[Openid-specs-fapi] PSD2 - FAPI Client Registration

Ralph Bragg ralph.bragg at raidiam.com
Fri Jul 31 05:02:48 UTC 2020

Hi Francis,

There are two approaches. 1. Sign the entire registration request. Look a the obie dynamic client registration approach for an example of how this is performed.

2. Craft and define an “initial access token” which can be defined as a jwt that a tpp can use as part of registration. I have examples of both approaches if you drop me a line.

The obie is publishing a list of trusted qtsp certificates issuing and I believe the root authorities as well they is created by processing the EU list of trust listed.  banks should have no excuses for not being able to determine the set of issuing authorities to trust up front.

Kind Regards,

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Francis Pouatcha via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Friday, July 31, 2020 3:09:15 AM
To: Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
Cc: Francis Pouatcha <fpo at adorsys.de>
Subject: [Openid-specs-fapi] PSD2 - FAPI Client Registration

In our attempt to use FAPI to implement the NextGenPSD2 oAuth approach, we are facing the following problem.

The PSD2 trust framework assumes each ASPSP maintains the list of legitimated certification authorities (rootCAs). This is, regulators expect ASPSP to accept requests from any licensed TPP that present a valid QWAC/QSealC certificate.

We have been looking for a way to use dynamic client registration to allow the TPP to register with ASPSP's OP/AS prior to sending their first requests.

OP can get access to TPP's authenticated information:
- If TPP uses mTLS (QWAC) at the OP interface.
- If TPP uses QSealC to sign the client registration request, seems to be the best approach, as it also provides non repudiation.

Request Signature:
Alt-1: I prefer signing the whole http request (see https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/). Not sure if this is covered by FAPI.
Alt-2: QSealC could be used to produce a private_key_jwt that will be included to the registration request. QSealC can be added to the token, to avoid pre-registration. Digest of the request body could be added to the private_key_jwt to provide for non repudiation.

What am I missing? Are we still in the scope of OIDC/FAPI or getting out of bound?

Thanks in advance for feedback.
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200731/1347c513/attachment.html>

More information about the Openid-specs-fapi mailing list