[Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Sebastian.Ebling at telekom.de
Fri Sep 9 10:30:07 UTC 2016

Hi all,

I also do not understand why there must be this super generic Questioning Object.

Besides that, I also found some small things while reading:
Chapter 1.4 point 1: Two full stops after the first sentence. I would also write “Do you allow payment of x Euros to party y?” (y instead of x)
Chapter 1.4 point 4: Replace “plateform” with “platform”
Chapter 2: Missing full stop after bracket in description.
Chapter 2.3: I suggest “VERIFICATION_CODE_REQUIRED” instead of “VERIFICATION_CODE_NEEDED”. Just for consistency with terms like login_required or interaction_required from the OpenID spec. Btw: why are the status values uppercase?
Chapter 2.4: The abbreviation PCR is not explained in the whole document?

Best regards


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Lodderstedt, Torsten
Sent: Wednesday, 7 September 2016 17:51
To: openid-specs-mobile-profile at lists.openid.net
Cc: philippe.clement.ft at gmail.com
Subject: Re: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

thank you for producing this first draft for user questioning (formerly known as transaction authorization).

Here are some comments:

Verification code: the document defines three different flows by which a client can obtain the user’s answer. What is the use case for the “terminated by client” flow? From the discussion in our WG call I understood you want to support SMS-based OTP mechanisms for getting the user’s answer. I personally think this does not require the user to (somehow) give the code to the client, which in turn uses it as a credential to obtain the answer from the user questioning endpoint. Integration of SMS could be achieved (encapsulated within the OP) by adding a confirmation URL to the SMS pointing to a suitable (internal) endpoint at the OP. This way even SMS can be used in conjunction with the other modes.

User Questioning Object: What is the benefit of always using the same object type in all requests and responses from/to the user questioning API? I think ordinary request/response parameters would do the job. For example, why do I need to respond to the client user id and type given I sent this data to the OP in the request?

best regards,

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Philippe Clément
Sent: Thursday, 1 September 2016 14:45
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Dear all,

please find below the first draft of Orange participation in the User Questioning API (aka transaction authorization). Do not hesitate to give feedback to Nicolas or Charles on the list.


---------- Forwarded message ----------
From: <philippe.clement at orange.com>
Date: 2016-09-01 14:40 GMT+02:00
Subject: TR: [User Questioning (a.k.a Transaction Authorization)] First draft
To: Openid-specs-mobile-profile <openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>

Sent: Wednesday, 31 August 2016 11:35
To: openid-specs-mobile-profile at lists.openid.net
Cc: John Bradley; Torsten.Lodderstedt at telekom.de; CLEMENT Philippe IMT TECHNO; VASSELET Mickaël IMT/OLN; MARAIS Charles IMT/OLPS
Subject: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

   Please find in attachment a first draft for the API enabling transaction authorization.
   We chose to name this API ‘User Questioning’ to avoid possible misunderstanding with ‘oauth authorization’.

Best regards,


