[Openid-specs-mobile-profile] Mobile Profile WG Call preliminary notes of March 8th 2017

philippe.clement at orange.com philippe.clement at orange.com
Thu Mar 9 10:52:26 UTC 2017

Dear all,

Please find below the preliminary notes of our call on March 8th 2017.
If there is any error or misunderstanding, please let me know.

John, Philippe, Nicolas, Charles, Siva, Bjorn, Nat, Gonzalo, Alex Chong, Hubert Mariotte

*       Brief summary of discussions with FAPI WG. [John]
*       Continue discussion on asynchronous/synchronous modes and user consent/authentication for token retrieval. [All]
*       AOB

*       Brief summary of discussions with FAPI WG. [John]
UK case described by John about the Open Banking group and API(s), which evolve and work towards transaction processing mechanisms. In this case, banks have authenticated their customers on their own and outside of OpenID Connect. At payment time, the user is requested to provide consent on the transaction, potentially on a second channel. Summarizing, the case looks similar to a server-to-server exchange, going through the MNO to get the user statement.
Potential usage of a signed request object, which could convey transaction details, is mentioned. Potential usage of the User Questioning API is also addressed, to get and provide back the user response.

==>     John to provide information on how the banks are working in the UK case.

==>     Orange volunteers to sketch up some flows describing the correlation of the UK Open Banking case to things addressed in MODRNA (or OAuth), like using the request object, the JWT assertion specs, using front or back channel, conveying the context of the transaction and usage of a non-consumption device (2nd channel).

*       Continue discussion on asynchronous/synchronous modes and user consent/authentication for token retrieval. [All]
CPAS feedback (Siva): decision to go ahead with 2 specs, in asynchronous and synchronous modes.
A suggestion is made to use JWT assertions in both modes, but attention is to be kept on authentication (not allowed, but not forbidden by JWT assertion), and also for access token and primary consent retrieval.
An asynchronous mode is considered useful (also by FAPI) for long delay responses.
==>     Proposal made to put ideas on the table (Orange has presented some) and see where it's worth working. To be part of the agenda for the next call.

Kind regards,

-----Original Appointment-----
From: Hjelm, Bjorn [mailto:Bjorn.Hjelm at VerizonWireless.com]
Sent: Tuesday 7 March 2017 13:47
To: Hjelm, Bjorn; openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Mobile Profile WG Call
When: Wednesday 8 March 2017 16:00-17:00 Europe/Berlin.
Where: https://global.gotomeeting.com/join/927253461

1.  Agenda

*       Brief summary of discussions with FAPI WG. [John]
*       Continue discussion on asynchronous/synchronous modes and user consent/authentication for token retrieval. [All]
*       AOB




