[Openid-specs-fapi] Other PSD2 APIs
nat at sakimura.org
Tue Mar 26 20:10:52 UTC 2019
Just a very brief scan on the Polish API:
* Uses two modes: Authorization code and Decoupled.
* For Authorization code, it is using RFC6749.
* No mention of exact match on redirect_uri
* No mention of unique redirect_uri per AS requirement
* Probably vulnerable to Mix-up attack.
* For Decoupled, they are using a custom API with API Keys.
* Authorization revocation happens through TPP (<== does not make sense to me but...)
* For non-repudiation purpose, they use POST request with JWS. (Section
* Signature is to be provided in X-JWS-SIGNATURE HTTP header.
* Separate certs need to be used for TLS and signature.
On 2019-03-25 17:38, Dave Tonge via Openid-specs-fapi wrote:
> Hi all
> As discussed on one of the previous calls, here are some of the other
> PSD2 API standards:
> They both use OAuth 2, but I haven't had a chance to check if they
> initiate payments based on an access token yet.
> If anyone has the opportunity to review these specs and feedback to
> the group, I'd be grateful.
> Dave Tonge
> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
> t: +44 (0)117 280 5120
> Moneyhub Enterprise is a trading style of Moneyhub Financial
> Technology Limited which is authorised and regulated by the Financial
> Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on
> the Financial Services Register (FRN 809360) at fca.org.uk/register
> . Moneyhub Financial Technology is registered in England & Wales,
> company registration number 06909772 .
> Moneyhub Financial Technology Limited 2018 ©
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
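The redirect_uri and mix-up points in Nat's scan above are about what a TPP client must check on the authorization-code callback. The following is an added example (not code from this thread, nor from the Polish API) of the client-side defence the FAPI work assumes: a unique, exactly matched redirect_uri per authorization server, the state bound to the AS the flow was started with, and the `iss` parameter of the authorization response (RFC 9207) compared against that AS. Issuer and callback values are hypothetical; the Polish API text as summarised here requires none of this.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ASConfig is the client's registration at one authorization server (AS).
// Hypothetical values; one redirect_uri per AS is the point of the example.
type ASConfig struct {
	Issuer      string // expected `iss` of this AS (RFC 9207 authorization response)
	RedirectURI string // the single redirect_uri registered at this AS
}

// pendingAuth records, per state value, which AS the flow was started with.
type pendingAuth struct {
	issuer string
}

type Client struct {
	servers map[string]ASConfig    // keyed by issuer
	pending map[string]pendingAuth // keyed by state
}

// NewClient refuses a configuration in which two ASs share a redirect_uri,
// because a shared callback is what lets a mix-up attack route AS-B's
// response to a flow started at AS-A.
func NewClient(servers ...ASConfig) (*Client, error) {
	c := &Client{servers: map[string]ASConfig{}, pending: map[string]pendingAuth{}}
	seen := map[string]string{}
	for _, s := range servers {
		if prev, dup := seen[s.RedirectURI]; dup {
			return nil, fmt.Errorf("redirect_uri %q shared by %s and %s; use one per AS", s.RedirectURI, prev, s.Issuer)
		}
		seen[s.RedirectURI] = s.Issuer
		c.servers[s.Issuer] = s
	}
	return c, nil
}

// StartFlow remembers the AS chosen for this state before redirecting the user.
func (c *Client) StartFlow(issuer, state string) error {
	if _, ok := c.servers[issuer]; !ok {
		return errors.New("unknown AS")
	}
	c.pending[state] = pendingAuth{issuer: issuer}
	return nil
}

// HandleCallback validates the full callback URL the browser arrived at and
// returns the authorization code plus the issuer it must be redeemed at.
func (c *Client) HandleCallback(rawCallback string) (code string, issuer string, err error) {
	u, err := url.Parse(rawCallback)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	state := q.Get("state")
	p, ok := c.pending[state]
	if !ok {
		return "", "", errors.New("unknown or replayed state")
	}
	delete(c.pending, state) // single use
	as := c.servers[p.issuer]

	// 1. Exact match: the callback must be byte-for-byte the redirect_uri
	//    registered at the AS this flow was started with (query and fragment
	//    stripped). No prefix or path-suffix matching.
	received := *u
	received.RawQuery = ""
	received.Fragment = ""
	if received.String() != as.RedirectURI {
		return "", "", fmt.Errorf("redirect_uri mismatch: got %s want %s", received.String(), as.RedirectURI)
	}
	// 2. Mix-up defence: the response must name the same AS (RFC 9207 `iss`).
	if iss := q.Get("iss"); iss != as.Issuer {
		return "", "", fmt.Errorf("iss mismatch: got %q want %q", iss, as.Issuer)
	}
	code = q.Get("code")
	if code == "" {
		return "", "", errors.New("missing code")
	}
	return code, as.Issuer, nil
}
```

The returned issuer is the only place the code may be sent; a client that redeems the code at whichever token endpoint the response "looks like" it came from is exactly the mix-up victim.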
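Nat's last three bullets describe signed POST bodies carried in an X-JWS-SIGNATURE header with a signing cert separate from the TLS cert. The thread does not say which JWS serialization or algorithm the Polish API uses, so the following added example (not the Polish API's code, nor anything from this list) assumes a detached compact JWS (RFC 7515 Appendix F) with ES256 over the raw request body, which is the form the FAPI community usually means by "signature in a header". Keys are generated in-process in place of certificates; the "tlsKey" in the test stands in for the key behind the TLS cert and shows that it must not be accepted for the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"io"
	"math/big"
	"net/http"
	"strings"
)

const sigHeader = "X-JWS-SIGNATURE"

// JWS uses base64url without padding (RFC 7515 §2).
var b64 = base64.RawURLEncoding

// NewKey generates a P-256 key; in deployment this is the key of a cert,
// and the signing key is distinct from the TLS client cert's key.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDetached returns "<b64(header)>..<b64(sig)>": a compact JWS whose
// payload section is empty. The signing input is still
// b64(header) || "." || b64(body), so the verifier must recompute it from the
// body it actually received.
func SignDetached(key *ecdsa.PrivateKey, kid string, body []byte) (string, error) {
	hdrB, err := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	if err != nil {
		return "", err
	}
	encHdr := b64.EncodeToString(hdrB)
	h := sha256.Sum256([]byte(encHdr + "." + b64.EncodeToString(body)))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return encHdr + ".." + b64.EncodeToString(sig), nil
}

// VerifyDetached checks a detached JWS against the received body. The alg is
// pinned to ES256 so an attacker-supplied header cannot downgrade it.
func VerifyDetached(pub *ecdsa.PublicKey, jws string, body []byte) error {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 || parts[1] != "" {
		return errors.New("not a detached compact JWS")
	}
	hdrB, err := b64.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrB, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "ES256" {
		return errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + b64.EncodeToString(body)))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return errors.New("signature does not match body")
	}
	return nil
}

// SignedPOST is the TPP side: sign the body, carry the JWS in X-JWS-SIGNATURE.
func SignedPOST(url string, key *ecdsa.PrivateKey, kid string, body []byte) (*http.Request, error) {
	jws, err := SignDetached(key, kid, body)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set(sigHeader, jws)
	return req, nil
}

// VerifyPOST is the ASPSP side: read the body exactly as received and verify
// the header with the TPP's signing public key (never the TLS key).
func VerifyPOST(pub *ecdsa.PublicKey, req *http.Request) ([]byte, error) {
	jws := req.Header.Get(sigHeader)
	if jws == "" {
		return nil, errors.New("missing " + sigHeader)
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	if err := VerifyDetached(pub, jws, body); err != nil {
		return nil, err
	}
	return body, nil
}
```

Verifying over the bytes as received (before any JSON parsing or canonicalisation) is what gives the non-repudiation property the bullet is after: the ASPSP can store body plus header and later prove exactly what the TPP signed.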