[Openid-specs-mobile-profile] Issue #44: Transaction Authorization API (openid/mobile)
issues-reply at bitbucket.org
Fri May 27 08:44:13 UTC 2016
New issue 44: Transaction Authorization API
We reached consensus that the standard OpenID Connect flow for authentication is not suitable for transaction authorization. Therefore the mechanism for this use case currently specified in the Mobile Connect Profile is not suitable as well. Nevertheless, a reasonable solution can be built within the OpenID framework.
The MODRNA WG will propose a reasonable mechanism to perform transaction authorizations via OpenID. The idea is to define an additional OpenID Connect endpoint (like UserInfo) for this purpose. Access to this endpoint is protected using Access Tokens issued for a certain scope value. How the access token is obtained (client credentials, web flow, …) is out of scope. The RP uses this endpoint via server-to-server communication to initiate transaction authorization processes. Potentially, the user account to be asked for authorization must be identified via a dedicated parameter. Alternatively, it is implicitly defined by the access token.
This mechanism might be interesting for other WGs/communities as well (e.g. new Financial WG).