[Openid-specs-fapi] EUIDW-4-Payments update: dropping OAuth

Wed Jul 3 18:12:45 UTC 2024

On 2024-07-03 18:41, Joseph Heenan via Openid-specs-fapi wrote:
> Hi Anders
> 
> I’m unsure what point you were trying to make, but for clarity this flow is still based on OAuth2. (It uses OpenID for Verifiable Presentations, which is built on top of OAuth2.)
> 
> I guess you may mean it’s not based on a standard OAuth2 authorization code flow with the bank.

Indeed, the revised flow has no resemblance to OAuth2.

Regarding Verifiable Presentations, it is a bit of a misnomer since Merchants are not verifiers.  In fact, the Payer (PSU) has no direct contact with the actual verifier at all.

Anyway, this is just the beginning.  With respect to FAPI, the lack of a suitable Open Banking API may be worth looking into.  The Berlin Group's take on this matter, is simply put too awkward to ever become mainstream.

Anders

> 
> Thanks
> 
> Joseph
> 
> 
>> On 2 Jul 2024, at 23:19, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>>
>> Apparently the EUIDW folks finally realized that OAuth is the wrong solution for wallet-based payment authorizations:
>> https://github.com/digitallabor-berlin/eudiw-sca/blob/ea5db12b59f583f79e3c866896565fa6c93ae2e4/openbanking-r2s.md#payment
>> That is, a PISP is now just a backend process, technically no different than Stripe & Co, while the wallet only communicates with the Merchant.
>>
>> My review of the update:
>> https://github.com/openid/OpenID4VP/issues/180#issuecomment-2203209092
>>
>> Anders
>>
>>
>>
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi