<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Thanks @Ralph</p>
<p><br>
</p>
<p>@Joseph, please can we make sure the spec supports all 4 models/flows as per <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" class="" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; background-color: rgb(255, 255, 255);">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a><br>
</p>
<p><br>
</p>
<p>While one of these does potentially allow a phishing vector, my preference would be to allow this but clearly call out the risk, as there are some use cases where the OP may choose to implement this.<br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
<p style="font-size:16px"><strong><br>
</strong></p>
<p style="font-size:16px"><strong>Chris Michael</strong><br>
</p>
<p style="font-size:16px">Head of Technology<br>
</p>
<p style="font-size:16px"><br>
</p>
<p style=""><font size="2">+44 7767 372277</font></p>
<p style=""><font size="2"><a href="http://www.openbanking.org.uk" target="_blank" id="NoLP">http://www.openbanking.org.uk</a></font></p>
<p style=""><font size="2">2 Thomas More Square, London E1W 1YN</font></p>
<p style=""><font size="2"><a href="https://twitter.com/UKOpenBanking" target="_blank" style="font-family:"Times New Roman",serif; background-color:rgb(255,255,255)" id="NoLP"><font face="Calibri,sans-serif"><font color="#0563C1">Twitter</font></font></a><font face="Calibri,sans-serif" color="#1F497D" style="background-color:rgb(255,255,255)"> | </font><a href="https://www.facebook.com/UKOpenBanking" target="_blank" style="font-family:"Times New Roman",serif; background-color:rgb(255,255,255)" id="NoLP"><font face="Calibri,sans-serif"><font color="#0563C1">Facebook</font></font></a><font face="Calibri,sans-serif" color="#1F497D" style="background-color:rgb(255,255,255)"> | </font><a href="https://www.linkedin.com/company/openbanking/" target="_blank" style="font-family:"Times New Roman",serif; background-color:rgb(255,255,255)" id="NoLP"><font face="Calibri,sans-serif" style=""><font color="#0563C1" style="">LinkedIn</font></font></a></font></p>
</div>
</div>
<div style="word-wrap:break-word; line-break:after-white-space">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Sent:</b> 17 June 2019 07:48<br>
<b>To:</b> Financial API Working Group List<br>
<b>Cc:</b> Ralph Bragg<br>
<b>Subject:</b> Re: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div> </div>
</div>
<div>
<div>
<div>
<div style="direction:ltr">Joseph, yes sort of. The login hint token is meant to contain a user identifier, either a previously used request/intent ID, a static user ID that's pairwise bound to the client or, worst case, a static ID for the user.
</div>
<div><br>
</div>
<div style="direction:ltr">This would facilitate a push (in the first two cases) and potentially a phishing vector in the third.</div>
<div><br>
</div>
<div style="direction:ltr">If there's no "hint" then yes, a CIBA flow can be used in the way that you described; however, the QR code / thing to convey to the customer just needs to be a long / nonce intent id. The customer already knows the bank that they selected and all of the information should have been staged with the CIBA request; this is sufficient to allow a customer to come and claim the CIBA-initiated request. This flow is useful when you're performing authN/authZ on two different devices. Mobile to mobile a redirect is much better.</div>
</div>
<div><br>
</div>
<div class="ms-outlook-ios-signature"></div>
</div>
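<p>Added example (Python), not code from this thread, the OpenBanking spec or the CIBA spec: the three kinds of login_hint_token Ralph lists above differ in who is able to trigger a push to a given user, so a bank's authorization server needs to resolve each kind differently. The sketch below resolves a prior intent ID and a client-pairwise ID to the user they already belong to, and only accepts a bare static user ID when the operator has switched that on, with a per-user throttle on such unsolicited pushes. The JSON hint shape, the in-memory tables, the policy flag and the throttle are all assumptions made for the illustration.</p>

```python
"""Added example (not code from the mailing-list thread, the OB spec or the
CIBA spec): how a bank's authorization server (AS) might resolve the three
kinds of login_hint_token Ralph lists, and gate the third kind behind an
explicit policy.  The JSON shape of the hint, the table names and the
rate-limit mitigation are all assumptions made for this illustration."""
import json
from collections import Counter

# Constructed AS state for the example.
INTENTS = {"intent-123": {"client_id": "tpp-a", "user": "alice"}}  # prior intent -> user
PAIRWISE = {("tpp-a", "pw-9f3"): "alice"}                           # (client, pairwise id) -> user
USERS = {"alice", "bob"}                                            # users with a global static id

# One generic failure message: distinguishing "unknown user" from "rejected by
# policy" would let a caller enumerate which identifiers are valid.
GENERIC_REJECT = "login_hint_token could not be resolved"


class HintError(Exception):
    pass


class Policy:
    def __init__(self, allow_static_user_id=False, max_unsolicited_per_user=3):
        self.allow_static_user_id = allow_static_user_id
        self.max_unsolicited_per_user = max_unsolicited_per_user


class AuthorizationServer:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.unsolicited = Counter()  # unsolicited pushes seen per static id

    def resolve_hint(self, client_id, login_hint_token):
        """Return (user, mode): "push" when the user already has a relationship
        with this client, "unsolicited_push" for a bare static id."""
        hint = json.loads(login_hint_token)
        kind, value = hint.get("kind"), hint.get("value")

        if kind == "intent_id":
            # Case 1: a previously used request/intent id.  The intent must have
            # been registered by the same client that is now asking to push.
            rec = INTENTS.get(value)
            if rec is None or rec["client_id"] != client_id:
                raise HintError(GENERIC_REJECT)
            return rec["user"], "push"

        if kind == "pairwise_id":
            # Case 2: a static id pairwise-bound to this client, so it is
            # meaningless to any other client that happens to learn it.
            user = PAIRWISE.get((client_id, value))
            if user is None:
                raise HintError(GENERIC_REJECT)
            return user, "push"

        if kind == "static_id":
            # Case 3: a global static id.  Anyone who knows it can make the AS
            # prompt that user, so it is off by default and throttled when on.
            if not self.policy.allow_static_user_id:
                raise HintError(GENERIC_REJECT)
            self.unsolicited[value] += 1
            if value not in USERS or self.unsolicited[value] > self.policy.max_unsolicited_per_user:
                raise HintError(GENERIC_REJECT)
            return value, "unsolicited_push"

        raise HintError(GENERIC_REJECT)


def hint(kind, value):
    """Build a hint in the (assumed) JSON shape used by this example."""
    return json.dumps({"kind": kind, "value": value})


def hint_rejected(as_, client_id, login_hint_token):
    """True if the AS refuses the hint (so callers need no try/except)."""
    try:
        as_.resolve_hint(client_id, login_hint_token)
        return False
    except HintError:
        return True


if __name__ == "__main__":
    strict = AuthorizationServer()
    print(strict.resolve_hint("tpp-a", hint("intent_id", "intent-123")))  # ('alice', 'push')
    print(hint_rejected(strict, "tpp-a", hint("static_id", "bob")))       # True
    lenient = AuthorizationServer(Policy(allow_static_user_id=True))
    print(lenient.resolve_hint("tpp-a", hint("static_id", "bob")))       # ('bob', 'unsolicited_push')
```

<p>The one deliberate design choice worth noting is the single rejection message: an AS that answers "unknown user" for one static ID and "policy disabled" for another has turned its backchannel endpoint into a user-enumeration oracle, which is exactly the kind of help the phishing scenario in the third case does not need.</p>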
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Sent:</b> Monday, June 17, 2019 7:22:55 AM<br>
<b>To:</b> Openid-specs-fapi<br>
<b>Cc:</b> Joseph Heenan<br>
<b>Subject:</b> [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div> </div>
</div>
<div>Hi all,
<div class=""><br class="">
</div>
<div class="">On the last call we talked about how the OpenBanking UK spec ( <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a> ) uses the login_hint_token in CIBA.</div>
<div class=""><br class="">
</div>
<div class="">Dave raised a ticket that's quite related ( <a href="https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent" class="">
https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent</a> ).</div>
<div class=""><br class="">
</div>
<div class="">I thought it would be useful to people's comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way
 to identify the user, as I didn't understand how this worked when I first read the spec.</div>
<div class=""><br class="">
</div>
<div class="">Image of the flow is attached below. Note that it assumes the user has already setup the bank's mobile banking app on their phone and linked it to their account.</div>
<div class=""><br class="">
</div>
<div class="">This I believe relates to '2.3.3 model C' on page 40 of <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" class="">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a> -
 this has some pictures showing the flow from the viewpoint of the user.</div>
<div class=""><br class="">
</div>
<div class="">(I believe this is right, but if anyone from OB can confirm/deny I'm happy to make corrections. I've included both the image and the source plantuml)</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class=""><br class="">
</div>
<div class="">Joseph</div>
<div class=""><br class="">
</div>
<div class=""><img id="A6D935F9-0891-476C-A7F6-EAF27A8738F1" class="" src="cid:952D1408-C6C2-4F6E-AEBB-E22AB9B73566"></div>
<div class=""><br class="">
</div>
<div class="">
<pre class="" style="background-color:rgb(255,255,255); font-family:Menlo; font-size:9pt">@startuml

title Standard CIBA
autonumber "&lt;b&gt;Step #: "

box "User Interactions" #LightBlue
participant Relying_Party as RP
participant Authentication_Device as AD
endbox

box "Bank" #LightGray
participant Authorization_Server as AS
participant Resource_Server as RS
endbox

RP->RP: User launches process
'RP->AS: client_credentials grant
'AS->RP: access_token_client
'RP->RS: Register intent using access_token_client
'RS->RP: intent_id
RP->AS: CIBA request
RP<-AS: auth_req_id
AS->AD: request user authenticates
...wait for user to approve...
AS<-AD: authentication approved
RP<-AS: CIBA ping notification
RP->AS: token request
RP<-AS: access_token
RP->RS: access transaction data using access_token

autonumber 1
newpage OpenBanking UK version
' https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA
RP->RP: User launches process
group OB Intent creation
RP->AS: client_credentials grant
AS->RP: access_token_client
RP->RS: Register intent using access_token_client
RS->RP: intent_id
RP->RP: create login_hint_token: \n"IID", intent_id
end
RP->AS: CIBA request: login_hint_token
note right: nothing in here identifies the user
RP<-AS: auth_req_id
group OB link user to request
RP->RP: display QR code containing\nintent_id, auth_req_id
AD->AD: user opens bank's mobile app
RP->AD: user scans QR code
AD<->AS: fetch authorisation details: auth_req_id, intent_id
note right: Only here does AS know what\nuser it is authenticating
end
...wait for user to approve...
AS<-AD: authentication approved
RP<-AS: CIBA ping notification
RP->AS: token request
RP<-AS: access_token
RP->RS: access transaction data using access_token

@enduml
</pre>
<div class=""><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</div>
</div>
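<p>Added example (Python), not code from this thread or from the OpenBanking or CIBA specifications: a self-contained simulation of the "OpenBanking UK version" sequence in Joseph's plantuml above, with the RP, the bank's AS and RS, and the user's authentication device all modelled in one process. It makes two of the diagram's points concrete: the CIBA request really does carry nothing that identifies the user (the AS's request record has no user until the QR code is scanned), and the scan step is where the AS has to check that the (auth_req_id, intent_id) pair it is handed matches a pending request before linking a user to it. The {"IID": ...} hint shape, the QR payload, the token formats, the step numbering in the comments and every name are assumptions made for the example.</p>

```python
"""Added example, not code from the thread or the OpenBanking/CIBA specs: an in-memory
simulation of the "OpenBanking UK version" sequence in the diagram. It shows that the
CIBA request carries only an intent id, that the AS first learns the user when the bank
app presents the scanned QR payload, and what the AS checks at that step. The {"IID": ...}
hint shape, QR payload, token formats and every name here are assumptions for the example."""
import json
import secrets


class FlowError(Exception):
    pass


class AuthorizationServer:
    def __init__(self):
        self.intents = {}        # intent_id -> client_id (written by the RS at intent registration)
        self.requests = {}       # auth_req_id -> {"client_id", "intent_id", "user", "status"}
        self.access_tokens = {}  # access_token -> (client_id, intent_id, user)
        self.pings = {}          # client_id -> callback delivering the CIBA ping notification

    def ciba_request(self, client_id, login_hint_token):   # diagram steps 7-8
        intent_id = json.loads(login_hint_token).get("IID")
        if self.intents.get(intent_id) != client_id:       # intent must belong to this client
            raise FlowError("intent unknown or registered by another client")
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"client_id": client_id, "intent_id": intent_id,
                                      "user": None, "status": "pending"}
        return auth_req_id

    def fetch_authorisation_details(self, auth_req_id, intent_id, user):   # step 12
        req = self.requests.get(auth_req_id)
        # The scanned (auth_req_id, intent_id) pair must match a pending request exactly.
        if req is None or req["intent_id"] != intent_id or req["status"] != "pending":
            raise FlowError("QR payload does not match a pending request")
        if req["user"] not in (None, user):
            raise FlowError("request already linked to another user")
        req["user"] = user   # only here does the AS know which user it is authenticating
        return {"intent_id": intent_id, "client_id": req["client_id"]}

    def approve(self, auth_req_id, user):                  # steps 13-14
        req = self.requests[auth_req_id]
        if req["user"] != user:
            raise FlowError("approval from a user not linked to this request")
        req["status"] = "approved"
        self.pings[req["client_id"]](auth_req_id)          # CIBA ping notification to the RP

    def token_request(self, client_id, auth_req_id):       # steps 15-16
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id or req["status"] != "approved":
            raise FlowError("no approved request for this auth_req_id and client")
        tok = secrets.token_urlsafe(16)
        self.access_tokens[tok] = (client_id, req["intent_id"], req["user"])
        return tok


# Resource server side.  Steps 2-3 (client_credentials grant) are elided: the RS is
# handed an already-authenticated client_id rather than validating a client token.
def register_intent(as_, client_id):                       # steps 4-5
    intent_id = secrets.token_urlsafe(16)
    as_.intents[intent_id] = client_id
    return intent_id


def transaction_data(as_, access_token, intent_id):        # step 17
    bound = as_.access_tokens.get(access_token)
    if bound is None or bound[1] != intent_id:
        raise FlowError("token not bound to this intent")
    return {"user": bound[2], "intent_id": intent_id}


def run_ob_ciba_flow(client_id="tpp-a", user="alice"):
    """Drive the RP and the user's authentication device (AD) through the whole flow."""
    as_, pinged = AuthorizationServer(), []
    as_.pings[client_id] = pinged.append
    intent_id = register_intent(as_, client_id)
    hint = json.dumps({"IID": intent_id})                  # step 6: nothing here names the user
    auth_req_id = as_.ciba_request(client_id, hint)
    user_before_scan = as_.requests[auth_req_id]["user"]
    qr = {"intent_id": intent_id, "auth_req_id": auth_req_id}   # steps 9-11: shown, then scanned
    as_.fetch_authorisation_details(qr["auth_req_id"], qr["intent_id"], user)
    as_.approve(auth_req_id, user)
    token = as_.token_request(client_id, pinged[0])        # the ping names the request to redeem
    return {"intent_id": intent_id, "user_before_scan": user_before_scan,
            "pinged": pinged == [auth_req_id], "data": transaction_data(as_, token, intent_id)}


def swapped_qr_rejected(client_id="tpp-a"):
    """True if a QR payload pairing a request's auth_req_id with a different intent is refused."""
    as_ = AuthorizationServer()
    i1, i2 = register_intent(as_, client_id), register_intent(as_, client_id)
    a1 = as_.ciba_request(client_id, json.dumps({"IID": i1}))
    try:
        as_.fetch_authorisation_details(a1, i2, "alice")
        return False
    except FlowError:
        return True
```

<p>Ralph's remark that the QR payload could just as well be a single long, unguessable intent id fits the same structure: the AS would look the pending request up by intent id instead of receiving both values, and the check at the scan step (pending, unlinked, belonging to the client that lodged it) stays the same. Calling run_ob_ciba_flow() returns the record the RS served; swapped_qr_rejected() shows the AS refusing a QR payload whose intent was swapped for another request's.</p>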
<br clear="both">
Please consider the environment before printing this email.<BR>
<BR>
This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  <BR>
<BR>
This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).<BR>
</body>
</html>