[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)

Anders Rundgren anders.rundgren.net at gmail.com
Wed Jun 3 16:20:55 UTC 2020


On 2020-06-03 16:22, dgtonge via Openid-specs-fapi wrote:
> New issue 295: Possible support for "embedded" SCA mode
> https://bitbucket.org/openid/fapi/issues/295/possible-support-for-embedded-sca-mode

As far as I can see the Embedded SCA mode doesn't permit building cool systems like:
https://github.com/cyberphone/swedbank-psd2-saturn#swedbank-psd2saturn-interface

If you in the end still can't build systems that are competitive with Apple Pay, "Swish" (and their numerous "cousins"), what's the point?

Germany's TAN and OTP solutions are way below Apple & Co standards.

Anders

> 
> Dave Tonge:
> 
> There is currently a legislative requirement for some banks in the EU to allow TPPs to use an “embedded” mode where the TPP collects the user’s credentials and passes them through to the bank.
> 
> While this is not our recommended approach, maybe we should consider a way of supporting it. This would help with harmonisation efforts so that we can try and get FAPI adopted more widely.
> 
> This is how the Berlin Group support this type of interaction:
> 
> ![](https://bitbucket.org/repo/K7gLBb/images/3573164385-Screenshot%202020-06-03%20at%2016.11.01.png)
> It is important to note that there is a requirement for the TPP to receive back a challenge to present to a user.
> 
> One idea for how to implement this would be to use CIBA as it already has the concept of an “authorization session” via the auth_req_id.
> 
> The flow could be:
> 
> * RP → AS: /bc-authorize Create authorization request with a parameter indicating that embedded auth is preferred
> * AS → RP: Ask the user for username/password
> * RP → AS: /token {auth_req_id, auth_params: {user, password}}
> * AS → RP: Ask the user for OTP
> * RP → AS: /token {auth_req_id, auth_params: {OTP}}
> * AS → RP: Token
> 
> No new endpoints would be needed. We would need extensions to the backchannel authentication endpoint and the token endpoint.
> 
> Responsible: Dave Tonge
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
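
The flow proposed in the quoted issue, simulated in memory as an added example (not code from the thread, the FAPI working group, or the CIBA specification). The `embedded_auth` parameter name, the `challenge` response field, the error strings, and the attempt limit are assumptions made for illustration; only `auth_req_id`, `auth_params`, and the step order come from the issue text.

```python
import hmac
import secrets

# Constructed demo data: one user, one password, one fixed OTP.
USERS = {"alice": {"password": "correct horse", "otp": "492817"}}
MAX_ATTEMPTS = 3  # assumption: the AS drops a session after repeated failures

def _eq(a, b):
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

class EmbeddedAS:
    """Toy authorization server keyed on auth_req_id (hypothetical sketch)."""
    def __init__(self):
        self.sessions = {}

    def bc_authorize(self, embedded_auth=True):
        # 'embedded_auth' stands in for the unnamed "embedded auth preferred" parameter.
        rid = secrets.token_urlsafe(16)
        self.sessions[rid] = {"step": "password", "user": None, "fails": 0}
        return {"auth_req_id": rid, "challenge": "password"}

    def token(self, auth_req_id, auth_params):
        s = self.sessions.get(auth_req_id)
        if s is None:  # unknown, consumed, or locked-out session
            return {"error": "invalid_grant"}
        if s["step"] == "password":
            user = auth_params.get("user")
            ok = user in USERS and _eq(USERS[user]["password"], auth_params.get("password", ""))
        else:
            user = s["user"]  # the OTP is checked against the user bound in step one
            ok = _eq(USERS[user]["otp"], auth_params.get("OTP", ""))
        if not ok:
            s["fails"] += 1
            if s["fails"] >= MAX_ATTEMPTS:
                del self.sessions[auth_req_id]
                return {"error": "access_denied"}
            return {"error": "authorization_pending", "challenge": s["step"]}
        if s["step"] == "password":
            s.update(step="otp", user=user)
            return {"challenge": "otp"}
        del self.sessions[auth_req_id]  # auth_req_id is single use
        return {"access_token": secrets.token_urlsafe(24)}
def run_flow(as_, user, password, otp):
    """RP side: walk the steps listed in the issue, stopping at the first error."""
    first = as_.bc_authorize()
    step1 = as_.token(first["auth_req_id"], {"user": user, "password": password})
    if "error" in step1:
        return step1
    return as_.token(first["auth_req_id"], {"OTP": otp})
```

Because the RP relays both factors, the only state the AS can bind them to is the `auth_req_id`, so the sketch ties the OTP check to the user fixed in the password step and invalidates the identifier on success or lockout.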