<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi all,<div class=""><br class=""></div><div class="">On the last call we talked about how the OpenBanking UK spec ( <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a> ) uses the login_hint_token in CIBA.</div><div class=""><br class=""></div><div class="">Dave raised a ticket that’s quite related ( <a href="https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent" class="">https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent</a> ).</div><div class=""><br class=""></div><div class="">I thought it would be useful to people’s comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way to identify the user, as I didn’t understand how this worked when I first read the spec.</div><div class=""><br class=""></div><div class="">Image of the flow is attached below. 
Note that it assumes the user has already set up the bank’s mobile banking app on their phone and linked it to their account.</div><div class=""><br class=""></div><div class="">This I believe relates to ‘2.3.3 model C’ on page 40 of <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" class="">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a> - this has some pictures showing the flow from the viewpoint of the user.</div><div class=""><br class=""></div><div class="">(I believe this is right, but if anyone from OB can confirm/deny I’m happy to make corrections. I’ve included both the image and the source plantuml.)</div><div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""></div><div class=""><img apple-inline="yes" id="A6D935F9-0891-476C-A7F6-EAF27A8738F1" src="cid:952D1408-C6C2-4F6E-AEBB-E22AB9B73566" class=""></div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class="">@startuml

title Standard CIBA
autonumber "&lt;b&gt;Step #: "

box "User Interactions" #LightBlue
participant Relying_Party as RP
participant Authentication_Device as AD
endbox

box "Bank" #LightGray
participant Authorization_Server as AS
participant Resource_Server as RS
endbox

RP->RP: User launches process
'RP->AS: client_credentials grant
'AS->RP: access_token_client
'RP->RS: Register intent using access_token_client
'RS->RP: intent_id
RP->AS: CIBA request
RP&lt;-AS: auth_req_id
AS->AD: request user authenticates
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP->AS: token request
RP&lt;-AS: access_token
RP->RS: access transaction data using access_token

autonumber 1
newpage OpenBanking UK version
' <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a>
RP->RP: User launches process
group OB Intent creation
RP->AS: client_credentials grant
AS->RP: access_token_client
RP->RS: Register intent using access_token_client
RS->RP: intent_id
RP->RP: create login_hint_token: \n"IID", intent_id
end
RP->AS: CIBA request: login_hint_token
note right: nothing in here identifies the user
RP&lt;-AS: auth_req_id
group OB link user to request
RP->RP: display QR code containing\nintent_id, auth_req_id
AD->AD: user opens bank's mobile app
RP->AD: user scans QR code
AD&lt;->AS: fetch authorisation details: auth_req_id, intent_id
note right: Only here does AS know what\nuser it is authenticating
end
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP->AS: token request
RP&lt;-AS: access_token
RP->RS: access transaction data using access_token

@enduml
</pre></div><div class=""><br class=""></div></body></html>
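The OpenBanking UK variant of the flow, as a runnable toy model added here for illustration; it is not the OB spec's, a bank's, or any library's code. It keeps the diagram's message names and the point its two notes make: the CIBA request carries only the intent, and the authorization server learns which user it is authenticating only when the mobile app presents the scanned auth_req_id/intent_id pair, so that pair is validated and bound to a single user exactly once, approval must come from that user, and the token is released only after approval and only once. The JSON encoding of the login_hint_token and of the QR payload, the identifier formats, the error strings and the checks the toy AS performs are all assumptions of this example.

```python
"""Toy model of the OpenBanking UK CIBA flow drawn in the diagram above.
Added example, not the OB spec's, a bank's or any library's code. Names follow
the diagram (intent_id, login_hint_token carrying "IID", auth_req_id, QR payload,
ping); the JSON encodings, identifier formats, error strings and the checks the
toy AS performs are this example's own assumptions."""
import json
import secrets
from dataclasses import dataclass


class CibaError(Exception):
    """Any rejected step; the message strings are this example's own."""


@dataclass
class AuthRequest:
    intent_id: str
    auth_req_id: str
    user: "str | None" = None   # unknown until the mobile app scans the QR
    approved: bool = False
    consumed: bool = False      # an auth_req_id is exchanged for one token only


class ResourceServer:
    """Holds intents the RP lodged using its client_credentials token."""
    def __init__(self):
        self.intents = {}

    def register_intent(self, client_token, payload):
        if client_token != "access_token_client":   # constructed token value
            raise CibaError("invalid_token")
        intent_id = "intent-" + secrets.token_hex(4)
        self.intents[intent_id] = dict(payload, status="AwaitingAuthorisation")
        return intent_id


class AuthorizationServer:
    def __init__(self, rs):
        self.rs = rs
        self.requests = {}

    def backchannel_authenticate(self, login_hint_token):
        """CIBA request: the hint names an intent, not a user."""
        hint = json.loads(login_hint_token)
        if hint.get("hint_type") != "IID" or hint.get("intent_id") not in self.rs.intents:
            raise CibaError("invalid_request")
        auth_req_id = "areq-" + secrets.token_hex(8)
        self.requests[auth_req_id] = AuthRequest(hint["intent_id"], auth_req_id)
        return auth_req_id

    def fetch_authorisation_details(self, auth_req_id, intent_id, user):
        """Called by the mobile app with the scanned pair. This is the first
        point at which the AS learns which user it is authenticating, so the
        pair is validated and bound to exactly one user."""
        req = self.requests.get(auth_req_id)
        if req is None or req.intent_id != intent_id:
            raise CibaError("unknown auth_req_id / intent_id pairing")
        if req.user is not None:
            raise CibaError("auth_req_id already linked to a user")
        req.user = user
        return self.rs.intents[intent_id]

    def approve(self, auth_req_id, user):
        """Approval must come from the linked user; returns the ping payload."""
        req = self.requests[auth_req_id]
        if req.user != user:
            raise CibaError("approval from a device that is not linked")
        req.approved = True
        self.rs.intents[req.intent_id].update(status="Authorised", user=user)
        return {"auth_req_id": auth_req_id}

    def token(self, auth_req_id):
        """Token request: only after approval, and only once per auth_req_id."""
        req = self.requests[auth_req_id]
        if not req.approved:
            raise CibaError("authorization_pending")
        if req.consumed:
            raise CibaError("invalid_grant")
        req.consumed = True
        return {"access_token": "at-" + secrets.token_hex(8),
                "intent_id": req.intent_id, "sub": req.user}


def make_login_hint_token(intent_id):
    # Content as in the diagram ("IID", intent_id); JSON encoding is assumed.
    return json.dumps({"hint_type": "IID", "intent_id": intent_id})


def make_qr_payload(intent_id, auth_req_id):
    return json.dumps({"intent_id": intent_id, "auth_req_id": auth_req_id})


def run_ob_ciba_flow(rs, as_, user="alice", qr_intent_override=None, approve=True):
    """Drives the OB flow end to end and returns the token response; the two
    optional arguments exercise a tampered QR code and an unapproved request."""
    intent_id = rs.register_intent("access_token_client", {"amount": "10.00"})
    auth_req_id = as_.backchannel_authenticate(make_login_hint_token(intent_id))
    qr = json.loads(make_qr_payload(qr_intent_override or intent_id, auth_req_id))
    as_.fetch_authorisation_details(qr["auth_req_id"], qr["intent_id"], user)
    if approve:
        as_.approve(auth_req_id, user)
    return as_.token(auth_req_id)
```

Calling `run_ob_ciba_flow(rs, as_)` walks the happy path and returns the token response; `qr_intent_override="..."` makes the app present a pair the AS never issued, which is rejected at the fetch step, and `approve=False` makes the token request fail with the CIBA "authorization_pending" style error. The single-bind check in `fetch_authorisation_details` is the part a defender should care about: because nothing before the scan identifies the user, whichever device first presents a valid pair becomes the user for that request, so the pair must not be linkable twice and approval must be checked against the linked user.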