[Openid-specs-mobile-profile] [User Questioning (a.k.a Transaction Authorization)] Second draft

nicolas.aillery at orange.com
Mon Sep 19 16:03:44 UTC 2016


Hello Torsten, hello Sebastian,

   Here is an update of our draft.
   We tried to take your comments into account.
   We still have an issue with the ‘verification_code_flow’, because the user interactions it enables are required for Orange's business, and we cannot find a way to take it out of this specification.

Nicolas

From: Torsten.Lodderstedt at telekom.de [mailto:Torsten.Lodderstedt at telekom.de]
Sent: Monday, 12 September 2016 10:27
To: AILLERY Nicolas IMT/OLPS; openid-specs-mobile-profile at lists.openid.net
Cc: philippe.clement.ft at gmail.com
Subject: RE: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi Nicolas,

comments inline …

best regards,
Torsten.

From: nicolas.aillery at orange.com [mailto:nicolas.aillery at orange.com]
Sent: Monday, 12 September 2016 09:20
To: Lodderstedt, Torsten; openid-specs-mobile-profile at lists.openid.net
Cc: philippe.clement.ft at gmail.com
Subject: RE: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Hello Torsten,


* About the Verification code:

  - In France, most banks use SMS OTP for 3D Secure. In brief: when I pay on a website, I enter my credit card number, then I’m redirected to my bank's website. I receive an SMS containing an OTP on my mobile, and I must enter this code on my bank's website to validate the payment. It’s a split-terminal use case, as the consuming device is different from the authenticating device, and it works even with basic phones.

  - With the ‘user questioning’ specification, Orange would like to address this use case. The bank website would be a Client.

  - We agree that the “Terminated-By-Client flow” adds complexity, so we are interested in your ideas for enabling the use case without the specific “Terminated-By-Client flow”.

I understand the use case. The question is whether we need to find a way to implement it the same way as before. And what would be the benefit? Implementing OOB user consent using SMS is a reasonable approach, but the feedback channel could be different. The SMS sent to the user could contain a link pointing to a website hosted by the OP. The user could consent by either just clicking the link or by accepting the transaction on the website by clicking on a button. This way, the client could receive the answer in both pull- and push-style models.


* About the User Questioning Object:

  - We designed a RESTful API, but we agree that this approach is not the most efficient (large object, redundancy of information, …).

  - We agree to work on a simplified API.

Looking forward to the refined proposal

Regards,

Nicolas
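The OOB consent design Torsten sketches above (the SMS carries a confirmation link to an OP-hosted endpoint instead of an OTP the user must relay to the client, and the client learns the answer by pull or push) as an added Python simulation; this is not code from the draft or from either author, and the endpoint path, token lifetime, field names and sample values are assumptions.

```python
import secrets, time

class UserQuestioningOP:
    """OP side: creates questions, issues one-time confirmation links, records answers."""
    TOKEN_TTL = 300  # seconds a confirmation link stays valid (assumed value)

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.questions = {}     # question_id -> {"status", "answer", "callback"}
        self.tokens = {}        # confirmation token -> (question_id, expiry)
        self.sent_sms = []      # constructed stand-in for the SMS gateway

    def create_question(self, user, question, callback=None):
        """Client asks the OP to put a question to the user; returns the question id."""
        qid = secrets.token_urlsafe(16)
        self.questions[qid] = {"status": "pending", "answer": None, "callback": callback}
        # Unguessable single-use token: the link carries the credential, so the user
        # never has to type a code into the client and the client never sees it.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (qid, self.now() + self.TOKEN_TTL)
        self.sent_sms.append((user, f"{question} Confirm: https://op.example/confirm?t={token}"))
        return qid

    def confirm(self, token, answer="yes"):
        """Handler behind the confirmation URL in the SMS; the token is consumed on first use."""
        qid, expiry = self.tokens.pop(token, (None, 0))
        if qid is None or self.now() > expiry:
            return False                     # unknown, already used, or expired link
        q = self.questions[qid]
        q["status"], q["answer"] = "answered", answer
        if q["callback"]:                    # push style: the OP notifies the client
            q["callback"](qid, answer)
        return True

    def poll(self, qid):
        """Pull style: the client asks the OP for the current state of the question."""
        q = self.questions[qid]
        return q["status"], q["answer"]


def demo():
    """Walks one question through the flow; the phone number and amount are constructed."""
    pushed = []
    op = UserQuestioningOP()
    qid = op.create_question("+33600000000", "Pay 42 EUR to Shop?",
                             callback=lambda q, a: pushed.append((q, a)))
    token = op.sent_sms[-1][1].split("t=")[1]   # the user taps the link in the SMS
    first, second = op.confirm(token), op.confirm(token)  # second tap must be rejected
    return qid, first, second, op.poll(qid), pushed
```

Calling `demo()` shows the client seeing the same answer both ways (the pushed callback and a later poll) while the link itself is rejected on reuse.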


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Torsten.Lodderstedt at telekom.de
Sent: Wednesday, 7 September 2016 17:51
To: openid-specs-mobile-profile at lists.openid.net
Cc: philippe.clement.ft at gmail.com
Subject: Re: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

thank you for producing this first draft for user questioning (formerly known as transaction authorization).

Here are some comments:

Verification code: the document defines three different flows by which a client can obtain the user’s answer. What is the use case for the “terminated by client” flow? From the discussion in our WG call I understood you want to support SMS-based OTP mechanisms for getting the user’s answer. I personally think this does not require the user to (somehow) give the code to the client, which in turn uses it as a credential to obtain the answer from the user questioning endpoint. Integration of SMS could be achieved (encapsulated within the OP) by adding a confirmation URL to the SMS pointing to a suitable (internal) endpoint at the OP. This way even SMS can be used in conjunction with the other modes.

User Questioning Object: What is the benefit of always using the same object type in all requests and responses from/to the user questioning API? I think ordinary request/response parameters would do the job. For example, why do I need the client user id and type in the response, given I sent this data to the OP in the request?

best regards,
Torsten.

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Philippe Clément
Sent: Thursday, 1 September 2016 14:45
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Dear all,

please find below the first draft of Orange's participation in the User Questioning API (aka transaction authorization). Do not hesitate to give feedback to Nicolas or Charles on the list.

regards,
Philippe

---------- Forwarded message ----------
From: <philippe.clement at orange.com>
Date: 2016-09-01 14:40 GMT+02:00
Subject: Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft
To: Openid-specs-mobile-profile <openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>


From: AILLERY Nicolas IMT/OLPS
Sent: Wednesday, 31 August 2016 11:35
To: openid-specs-mobile-profile at lists.openid.net
Cc: John Bradley; Torsten.Lodderstedt at telekom.de; CLEMENT Philippe IMT TECHNO; VASSELET Mickaël IMT/OLN; MARAIS Charles IMT/OLPS
Subject: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

   Please find attached a first draft for the API enabling transaction authorization.
   We chose to name this API ‘User Questioning’ to avoid possible misunderstanding with ‘oauth authorization’.

Best regards,

Nicolas

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-user-questioning-api-02.pdf
Type: application/pdf
Size: 51855 bytes
Desc: draft-user-questioning-api-02.pdf
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160919/f1b2fe86/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-user-questioning-api-02.xml
Type: application/xml
Size: 63235 bytes
Desc: draft-user-questioning-api-02.xml
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160919/f1b2fe86/attachment-0001.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-user-questioning-api-02.html.pdf
Type: application/pdf
Size: 229027 bytes
Desc: draft-user-questioning-api-02.html.pdf
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160919/f1b2fe86/attachment-0003.pdf>

