[Openid-specs-fapi] OAuth2 Considered Harmful (for payments)

Anders Rundgren anders.rundgren.net at gmail.com
Sun Apr 5 04:04:56 UTC 2020

Pardon the somewhat strong subject line but as far as I can tell OAuth2 was designed to enable third-party, user-mediated access to user-related resources at service providers.  In such scenarios there are three parties.

However, using the PISP model, users (PSUs) are confronted with yet another party which does not only introduce fuzz, but also a fairly dubious trust model where users suddenly have to give consents to PISPs which they in most cases have no direct relation to or even have heard about.  Well, it works if the PISP industry becomes an oligopoly like VISA/MasterCard but that was probably not the intention.

One-page overview: https://cyberphone.github.io/doc/payments/openbanking-security-actors-interaction.pdf

One might claim that the fairly common outsourced "Secure Payment Pages" are more or less the same thing.  This is correct, but the mere existence of such services is only due to the lack of a secure on-line payment system comparable to EMV-cards + PCI-certified payment terminals.  Nowadays, there are a lot of such systems, including Apple Pay.

Anyway, PISPs fulfill the regulators' requirements, which is great! If you on top of that add the minuscule enhancement I have earlier proposed, 95% of the code base for a typical Open Banking implementation would remain intact while enabling payment systems that in all aspects can compete with Apple Pay et al.  This information (if correct) from a Berlin Group spokesman indicates that the banking community is not overly concerned about Open Banking APIs:

    "as I understand you would like to connect the usage of client
     authentication by virtual cards together with push payments. This is
     discussed within the banking communities within the context of card
     schemes. The Berlin Group has no mandate to follow on this idea"
