[Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft
Torsten.Lodderstedt at telekom.de
Wed Sep 7 15:51:29 UTC 2016
Thank you for producing this first draft for user questioning (formerly known as transaction authorization).
Here are some comments:
Verification code: the document defines three different flows for how a client can obtain the user’s answer. What is the use case for the “terminated by client” flow? From the discussion in our WG call I understood you want to support SMS-based OTP mechanisms for getting the user’s answer. I personally think this does not require the user to (somehow) give the code to the client, which in turn uses it as a credential to obtain the answer from the user questioning endpoint. Integration of SMS could be achieved (encapsulated within the OP) by adding a confirmation URL to the SMS pointing to a suitable (internal) endpoint at the OP. This way even SMS can be used in conjunction with the other modes.
User Questioning Object: What is the benefit of always using the same object type in all requests and responses from/to the user questioning API? I think ordinary request/response parameters would do the job. For example, why do I need to respond to the client user id and type given I sent this data to the OP in the request?
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Philippe Clément
Sent: Thursday, 1 September 2016 14:45
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft
Please find below the first draft of Orange participation in the User Questioning API (aka transaction authorization). Do not hesitate to send feedback to Nicolas or Charles on the list.
---------- Forwarded message ----------
From: <philippe.clement at orange.com>
Date: 2016-09-01 14:40 GMT+02:00
Subject: TR: [User Questioning (a.k.a Transaction Authorization)] First draft
To: Openid-specs-mobile-profile <openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>
From: AILLERY Nicolas IMT/OLPS
Sent: Wednesday, 31 August 2016 11:35
To: openid-specs-mobile-profile at lists.openid.net
Cc: John Bradley; Torsten.Lodderstedt at telekom.de; CLEMENT Philippe IMT TECHNO; VASSELET Mickaël IMT/OLN; MARAIS Charles IMT/OLPS
Subject: [User Questioning (a.k.a Transaction Authorization)] First draft
Please find attached a first draft for the API enabling transaction authorization.
We chose to name this API ‘User Questioning’ to avoid possible misunderstanding with ‘oauth authorization’.