[Openid-specs-fapi] PSD2 - FAPI Client Registration
ralph.bragg at raidiam.com
Fri Jul 31 06:07:05 UTC 2020
See here for the OBIE DCR Spec.
It supports both a federation provider issued Software Statement Assertion and a Self Signed Software Statement Assertion and is an example of a DCR request sent as a JWT to bind both the SSA and the Request together.
The same approach can be achieved by using standard DCR (JSON) with ecosystem defined ‘initial access token’ as a JWT provided the request is sent over a tamper resistant transport channel such as an Mutually Authenticated TLS channel where both parties are using QWACs to identify each other.
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Reply to: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Date: Friday, 31 July 2020 at 06:03
To: Financial API Working Group List <openid-specs-fapi at lists.openid.net>
Cc: Ralph Bragg <ralph.bragg at raidiam.com>, Francis Pouatcha <fpo at adorsys.de>
Subject: Re: [Openid-specs-fapi] PSD2 - FAPI Client Registration
There are two approaches. 1. Sign the entire registration request. Look a the obie dynamic client registration approach for an example of how this is performed.
2. Craft and define an “initial access token” which can be defined as a jwt that a tpp can use as part of registration. I have examples of both approaches if you drop me a line.
The obie is publishing a list of trusted qtsp certificates issuing and I believe the root authorities as well they is created by processing the EU list of trust listed. banks should have no excuses for not being able to determine the set of issuing authorities to trust up front.
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Francis Pouatcha via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Friday, July 31, 2020 3:09:15 AM
To: Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
Cc: Francis Pouatcha <fpo at adorsys.de>
Subject: [Openid-specs-fapi] PSD2 - FAPI Client Registration
In our attempt to use FAPI to implement the NextGenPSD2 oAuth approach, we are facing the following problem.
The PSD2 trust framework assumes each ASPSP maintains the list of legitimated certification authorities (rootCAs). This is, regulators expect ASPSP to accept requests from any licensed TPP that present a valid QWAC/QSealC certificate.
We have been looking for a way to use dynamic client registration to allow the TPP to register with ASPSP's OP/AS prior to sending their first requests.
OP can get access to TPP's authenticated information:
- If TPP uses mTLS (QWAC) at the OP interface.
- If TPP uses QSealC to sign the client registration request, seems to be the best approach, as it also provides non repudiation.
Alt-1: I prefer signing the whole http request (see https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/). Not sure if this is covered by FAPI.
Alt-2: QSealC could be used to produce a private_key_jwt that will be included to the registration request. QSealC can be added to the token, to avoid pre-registration. Digest of the request body could be added to the private_key_jwt to provide for non repudiation.
What am I missing? Are we still in the scope of OIDC/FAPI or getting out of bound?
Thanks in advance for feedback.
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi