[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)
anders.rundgren.net at gmail.com
Thu Jun 4 12:28:09 UTC 2020
On 2020-06-04 12:02, Joseph Heenan wrote:
>> On 4 Jun 2020, at 10:21, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>> On 2020-06-04 11:01, Joseph Heenan wrote:
>>> Hi Anders,
>>> Can you describe with a few lines of text (without referring to Saturn :-) ) how a protocol could address the EMV use case within FAPI or one of the other mechanisms we’re discussing please?
>>> ( https://cyberphone.github.io/doc/payments/open-banking-direct-mode.pdf seems mostly to be rehashing OpenID’s “sub” and OAuth2’s refresh token, and I can’t see where the result differs from using those two?)
>> The document you are referring to is the best description I have so I can only repeat myself :)
>> The technical core of the idea is keeping payment applications like EMV, Saturn, FIDO, etc out of the Open Banking API.
>> The commercial aspect is that such applications would preferably be provided by the respective system owner.
>> The applications (services rather) may or may not be PSD2 compatible.
>> The scheme builds on using OAuth2 as binding system between these services (additional APIs) and the core API, where the former thus works like TPPs.
>> The only really new thing is that the applications are running with higher privileges than existing applications since they are supposed to do SCA on their own.
>> Making Open Banking APIs [technically] usable for any consumer payment may not be such a bad idea.
> So if I understand correctly, the problem is with the limitations surrounding PSD2 functional APIs?
I wouldn't express it like that. This is primarily a software engineering and standardization issue.
> The various mechanisms FAPI supports, including CIBA and the embedded proposal under discussion, are all suitable for the initial user onboarding/binding of the user and (by using refresh tokens) for creating persistent sessions from the TPP to the bank for that user,
Right, this indeed what the Saturn PoC uses although the NextGenPSD2 "authorize" doesn't provide the necessary identity component. Maybe FAPI does?
> and that no changes are necessary to the “security” protocols to enable the EMV use case supporting functional APIs you’re describing?
Almost, this scheme builds on the assumption that a "TPP" (which in most cases would be entirely local to the bank) dealing with EMV transactions, would not be bothered by SCA or consents beyond the initial (one-time) bootstrap.
Anyway, this is just a proposal, albeit pretty extensively tested. If you or somebody else have any better idea on how get EMV into Open Banking, I and hordes of other people are all ears!
Personally, I still believe that our mutual competences could result in something really useful.
More information about the Openid-specs-fapi