_req_id
AS->AD: request user authenticates
...wait for user to approve...
AS<-AD: authentication approved
RP<-AS: CIBA ping notification
RP->AS: token request
RP<-AS: access_token
RP->RS: access transaction data using access_token

autonumber 1
newpage OpenBanking UK version
' https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA
RP->RP: User launches process
group OB Intent creation
RP->AS: client_credentials grant
AS->RP: access_token_client
RP->RS: Register intent using access_token_client
RS->RP: indent_id
RP->RP: create login_hint_token: \n"IID", intent_id
RP->AS: CIBA request: login_hint_token
note right: nothing in here identifies the user
RP<-AS: auth_req_id
group OB link user to request
RP->RP: display QR code containing\nintent_id, auth_req_id
AD->AD: user opens bank's mobile app
RP->AD: user scans QR code
AD<->AS: fetch authorisation details: auth_req_id, intent_id
note right: Only here does AS know what\nuser it is authenticating
...wait for user to approve...
AS<-AD: authentication approved
RP<-AS: CIBA ping notification
RP->AS: token request
RP<-AS: access_token
RP->RS: access transaction data using access_token


Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  

This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190617/26349771/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openbanking_ciba.png
Type: image/png
Size: 197970 bytes
Desc: openbanking_ciba.png
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190617/26349771/attachment-0001.png>

More information about the Openid-specs-fapi mailing list