[Openid-specs-fapi] Other PSD2 APIs

nat nat at sakimura.org
Tue Mar 26 20:10:52 UTC 2019

Just a very brief scan on the Polish API:

* Uses two modes: Authorization code and Decoupled.
* For Authorization code, it is using RFC6749.
     * No mention of exact match on redirect_uri
     * No mention of unique redirect_uri per AS requirement
          * Probably vulnerable to Mix-up attack.
* For Decoupled, they are using a custom API with API Keys.
* Authorization revocation happens through TPP (<== does not make sense to me but...)
* For non-repudiation purposes, they use POST requests with JWS. (Sections 5.8, 6.6)
     * Signature is to be provided in the X-JWS-SIGNATURE HTTP header.
     * Separate certs need to be used for TLS and signature.


Nat Sakimura
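Added example (my own code, not from the Polish API spec or from anyone in this thread) showing the two checks whose absence the scan above flags: exact redirect_uri matching on the AS side, and a distinct redirect_uri per AS on the TPP side with the state bound to the AS that issued it, which is the usual mix-up countermeasure. All names, URLs and registration data are constructed for the demo.

```python
import secrets

# Constructed AS-side registration data: client_id -> registered redirect_uris.
REGISTERED_REDIRECTS = {"client-1": {"https://tpp.example/cb/bank-a"}}


def redirect_uri_allowed(client_id, redirect_uri):
    """AS-side check: the redirect_uri in the authorization request must be a
    byte-for-byte match of a registered value. No prefix or pattern matching."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


class MixupAwareClient:
    """TPP (OAuth client) side. One redirect_uri per AS, so the callback URL
    itself identifies which AS is expected to answer; the state value is bound
    to that AS when the flow starts and checked when the code comes back."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.pending = {}  # state -> issuer the flow was started with

    def redirect_uri_for(self, issuer):
        # Distinct path per AS, registered with that AS only.
        return f"{self.base_url}/cb/{issuer}"

    def start(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state, self.redirect_uri_for(issuer)

    def handle_callback(self, callback_url, state):
        """callback_url is scheme+host+path of the request that delivered the
        code (query string excluded). Returns True only when the state is
        known, unused, and the code arrived on the redirect_uri of the AS the
        state was issued for; a code arriving on another AS's URI is dropped."""
        issuer = self.pending.pop(state, None)  # one-shot: also blocks replay
        if issuer is None:
            return False
        return callback_url == self.redirect_uri_for(issuer)
```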

On 2019-03-25 17:38, Dave Tonge via Openid-specs-fapi wrote:
> Hi all
> As discussed on one of the previous calls, here are some of the other
> PSD2 API standards:
> https://polishapi.org/en/#docs
> https://www.czech-ba.cz/cs/aktivity/standardy/cesky-standard-pro-open-banking
> They both use OAuth 2, but I haven't had a chance to check if they
> initiate payments based on an access token yet.
> If anyone has the opportunity to review these specs and feedback to
> the group, I'd be grateful.
> Thanks
> --
> Dave Tonge