<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thanks Ralph! The flows where the login_hint_token actually contains a login hint are a bit boring by comparison (other than that they also pass the new intent id via the login_hint_token), hence why I drew out the QR code based one :-)<div class=""><br class=""></div><div class="">On “however the QR code / thing to convey to the customer just needs to be a long / nonce intentid” - the OB 3.1.2 spec seems to be pretty explicit on this point, to quote:</div><div class=""><br class=""></div><div class=""><i class="">“In order to initiate authentication, the TPP must lodge a bc_authorize request and then displaying the resulting auth_req_id and intent_id as a QR code which the user would scan using their banking app. The ASPSP would then link the user (who is authenticated in their banking app) with the authentication request.”</i></div><div class=""><br class=""></div><div class="">Is there a later spec I should be looking at? To be honest I find it a bit strange - as you say the bank has to be known up front, so the presented QR code could instead contain a deep link into the mobile banking app, so the user would also have the option to just scan the QR code with the mobile device's camera app.</div><div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 17 Jun 2019, at 15:48, Ralph Bragg <<a href="mailto:ralph.bragg@raidiam.com" class="">ralph.bragg@raidiam.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">

<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252" class="">

<div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">
<div class="">
<div style="direction: ltr;" class="">Joseph, yes sort of. The login hint token is meant to contain a user identifier: either a previously used request/intent ID, a static user ID that’s pairwise bound to the client or, worst case, a static ID for the user.
</div>
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">This would facilitate a push (in the first two cases) and potentially a phishing vector in the third.</div>
<div class=""><br class="">
</div>
<div style="direction: ltr;" class="">If there’s no “hint” then yes, a CIBA flow can be used in the way that you described. However, the QR code / thing to convey to the customer just needs to be a long / nonce intentid; the customer already knows the bank that they selected, and all of the information should have been staged with the CIBA request. This is sufficient to allow a customer to come and claim the CIBA-initiated request. This flow is useful when you’re performing authN/authZ on two different devices. Mobile to mobile, a redirect is much better. </div>
</div>
<div class=""><br class="">
</div>
<div class="ms-outlook-ios-signature"></div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" style="font-size:11pt" class=""><b class="">From:</b> Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" class="">openid-specs-fapi-bounces@lists.openid.net</a>> on behalf of Joseph Heenan via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" class="">openid-specs-fapi@lists.openid.net</a>><br class="">
<b class="">Sent:</b> Monday, June 17, 2019 7:22:55 AM<br class="">
<b class="">To:</b> Openid-specs-fapi<br class="">
<b class="">Cc:</b> Joseph Heenan<br class="">
<b class="">Subject:</b> [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div class=""> </div>
</div>
<div class="">Hi all,
<div class=""><br class="">
</div>
<div class="">On the last call we talked about how the OpenBanking UK spec ( <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a> ) uses the login_hint_token in CIBA.</div>
<div class=""><br class="">
</div>
<div class="">Dave raised a ticket that’s quite related ( <a href="https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent" class="">
https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent</a> ).</div>
<div class=""><br class="">
</div>
<div class="">I thought it would be useful to people’s comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way
 to identify the user, as I didn’t understand how this worked when I first read the spec.</div>
<div class=""><br class="">
</div>
<div class="">Image of the flow is attached below. Note that it assumes the user has already setup the bank’s mobile banking app on their phone and linked it to their account.</div>
<div class=""><br class="">
</div>
<div class="">This I believe relates to ‘2.3.3 model C’ on page 40 of <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" class="">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a> -
 this has some pictures showing the flow from the viewpoint of the user.</div>
<div class=""><br class="">
</div>
<div class="">(I believe this is right, but If anyone from OB can confirm/deny I’m happy to make corrections. I’ve included both the image and the source plantuml)</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class=""><br class="">
</div>
<div class="">Joseph</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><span id="cid:952D1408-C6C2-4F6E-AEBB-E22AB9B73566"><openbanking_ciba.png></span></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class="">@startuml

title Standard CIBA
autonumber "&lt;b&gt;Step #: "

box "User Interactions" #LightBlue
participant Relying_Party as RP
participant Authentication_Device as AD
endbox

box "Bank" #LightGray
participant Authorization_Server as AS
participant Resource_Server as RS
endbox

RP->RP: User launches process
' The commented-out steps below are the OB UK intent registration, absent from plain CIBA
'RP->AS: client_credentials grant
'AS->RP: access_token_client
'RP->RS: Register intent using access_token_client
'RS->RP: intent_id
RP->AS: CIBA request
RP&lt;-AS: auth_req_id
AS->AD: request user authenticates
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP->AS: token request
RP&lt;-AS: access_token
RP->RS: access transaction data using access_token

autonumber 1
newpage OpenBanking UK version
' <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" class="">https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a>
RP->RP: User launches process
group OB Intent creation
RP->AS: client_credentials grant
AS->RP: access_token_client
RP->RS: Register intent using access_token_client
RS->RP: intent_id
RP->RP: create login_hint_token: \n"IID", intent_id
end
RP->AS: CIBA request: login_hint_token
note right: nothing in here identifies the user
RP&lt;-AS: auth_req_id
group OB link user to request
RP->RP: display QR code containing\nintent_id, auth_req_id
AD->AD: user opens bank's mobile app
RP->AD: user scans QR code
AD&lt;->AS: fetch authorisation details: auth_req_id, intent_id
note right: Only here does AS know what\nuser it is authenticating
end
...wait for user to approve...
AS&lt;-AD: authentication approved
RP&lt;-AS: CIBA ping notification
RP->AS: token request
RP&lt;-AS: access_token
RP->RS: access transaction data using access_token

@enduml
</pre>
<div class=""><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</div>

</div></blockquote></div><br class=""></div></body></html>