<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><div class="gmail_default">Hi Torsten,</div><div class="gmail_default"><br></div><div class="gmail_default">So at the moment in FAPI part 2 we define a request object endpoint at the AS - that the client can use to post request objects to and receive back a request uri. Part of the rationale behind adding that was that it allowed the client to include all manner of custom claims in the request object without worrying about the size of the JWT as it would be sent via the backchannel rather than the frontchannel. </div><div class="gmail_default"><br></div><div class="gmail_default">I have to admit I was quite attracted to this as an option for lodging intent. If we consider the fact that in order for the AS to generate the appropriate consent screen it needs to know:</div><div class="gmail_default"> - the client</div><div class="gmail_default"> - the redirect_uri (if following the Google pattern of showing the host part of the redirect_uri to the user)</div><div class="gmail_default"> - the scope</div><div class="gmail_default"> - optionally the claims param</div><div class="gmail_default"> - any "intent" that is referred to by either the scope, or the claims param</div><div class="gmail_default"><br></div><div class="gmail_default">I quite liked the idea of bundling all that information into the request object. The auth url the user is redirected to becomes very simple: <a href="https://as/auth?request_uri=urn:as-namesapce:some-id" target="_blank">https://AS/auth?request_uri=urn:as-namesapce:some-id</a>. And the AS has all the information in one place to know how to generate the consent screen. 
There is an added benefit that the AS can validate all the params in advance and return errors via the backchannel rather than errors having to be returned via the front channel.</div><div class="gmail_default"><br></div><div class="gmail_default">Having said that I know that many people think this is mixing concerns and that the standard OAuth params should be kept separate from custom intent values, and that the pattern you've described in the document is the better approach.</div><div class="gmail_default"><br></div><div class="gmail_default">I think it's worth a discussion though as arguably if the WG is against the approach above, then we should maybe consider removing support for the request object endpoint. </div><div class="gmail_default"><br></div><div class="gmail_default">FWIW we are planning to launch a payments API that uses the request object endpoint pattern described above. </div><div class="gmail_default"><br></div><div class="gmail_default">Dave</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 31 Jan 2019 at 18:46, Torsten Lodderstedt &lt;<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Hi Dave, <div><br></div><div>** taking the conversation to the list to give the WG a chance to contribute **</div><div><br></div><div>What do you mean by "request_uri pattern"?</div><div><br></div><div>kind regards,</div><div>Torsten. 
</div><div><br><div><div><blockquote type="cite"><div>Begin forwarded message:</div><br class="gmail-m_5620627396747937296Apple-interchange-newline"><div style="margin:0px"><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif;color:rgb(0,0,0)"><b>From: </b></span><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif">"Dave Tonge" &lt;<a href="mailto:pullrequests-reply@bitbucket.org" target="_blank">pullrequests-reply@bitbucket.org</a>&gt;<br></span></div><div style="margin:0px"><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif;color:rgb(0,0,0)"><b>Subject: </b></span><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif"><b>Re: [Bitbucket] Pull request #90: new document describing the lodging intent pattern (openid/fapi)</b><br></span></div><div style="margin:0px"><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif;color:rgb(0,0,0)"><b>Date: </b></span><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif">28 January 2019 at 10:30:03 CET<br></span></div><div style="margin:0px"><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif;color:rgb(0,0,0)"><b>To: </b></span><span style="font-family:-webkit-system-font,"Helvetica Neue",Helvetica,sans-serif"><a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a><br></span></div><br><div>
<div style="font:14px/1.42857 Arial,sans-serif;color:rgb(51,51,51)">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td style="background:rgb(245,245,245);padding:10px 10px 0px;font:14px/1.42857 Arial,sans-serif">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td id="gmail-m_5620627396747937296main" class="gmail-m_5620627396747937296comment-container" style="font:14px/1.42857 Arial,sans-serif;padding:0px;background-color:rgb(255,255,255);border-radius:5px">
<div style="border:none;border-radius:5px;padding:0px;background:rgb(245,245,245)">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td class="gmail-m_5620627396747937296main-comment" style="font:14px/1.42857 Arial,sans-serif;padding:0px">
<div style="border:1px solid rgb(204,204,204);border-radius:5px;background-color:rgb(255,255,255);padding:20px">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td class="gmail-m_5620627396747937296comment" style="font:14px/1.42857 Arial,sans-serif;padding:0px">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td class="gmail-m_5620627396747937296comment-avatar" style="font:14px/1.42857 Arial,sans-serif;padding:0px;width:32px;vertical-align:top">
</td>
<td class="gmail-m_5620627396747937296comment-main" style="font:14px/1.42857 Arial,sans-serif;padding:0px 0px 0px 10px">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td class="gmail-m_5620627396747937296comment-user" style="font:14px/1 Arial,sans-serif;padding:0px">
<strong>Dave Tonge</strong> commented on pull request #90:
</td>
</tr>
<tr>
<td class="gmail-m_5620627396747937296title" style="font:bold 14px/1.2 Arial,sans-serif;padding:5px 0px 0px">
<a href="https://bitbucket.org/openid/fapi/pull-requests/90/new-document-describing-the-lodging-intent#comment-89459179" style="color:rgb(53,114,176);text-decoration:none" target="_blank">new document describing the lodging intent pattern</a>
</td>
</tr>
<tr>
<td class="gmail-m_5620627396747937296comment-content gmail-m_5620627396747937296markup-content" style="font:14px/1.42857 Arial,sans-serif;padding:10px 0px 15px"><div style="margin:0px;padding:0px">Hi Torsten,</div><p style="margin:10px 0px 0px;padding:0px">Thanks! This looks really good. Perhaps we can discuss on the next call, but I’d like to see it merged in. We can then improve it as a WG.</p><p style="margin:10px 0px 0px;padding:0px">I think that as Ralph says there potentially needs to be more discussion over the RESTful nature of such a resource, i.e. should it be a long lived object that it will be possible to issue a GET /:id against, or is it a single-use ephemeral object and therefore not really RESTful. </p><p style="margin:10px 0px 0px;padding:0px">We should also probably consider the request_uri pattern a bit further as it's currently included in FAPI Part 2.</p><p style="margin:10px 0px 0px;padding:0px">Dave</p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div></blockquote></div><br></div></div></div></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div>Dave Tonge</div><div>CTO</div><div>Moneyhub Enterprise</div></div>
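<div>The request object endpoint flow discussed in this thread, as an added sketch that is not part of the original email or of the FAPI documents: the client lodges a signed request object on the backchannel, the AS validates it up front and returns either an error or a request_uri, and the authorization endpoint later resolves that request_uri once to get everything the consent screen needs. The client registry, the <code>intent</code> claim name, the <code>urn:as-example:</code> namespace and the function names are assumptions, and HS256 is used only to keep the example free of dependencies.</div>

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlparse

# Constructed client registration held by a hypothetical AS.
CLIENTS = {"client-1": {"secret": b"constructed-demo-key",
                        "redirect_uris": {"https://client.example/cb"},
                        "scopes": {"openid", "payments"}}}
LODGED = {}  # request_uri -> validated claims, consumed on first use

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mac(key, head, body):
    return b64(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())

def sign_request_object(claims, key):
    """Client side: build a compact JWS carrying OAuth params plus intent."""
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    return f"{head}.{body}.{mac(key, head, body)}"

def lodge(client_id, jws):
    """AS request object endpoint: validate now, answer on the backchannel."""
    client, parts = CLIENTS.get(client_id), jws.split(".")
    if client is None or len(parts) != 3:
        return {"error": "invalid_request_object"}
    # The algorithm is fixed by the AS; the JWS header is never trusted for it.
    if not hmac.compare_digest(mac(client["secret"], parts[0], parts[1]), parts[2]):
        return {"error": "invalid_request_object"}
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("client_id") != client_id:
        return {"error": "invalid_request_object"}
    if claims.get("redirect_uri") not in client["redirect_uris"]:
        return {"error": "invalid_request"}
    scopes = set(claims.get("scope", "").split())
    if not scopes or not scopes <= client["scopes"]:
        return {"error": "invalid_scope"}
    request_uri = "urn:as-example:" + secrets.token_urlsafe(16)
    LODGED[request_uri] = claims
    return {"request_uri": request_uri}

def consent_view(request_uri):
    """AS authorization endpoint: one lookup yields the consent screen data."""
    claims = LODGED.pop(request_uri, None)  # single use: a replay resolves to None
    if claims is None:
        return None
    return {"client": claims["client_id"],
            "redirect_host": urlparse(claims["redirect_uri"]).hostname,
            "scope": claims["scope"].split(),
            "intent": claims.get("intent")}
```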