[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Anders Rundgren anders.rundgren.net at gmail.com
Sun Jul 26 04:11:46 UTC 2020


OAuth was designed for three parties: Client (TPP), User, and AS/SP.
Commerce introduces a fourth, semi-trusted party: the Merchant.
Although working, the unwanted side effects of this "overloading" are plenty and well documented.

The BG Embedded SCA proposal does therefore not build on OAuth.  The client is assumed to have a static and (per scheme) standardized payment credential, like in Apple Pay.  In fact, you could actually use Apple Pay.  This takes Open Banking to the PoS terminal.

Now you may think that I'm advocating the adoption of this scheme by FAPI/OBIE?  Actually I'm not, because the BG proposal has pretty serious downsides from a Standardization, Implementation, and Innovation point of view.

Anders