[Openid-specs-fapi] Discovery doc changes to support multiple authorization endpoints

Joseph Heenan joseph at authlete.com
Wed Jun 10 15:50:53 UTC 2020

Hi Chris, Freddi, Glyn,

Below is the rough example on idea we evolved on the IETF OAuth WG to deal with multiple authorization endpoints for a single AS/issuer.

As a reminder of the background; my understanding is many banks, including the CMA9, are asking TPPs to manually override authorization endpoints in the cases where they have multiple mobile apps (e.g. business vs personal on a single issuer), which will prevent them achieving FAPI certification for those apps.

There are other banks that have multiple authorization endpoints and are publishing multiple discovery documents (one per authorization endpoint) but using a single issuer, which fails the security check for the match between issuer & discovery document location. The ability to specify multiple authorization endpoints in a single discovery endpoint may help them, or may not.

It would be great to get some feedback from within OB and/or the UK banks and/or some UK TPPs on this proposal.

 “issuer”: “https://somebank.example.com/“,
 “authorization_endpoint” : "https://somebank.example.com/auth”,
 "alternative_authorization_endpoints": {
   “business": {
     "authorization_endpoint":  "https://somebank.example.com/auth/business",
     "description": “somebank business banking customers",
     "logo_uri": "https://somebank.example.com/auth/business/logo.png"
   "personal": {
     "authorization_endpoint": "https://somebank.example.com/auth/consumer",
     "description": “somebank personal customers",
     "logo_uri": "https://somebank.example.com/auth/consumer/logo.png"



More information about the Openid-specs-fapi mailing list