[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)

Torsten Lodderstedt torsten at lodderstedt.net
Thu Jun 4 07:31:53 UTC 2020


Embedded SCA is a multi step authentication/authorization process with a variety of different methods. I think, if we gone support it, we should define a new endpoint for it. Otherwise, CIBA endpoints are cluttered with additional logic specific to embedded.

> Am 03.06.2020 um 16:23 schrieb dgtonge via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>:
> 
> New issue 295: Possible support for "embedded" SCA mode
> https://bitbucket.org/openid/fapi/issues/295/possible-support-for-embedded-sca-mode
> 
> Dave Tonge:
> 
> There is currently a legislative requirement for some banks in the EU to allow TPPs to use an “embedded' mode where the TPP collects the user’s credentials and passes them through to the bank.
> 
> While this is not our recommended approach, maybe we should consider a way of supporting it. This would help with harmonisation efforts so that we can try and get FAPI adopted more widely.
> 
> This is how the Berlin Group support this type of interaction:
> 
> ![](https://bitbucket.org/repo/K7gLBb/images/3573164385-Screenshot%202020-06-03%20at%2016.11.01.png)
> It is important to note that there is a requirement for the TPP to receive back a challenge to present to a user.
> 
> One idea for how to implement this would be to use CIBA as it already has the concept of an “authorization session” via the auth\_req\_id.
> 
> The flow could be:
> 
> * RP → AS: /bc-authorize Create authorization request with a parameter indicating that embedded auth is preferred
> * AS → RP: Ask the user for username/password
> * RP → AS /token \{auth\_req\_id, auth\_params: \{user, password\}\}
> * AS → RP: Ask the user for OTP
> * RP → AS /token \{auth\_req\_id, auth\_params: \{OTP\}\}
> * AS → RP Token
> 
> No new endpoints would be needed. We would need extensions to the backchannel authentication endpoint and the token endpoint.
> 
> 
> 
> 
>> 
>> 
>> 
> Responsible: Dave Tonge
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3629 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200604/26666c90/attachment.p7s>


More information about the Openid-specs-fapi mailing list