[Openid-specs-fapi] PSD2 - FAPI Client Registration

Francis Pouatcha fpo at adorsys.de
Fri Jul 31 02:09:15 UTC 2020


In our attempt to use FAPI to implement the NextGenPSD2 oAuth approach, we
are facing the following problem.

The PSD2 trust framework assumes each ASPSP maintains the list of
legitimate certification authorities (root CAs). That is, regulators expect
ASPSPs to accept requests from any licensed TPP that presents a valid
QWAC/QSealC certificate.

We have been looking for a way to use dynamic client registration to allow
the TPP to register with ASPSP's OP/AS prior to sending their first
requests.

The OP can get access to the TPP's authenticated information:
- If the TPP uses mTLS (QWAC) at the OP interface.
- If the TPP uses QSealC to sign the client registration request. This seems
to be the best approach, as it also provides non-repudiation.

Request Signature:
Alt-1: I prefer signing the whole http request (see
https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/).
Not sure if this is covered by FAPI.
Alt-2: QSealC could be used to produce a private_key_jwt that is included in
the registration request. The QSealC can be added to the token to avoid
pre-registration. A digest of the request body could be added to the
private_key_jwt to provide non-repudiation.

What am I missing? Are we still within the scope of OIDC/FAPI or going out of
bounds?

Thanks in advance for feedback.
-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/