[Openid-specs-ab] App2app authorization/authentication

nov matake nov at matake.jp
Thu Oct 3 08:25:43 UTC 2019


Are you standardizing the communication between Bank’s Mobile App and AuthZ Server to obtain authorization code?
Or is the part using vendor specific protocol?

iPadから送信

> 2019/10/03 2:20、Joseph Heenan via Openid-specs-ab <openid-specs-ab at lists.openid.net>のメール:
> 
> Hi all,
> 
> I wrote a blog post a little while ago about app2app authorization/authentication in the OAuth2/OpenID Connect space; I think I omitted to share it here at the time and believe it could be of interest to the group.
> 
> For those that haven’t come across it, app2app is where a pre-existing mobile app (e.g. a mobile banking application) essentially claims the Authorization Endpoint using the mobile OS's deep/universal link mechanism, allowing a relying party to perform the OAuth2/openid connect dance but the user is authenticated using their normal biometric method, which massively improves the success rate as (aside from it being a lot faster/easier) a large percentage of users that regularly use biometrics have long forgotten the underlying credentials.
> 
> The post includes a video of a user granting an account aggregator app access to a bank account which may be easier to understand.
> 
> Note that this requires no changes at all to the oauth2/openid connect protocols, and it’s also fully compatible with the OIDF’s FAPI work - and is already in wide use in UK Openbanking.
> 
> The article is here:
> 
> https://josephheenan.blogspot.com/2019/08/implementing-app-to-app-authorisation.html
> 
> If I’ve missed any alternative and recommended ways to implement this I’d be very interested to hear about them.
> 
> Thanks
> 
> Joseph Heenan
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list