[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)

dgtonge issues-reply at bitbucket.org
Wed Jun 3 14:22:44 UTC 2020

New issue 295: Possible support for "embedded" SCA mode

Dave Tonge:

There is currently a legislative requirement for some banks in the EU to allow TPPs to use an “embedded” mode where the TPP collects the user’s credentials and passes them through to the bank.

While this is not our recommended approach, maybe we should consider a way of supporting it. This would help with harmonisation efforts so that we can try and get FAPI adopted more widely.

This is how the Berlin Group support this type of interaction:

It is important to note that there is a requirement for the TPP to receive back a challenge to present to a user.

One idea for how to implement this would be to use CIBA as it already has the concept of an “authorization session” via the auth\_req\_id.

The flow could be:

* RP → AS: /bc-authorize Create authorization request with a parameter indicating that embedded auth is preferred
* AS → RP: Ask the user for username/password
* RP → AS: /token {auth_req_id, auth_params: {user, password}}
* AS → RP: Ask the user for OTP
* RP → AS: /token {auth_req_id, auth_params: {OTP}}
* AS → RP: Token

No new endpoints would be needed. We would need extensions to the backchannel authentication endpoint and the token endpoint.

Responsible: Dave Tonge
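The six-step exchange proposed in the post, modelled end to end as an added example; this is not code from the post, the FAPI working group, or any CIBA implementation. Only `auth_req_id` and the `/bc-authorize` and `/token` endpoint names come from CIBA; the `embedded_auth` request parameter, the `auth_params` object, the `challenge` object returned for the RP to present to the user, the attempt limit and the session lifetime are all assumptions. The user records and credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of a password (constructed; any proper password hash would do)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db():
    """Constructed user store: one user with a hashed password and a fixed OTP."""
    salt = secrets.token_bytes(16)
    return {"alice": {"salt": salt, "pw_hash": _pw_hash("correct horse", salt), "otp": "123456"}}


class EmbeddedScaAuthorizationServer:
    """AS model for the proposed flow: a CIBA session keyed by auth_req_id advances
    through the stages 'credentials' -> 'otp' -> token. Each step returns the next
    challenge for the RP to show, which is the Berlin Group requirement noted above."""

    MAX_ATTEMPTS = 3   # assumed: wrong answers allowed per session before it is dropped
    LIFETIME = 300     # assumed: seconds an auth_req_id stays usable

    def __init__(self, users):
        self.users = users      # {username: {"salt", "pw_hash", "otp"}}
        self.sessions = {}      # auth_req_id -> session state

    def bc_authorize(self, client_id, scope, embedded_auth=False):
        """Backchannel authentication endpoint with the assumed embedded_auth parameter."""
        auth_req_id = secrets.token_urlsafe(24)
        self.sessions[auth_req_id] = {
            "client_id": client_id, "scope": scope, "user": None, "attempts": 0,
            "stage": "credentials" if embedded_auth else "decoupled",
            "expires_at": time.monotonic() + self.LIFETIME,
        }
        resp = {"auth_req_id": auth_req_id, "expires_in": self.LIFETIME}
        if embedded_auth:   # first challenge travels back in the bc-authorize response
            resp["challenge"] = {"type": "password", "prompt": "Enter username and password"}
        else:               # plain CIBA: RP polls until the user approves on their own device
            resp["interval"] = 5
        return resp

    def token(self, client_id, auth_req_id, auth_params=None):
        """Token endpoint extended with the assumed auth_params object."""
        s = self.sessions.get(auth_req_id)
        if s is None or time.monotonic() > s["expires_at"]:
            self.sessions.pop(auth_req_id, None)
            return {"error": "invalid_grant"}
        if s["client_id"] != client_id:   # auth_req_id is bound to the client that created it
            return {"error": "invalid_grant"}
        if s["stage"] == "decoupled":
            return {"error": "authorization_pending"}
        auth_params = auth_params or {}
        if s["stage"] == "credentials":
            rec = self.users.get(auth_params.get("user", ""))
            # Hash even for unknown users so timing does not reveal whether the name exists.
            salt = rec["salt"] if rec else b"\x00" * 16
            given = _pw_hash(auth_params.get("password", ""), salt)
            if rec and hmac.compare_digest(given, rec["pw_hash"]):
                s["user"], s["stage"], s["attempts"] = auth_params["user"], "otp", 0
                return {"auth_req_id": auth_req_id,
                        "challenge": {"type": "otp", "prompt": "Enter the one-time code"}}
            return self._fail(auth_req_id, s, "Enter username and password")
        if s["stage"] == "otp":
            if hmac.compare_digest(auth_params.get("otp", ""), self.users[s["user"]]["otp"]):
                del self.sessions[auth_req_id]   # one-shot: the auth_req_id is now spent
                return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                        "expires_in": 600, "scope": s["scope"]}
            return self._fail(auth_req_id, s, "Enter the one-time code")
        return {"error": "invalid_grant"}

    def _fail(self, auth_req_id, s, prompt):
        """Count a wrong answer; re-issue the same challenge or drop the session."""
        s["attempts"] += 1
        if s["attempts"] >= self.MAX_ATTEMPTS:
            del self.sessions[auth_req_id]
            return {"error": "access_denied"}
        kind = "password" if s["stage"] == "credentials" else "otp"
        return {"error": "invalid_grant", "auth_req_id": auth_req_id,
                "challenge": {"type": kind, "prompt": prompt}}


def run_embedded_flow(server, client_id, user, password, otp):
    """RP side of the proposed flow: /bc-authorize, then /token twice."""
    r1 = server.bc_authorize(client_id, "accounts", embedded_auth=True)
    r2 = server.token(client_id, r1["auth_req_id"], {"user": user, "password": password})
    if r2.get("challenge", {}).get("type") != "otp":
        return r2
    return server.token(client_id, r1["auth_req_id"], {"otp": otp})
```

The point of the model is that every RP-facing response carries the next challenge rather than a credential prompt the RP invents itself, the AS binds the `auth_req_id` to the client that created it, and the session is consumed on success and dropped after repeated failures, which is what an AS offering this mode would need to be assessed on.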