<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div>
<div>
<div style="direction: ltr;">Joseph, yes sort of. The login hint token is meant to contain a user identifier: either a previously used request/intent ID, a static user ID that's pairwise bound to the client or, worst case, a static ID for the user.
</div>
<div><br>
</div>
<div style="direction: ltr;">This would facilitate a push (in the first two cases) and potentially a phishing vector in the third.</div>
<div><br>
</div>
<div style="direction: ltr;">If there's no "hint" then yes, a CIBA flow can be used in the way that you described; however, the QR code / thing to convey to the customer just needs to be a long / nonce intent ID. The customer already knows the bank that they selected,
 and all of the information should have been staged with the CIBA request; this is sufficient to allow a customer to come and claim the CIBA-initiated request. This flow is useful when you're performing authN/authZ on two different devices. Mobile to mobile,
 a redirect is much better. </div>
</div>
<div><br>
</div>
<div class="ms-outlook-ios-signature"></div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Sent:</b> Monday, June 17, 2019 7:22:55 AM<br>
<b>To:</b> Openid-specs-fapi<br>
<b>Cc:</b> Joseph Heenan<br>
<b>Subject:</b> [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div> </div>
</div>
<div>Hi all,
<div class=""><br class="">
</div>
<div class="">On the last call we talked about how the OpenBanking UK spec ( <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a> ) uses the login_hint_token in CIBA.</div>
<div class=""><br class="">
</div>
<div class="">Dave raised a ticket that's quite related ( <a href="https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent" class="">
https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent</a> ).</div>
<div class=""><br class="">
</div>
<div class="">I thought it would be useful to people's comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way
 to identify the user, as I didn't understand how this worked when I first read the spec.</div>
<div class=""><br class="">
</div>
<div class="">Image of the flow is attached below. Note that it assumes the user has already set up the bank's mobile banking app on their phone and linked it to their account.</div>
<div class=""><br class="">
</div>
<div class="">This I believe relates to '2.3.3 model C' on page 40 of <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" class="">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a> -
 this has some pictures showing the flow from the viewpoint of the user.</div>
<div class=""><br class="">
</div>
<div class="">(I believe this is right, but if anyone from OB can confirm/deny I'm happy to make corrections. I've included both the image and the source plantuml.)</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class=""><br class="">
</div>
<div class="">Joseph</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><img apple-inline="yes" id="A6D935F9-0891-476C-A7F6-EAF27A8738F1" class="" src="cid:952D1408-C6C2-4F6E-AEBB-E22AB9B73566"></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class="">@startuml

title Standard CIBA
autonumber "&lt;b&gt;Step #: "

box "User Interactions" #LightBlue
participant Relying_Party as RP
participant Authentication_Device as AD
endbox

box "Bank" #LightGray
participant Authorization_Server as AS
participant Resource_Server as RS
endbox

RP-&gt;RP: User launches process
' The OB intent-lodging steps are not part of standard CIBA; kept here as comments for comparison
'RP-&gt;AS: client_credentials grant
'AS-&gt;RP: access_token_client
'RP-&gt;RS: Register intent using access_token_client
'RS-&gt;RP: intent_id
RP-&gt;AS: CIBA request
RP&lt;-AS: auth_req_id
AS-&gt;AD: request user authenticates
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP-&gt;AS: token request
RP&lt;-AS: access_token
RP-&gt;RS: access transaction data using access_token

autonumber 1
newpage OpenBanking UK version
' https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA
RP-&gt;RP: User launches process
group OB Intent creation
RP-&gt;AS: client_credentials grant
AS-&gt;RP: access_token_client
RP-&gt;RS: Register intent using access_token_client
RS-&gt;RP: intent_id
RP-&gt;RP: create login_hint_token: \n"IID", intent_id
end
RP-&gt;AS: CIBA request: login_hint_token
note right: nothing in here identifies the user
RP&lt;-AS: auth_req_id
group OB link user to request
RP-&gt;RP: display QR code containing\nintent_id, auth_req_id
AD-&gt;AD: user opens bank's mobile app
RP-&gt;AD: user scans QR code
AD&lt;-&gt;AS: fetch authorisation details: auth_req_id, intent_id
note right: Only here does AS know what\nuser it is authenticating
end
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP-&gt;AS: token request
RP&lt;-AS: access_token
RP-&gt;RS: access transaction data using access_token

@enduml
</pre>
<div class=""><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
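<div class="">The OpenBanking UK variant of the diagram above, as an added worked example that is not part of Joseph's message, the reply at the top of the thread, or the OpenBanking UK specification. It models the flow end to end in Python: the RP lodges an intent at the resource server, wraps the intent id in a login_hint_token (here a minimal HS256 JWT carrying an "IID" claim, an assumption made for illustration; the spec's real token format and signing requirements are not reproduced), the AS issues an auth_req_id while still knowing nothing about the user, the RP shows a QR code carrying intent_id and auth_req_id, and the bank app claims the request, which is the point the diagram's note marks as where the AS first learns who it is authenticating. It also exercises the point made in the reply: the QR payload only needs long random ids, and the AS refuses a claim whose ids do not match a pending request or a second claim on a request already bound to a user. Class and function names (ResourceServer, AuthorizationServer, qr_payload, run_flow), the client id and the sample intent are all constructed for this example.</div>

```python
"""Toy model of the OB UK CIBA flow in the diagram above. All names, message
shapes and the HS256 login_hint_token are assumptions made for illustration."""
import base64, hashlib, hmac, json, secrets, time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_login_hint_token(intent_id: str, client_id: str, key: bytes) -> str:
    """RP step 'create login_hint_token': a minimal JWT whose only hint claim is
    the intent id ("IID"). Assumption: HS256 with a key shared with the AS."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": client_id, "iat": int(time.time()), "IID": intent_id}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def parse_login_hint_token(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("login_hint_token signature invalid")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class ResourceServer:
    """Holds lodged intents (the 'Register intent' step)."""

    def __init__(self):
        self.intents = {}

    def register_intent(self, client_id: str, details: dict) -> str:
        # Long random id: the QR code carries it in the clear, so it must be unguessable
        intent_id = secrets.token_urlsafe(32)
        self.intents[intent_id] = {"client_id": client_id, "details": details}
        return intent_id


class AuthorizationServer:
    def __init__(self, rs: ResourceServer, client_keys: dict):
        self.rs, self.client_keys, self.requests = rs, client_keys, {}

    def backchannel_authentication(self, client_id: str, login_hint_token: str) -> str:
        # CIBA request: nothing in the hint names a user, so user stays None until claimed
        claims = parse_login_hint_token(login_hint_token, self.client_keys[client_id])
        intent = self.rs.intents.get(claims.get("IID", ""))
        if intent is None or intent["client_id"] != client_id:
            raise ValueError("unknown intent, or intent lodged by another client")
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {"intent_id": claims["IID"], "client_id": client_id,
                                      "user": None, "approved": False}
        return auth_req_id

    def claim(self, qr: dict, authenticated_user: str) -> dict:
        """AD step 'fetch authorisation details': the bank app, already logged in as
        authenticated_user, presents both ids from the QR code. Only here does the
        AS learn which user the request belongs to."""
        req = self.requests.get(qr["auth_req_id"])
        if req is None or not hmac.compare_digest(req["intent_id"], qr["intent_id"]):
            raise ValueError("QR code does not match a pending request")
        if req["user"] is not None:
            raise ValueError("request already claimed")  # a second scan cannot take it over
        req["user"] = authenticated_user
        return self.rs.intents[req["intent_id"]]["details"]

    def approve(self, auth_req_id: str, authenticated_user: str) -> None:
        req = self.requests[auth_req_id]
        if req["user"] != authenticated_user:
            raise ValueError("approval must come from the user who claimed the request")
        req["approved"] = True

    def token(self, client_id: str, auth_req_id: str) -> dict:
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not req["approved"]:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "sub": req["user"], "intent_id": req["intent_id"]}


def qr_payload(intent_id: str, auth_req_id: str) -> dict:
    """RP step 'display QR code containing intent_id, auth_req_id'."""
    return {"intent_id": intent_id, "auth_req_id": auth_req_id}


def run_flow(user: str = "alice") -> dict:
    """Drive the flow in diagram order; returns the pieces worth inspecting."""
    client_id, key = "tpp-123", secrets.token_bytes(32)  # constructed sample client
    rs = ResourceServer()
    as_ = AuthorizationServer(rs, {client_id: key})
    intent_id = rs.register_intent(client_id, {"amount": "10.00", "currency": "GBP"})
    auth_req_id = as_.backchannel_authentication(client_id, make_login_hint_token(intent_id, client_id, key))
    pending = as_.token(client_id, auth_req_id)  # RP asks before the ping: still pending
    qr = qr_payload(intent_id, auth_req_id)
    details = as_.claim(qr, user)                # user scans the QR code in the bank app
    as_.approve(auth_req_id, user)
    token = as_.token(client_id, auth_req_id)    # after the ping notification
    return {"as": as_, "qr": qr, "pending": pending, "details": details, "token": token}
```

<div class="">Calling run_flow() walks the sequence once and returns the pending token response, the intent details the device fetched, and the final token, which carries the user learned at the claim step. The two checks in claim() are the ones the QR-code linking relies on: the pair (auth_req_id, intent_id) must match a request the AS is actually waiting on, and a request can be bound to a user exactly once.</div>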
</div>
</body>
</html>