<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:#0b5394">I think that last point is crucial.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:#0b5394"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:#0b5394">If we were to include the intent inside the login_hint_token, a client that wished to use an id_token_hint would then end up in the rather ridiculous position of needing to also include a login_hint_token containing no login hint. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 19 Jun 2019 at 16:54, Brian Campbell via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Recognizing that there's some uncertainty and differing opinions about how to convey intent id (and such type things), we've tried to design our CIBA support such that it could reasonably be set up to handle it being sent as a parameterized scope value, additional parameter, or claim in a login hint token JWT. <br></div><div><br></div><div>I think reasonable people could make reasonable arguments for any of them as the right way to do it. Personally, the parameterized scope value seems to me to be the most proper approach. So I guess that's my preference. Followed by additional parameter. Then login hint token. Conceptually login hint token seems fine but using it then effectively rules out the other hint types. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 19, 2019 at 1:14 AM Dave Tonge <<a href="mailto:dave.tonge@momentumft.co.uk" target="_blank">dave.tonge@momentumft.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:"trebuchet ms",sans-serif">Thanks Ralph</div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">So my idea is that the QR code actually contains a url for the TPP, i.e. <a href="https://tpp.com/auth?token=some-token-that-carries-the-session-from-the-kiosk-to-a-browser" target="_blank">https://tpp.com/auth?token=some-token-that-carries-the-session-from-the-kiosk-to-a-browser</a></div><div style="font-family:"trebuchet ms",sans-serif">There is then a straight forward redirect flow from the TPP to ASPSP and back to the TPP on the users device. When the TPP receives the code and exchanges it for a token, the TPP server communicates with the TPP kiosk to show that payment is complete. </div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">About intent passing, it would be good to hear back from <a class="gmail_plusreply" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743plusReplyChip-0" href="mailto:bcampbell@pingidentity.com" target="_blank">@Brian Campbell</a>, <a class="gmail_plusreply" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743plusReplyChip-1" href="mailto:taka@authlete.com" target="_blank">@Takahiko Kawasaki</a> and <a class="gmail_plusreply" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743plusReplyChip-2" href="mailto:vladimir@connect2id.com" target="_blank">@Vladimir Dzhuvinov</a> about what their perspective would be on how easy it would be to allow a new param to be made available for processing,</div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif">Dave</div><div style="font-family:"trebuchet ms",sans-serif"><br></div><div style="font-family:"trebuchet ms",sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 19 Jun 2019 at 09:04, Ralph Bragg <<a href="mailto:ralph.bragg@raidiam.com" target="_blank">ralph.bragg@raidiam.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div>
<div style="direction:ltr">
<div style="direction:ltr">Dave,</div>
<div><br>
</div>
<div style="direction:ltr">I’ll sync up with freddi today on this, but my initial comments are that Yes, there’s nothing stopping the Authorization url being generated as a QR code and this flow being a standard redirect however how would the auth code be
 returned back to the RP? 2.3.3 is designed for a kiosk type situation, you’d need the kiosk to have an input device as well to scan a AS mobile presented QR code to capture the redirect response? Apologies if I’m missing something. </div>
<div><br>
</div>
<div style="direction:ltr">My concern with adding additional parameters rather than profiling the token is vendor support. We had the same issue when trying to find a solution that would work with existing vendor capability. If vendors are going to follow
 the spec as described and allow any attribute to be passed through and made available for process then great... typically I’ve seen that only the named parameter like login_token_hint etc or request_object be available for processing / profiling.</div>
<div><br>
</div>
<div style="direction:ltr">I’d prefer to profile the token rather than introduce new parameters.</div>
<div><br>
</div>
<div style="direction:ltr">RB</div>
<div><br>
</div>
<div class="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602ms-outlook-ios-signature"></div>
</div>
<div>
<hr style="display:inline-block;width:98%">
<div id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602divRplyFwdMsg" dir="dir="ltr""><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" target="_blank">openid-specs-fapi-bounces@lists.openid.net</a>> on behalf of Dave Tonge via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>><br>
<b>Sent:</b> Tuesday, June 18, 2019 22:47<br>
<b>To:</b> Financial API Working Group List<br>
<b>Cc:</b> Dave Tonge<br>
<b>Subject:</b> Re: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token
<div> </div>
</font></div>

<div dir="ltr">
<div style="font-family:"trebuchet ms",sans-serif">Hi Chris, Ralph and Joseph</div>
<div style="font-family:"trebuchet ms",sans-serif"><br>
</div>
<div style="font-family:"trebuchet ms",sans-serif">So in the base spec we describe the flow where the bank generates a single use identifier (2.3.2 in the Customer Experience Guidelines).</div>
<div style="font-family:"trebuchet ms",sans-serif">I did have language attempting to describe the TPP generated identifier (2.3.3 - the flow described by Joseph), however we dropped the text as we felt it didn't quite fit into CIBA. </div>
<div style="font-family:"trebuchet ms",sans-serif">2.3.1 and 2.3.4 are also supported out of the box by CIBA.</div>
<div style="font-family:"trebuchet ms",sans-serif"><br>
</div>
<div style="font-family:"trebuchet ms",sans-serif">To echo Joseph's point - couldn't the flow described in 2.3.3 be performed using links and a standard redirect flow. i.e. the TPP displays a QR code or link to which the user navigates to
 on their phone. This starts a standard redirect flow. The only limitation here is that not </div>
<div style="font-family:"trebuchet ms",sans-serif"><br>
</div>
<div style="font-family:"trebuchet ms",sans-serif">The separate point of where to pass the intent id is interesting. I'd strongly suggest that OB consider passing it as an extra parameter, rather than including it in to the login_hint_token.
 In CIBA core we have this phrase: <i>"An authentication request is composed of the following parameters and<b>MAY contain additional parameters defined by extension or profile</b>:"</i></div>
<div style="font-family:"trebuchet ms",sans-serif"><i><br>
</i></div>
<div style="font-family:"trebuchet ms",sans-serif">Dave</div>
<div style="font-family:"trebuchet ms",sans-serif"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, 17 Jun 2019 at 09:29, Chris Michael via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Thanks @Ralph</p>
<p><br>
</p>
<p>@Joseph, please can we make sure the spec supports all 4 models/flows as per <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px;background-color:rgb(255,255,255)" target="_blank">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a><br>
</p>
<p><br>
</p>
<p>While one of these does potentially allow a phishing vector, my preference would be to allow this but clearly call out the risk, as there are some use cases where the OP may chose to implement this.<br>
</p>
<p><br>
</p>
<div id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047Signature">
<div name="divtagdefaultwrapper">
<p style="font-size:16px"><b><br>
</b></p>
<p style="font-size:16px"><b>Chris Michael</b><br>
</p>
<p style="font-size:16px">Head of Technology<br>
</p>
<p style="font-size:16px"><br>
</p>
<p><font size="2">+44 7767 372277</font></p>
<p><font size="2"><a href="http://www.openbanking.org.uk" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047NoLP" target="_blank">http://www.openbanking.org.uk</a></font></p>
<p><font size="2">2 Thomas More Square, London E1W 1YN</font></p>
<p><font size="2"><a href="https://twitter.com/UKOpenBanking" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047NoLP" style="font-family:"Times New Roman",serif;background-color:rgb(255,255,255)" target="_blank"><font face="Calibri,sans-serif"><font color="#0563C1">Twitter</font></font></a><font style="background-color:rgb(255,255,255)" face="Calibri,sans-serif" color="#1F497D"> | </font><a href="https://www.facebook.com/UKOpenBanking" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047NoLP" style="font-family:"Times New Roman",serif;background-color:rgb(255,255,255)" target="_blank"><font face="Calibri,sans-serif"><font color="#0563C1">Facebook</font></font></a><font style="background-color:rgb(255,255,255)" face="Calibri,sans-serif" color="#1F497D"> | </font><a href="https://www.linkedin.com/company/openbanking/" id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047NoLP" style="font-family:"Times New Roman",serif;background-color:rgb(255,255,255)" target="_blank"><font face="Calibri,sans-serif"><font color="#0563C1">LinkedIn</font></font></a></font></p>
</div>
</div>
<div>
<hr style="display:inline-block;width:98%">
<div id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" target="_blank">openid-specs-fapi-bounces@lists.openid.net</a>>
 on behalf of Ralph Bragg via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>><br>
<b>Sent:</b> 17 June 2019 07:48<br>
<b>To:</b> Financial API Working Group List<br>
<b>Cc:</b> Ralph Bragg<br>
<b>Subject:</b> Re: [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div> </div>
</div>
<div>
<div>
<div>
<div style="direction:ltr">Jospeh, yes sort of. The login hint token is meant to contain a user identified, either a previously used request/intent ID, a static user ID that’s pairwise bound to the client or worst case a static ID for the user.</div>
<div><br>
</div>
<div style="direction:ltr">This would facilitate a push (in the first two cases) and potentially a phishing Vector in the third.</div>
<div><br>
</div>
<div style="direction:ltr">If there’s no “hint” then yes, a CIBA flow can be used in the way that you described however the QR code / thing to convey to the customer just needs to be a long / nonce intentid, the customer already knows the bank that they selected
 and all of the information should have been staged with the CIBA request this is sufficient to allow a customer to come and claim the CIBA initiated request. This flow is useful when you’re performing authN/authZ on two different devices. Mobile to mobile
 a redirect is much better. </div>
</div>
<div><br>
</div>
<div class="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047ms-outlook-ios-signature"></div>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Openid-specs-fapi <<a href="mailto:openid-specs-fapi-bounces@lists.openid.net" target="_blank">openid-specs-fapi-bounces@lists.openid.net</a>>
 on behalf of Joseph Heenan via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>><br>
<b>Sent:</b> Monday, June 17, 2019 7:22:55 AM<br>
<b>To:</b> Openid-specs-fapi<br>
<b>Cc:</b> Joseph Heenan<br>
<b>Subject:</b> [Openid-specs-fapi] OpenBanking CIBA flow / login_hint_token</font>
<div> </div>
</div>
<div>Hi all,
<div><br>
</div>
<div>On the last call we talked about how the OpenBanking UK spec ( <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" target="_blank">
https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a> ) uses the login_hint_token in CIBA.</div>
<div><br>
</div>
<div>Dave raised a ticket that’s quite related ( <a href="https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent" target="_blank">
https://bitbucket.org/openid/fapi/issues/228/ciba-and-lodging-intent</a> ).</div>
<div><br>
</div>
<div>I thought it would be useful to people’s comprehension to draw out a sequence diagram of the OB CIBA flow, in particular the one that uses the login_hint_token to communicate intent, and uses a QR code to replace the login_hint_token as a way to identify
 the user, as I didn’t understand how this worked when I first read the spec.</div>
<div><br>
</div>
<div>Image of the flow is attached below. Note that it assumes the user has already setup the bank’s mobile banking app on their phone and linked it to their account.</div>
<div><br>
</div>
<div>This I believe relates to ‘2.3.3 model C’ on page 40 of <a href="https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf" target="_blank">https://www.openbanking.org.uk/wp-content/uploads/Customer-Experience-Guidelines-V1.3.0.pdf</a> -
 this has some pictures showing the flow from the viewpoint of the user.</div>
<div><br>
</div>
<div>(I believe this is right, but If anyone from OB can confirm/deny I’m happy to make corrections. I’ve included both the image and the source plantuml)</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Joseph</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><img id="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail-m_4287817308951702047A6D935F9-0891-476C-A7F6-EAF27A8738F1" src="cid:16b6e9038b8c08b4e231"></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><span style="color:rgb(128,128,0)">@startuml<br></span><span style="color:rgb(128,128,0)"><br></span><span style="color:rgb(0,0,128);font-weight:bold">title</span> Standard CIBA<br><span style="color:rgb(0,0,128);font-weight:bold">autonumber</span> "<b>Step #: "<br><br><span style="color:rgb(0,0,128);font-weight:bold">box</span> "User Interactions" #LightBlue<br><span style="font-weight:bold">participant</span> Relying_Party as RP<br><span style="font-weight:bold">participant</span> Authentication_Device as AD<br>endbox<br><br><span style="color:rgb(0,0,128);font-weight:bold">box</span> "Bank" #LightGray<br><span style="font-weight:bold">participant</span> Authorization_Server as AS<br><span style="font-weight:bold">participant</span> Resource_Server as RS<br>endbox<br><br>RP->RP: User launches process<br><span style="color:rgb(128,128,128);font-style:italic">'RP->AS: client_credentials grant<br></span><span style="color:rgb(128,128,128);font-style:italic">'AS->RP: access_token_client<br></span><span style="color:rgb(128,128,128);font-style:italic">'RP->RS: Register intent using access_token_client<br></span><span style="color:rgb(128,128,128);font-style:italic">'RS->RP: indent_id</span><br>RP->AS: CIBA request<br>RP<-AS: auth_req_id<br>AS->AD: request user authenticates<br>...wait for user to approve...<br>AS<-AD: authentication approved<br>RP<-AS: CIBA ping notification<br>RP->AS: token request<br>RP<-AS: access_token<br>RP->RS: access transaction data using access_token<br><br><span style="color:rgb(0,0,128);font-weight:bold">autonumber</span> 1<br><span style="color:rgb(0,0,128);font-weight:bold">newpage</span> OpenBanking UK version<br><span style="color:rgb(128,128,128);font-style:italic">' <a href="https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA" target="_blank">https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2#Read/WriteDataAPISpecification-v3.1.2-CIBA</a></span><br>RP->RP: User launches process<br><span style="color:rgb(0,0,128);font-weight:bold">group</span> OB Intent creation<br>RP->AS: client_credentials grant<br>AS->RP: access_token_client<br>RP->RS: Register intent using access_token_client<br>RS->RP: indent_id<br>RP->RP: <span style="color:rgb(0,0,128);font-weight:bold">create</span> login_hint_token: \n"IID", intent_id<br><span style="color:rgb(0,0,128);font-weight:bold">end</span><br>RP->AS: CIBA request: login_hint_token<br><span style="color:rgb(0,0,128);font-weight:bold">note right</span>: nothing in here identifies the user<br>RP<-AS: auth_req_id<br><span style="color:rgb(0,0,128);font-weight:bold">group</span> OB <span style="color:rgb(0,0,128);font-weight:bold">link</span> user to request<br>RP->RP: display QR code containing\nintent_id, auth_req_id<br>AD->AD: user opens bank's mobile app<br>RP->AD: user scans QR code<br>AD<->AS: fetch authorisation details: auth_req_id, intent_id<br><span style="color:rgb(0,0,128);font-weight:bold">note right</span>: Only here does AS know what\nuser it is authenticating<br><span style="color:rgb(0,0,128);font-weight:bold">end</span><br>...wait for user to approve...<br>AS<-AD: authentication approved<br>RP<-AS: CIBA ping notification<br>RP->AS: token request<br>RP<-AS: access_token<br>RP->RS: access transaction data using access_token<br><br><span style="color:rgb(128,128,0)">@enduml<br></span></pre>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
<br clear="all">
Please consider the environment before printing this email.<br>
<br>
This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.<br>
<br>
This email and any attachments are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or
 disclosure of them, is strictly prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (<a href="https://www.openbanking.org.uk/privacy-policy" target="_blank">https://www.openbanking.org.uk/privacy-policy</a>).<br>
</div>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail-m_-9206784093179069602gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:1em;font-weight:bold;line-height:1.4">
<div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold">
<div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal">
<div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">
<div style="font-weight:400;color:rgb(51,51,51);line-height:normal">
<div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">
Dave Tonge</div>
<div style="font-size:0.8125em;line-height:1.4">CTO</div>
<div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" style="border:medium none;padding:0px;border-radius:2px;margin:7px" width="200" height="50"></a></div>
<div style="padding:8px 0px">
<div style="padding:8px 0px">
<div style="letter-spacing:normal;line-height:normal">
<div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div>
<span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px">
</div>
<div style="letter-spacing:normal;line-height:normal"><span style="font-size:11px;line-height:15.925px"><br>
</span></div>
<div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal">
<div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial
 Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">)
 at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial
 Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font face="lato, open sans, arial, sans-serif" color="#333333"><span style="font-size:0.75em"> .</span></font></span></div>
<div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4">
<span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div>
<div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4">
<span style="background-color:transparent;font-size:0.75em"><br>
</span></div>
<div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4">
<span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than
 by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may
 be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited
 or of any other group company.</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_774677090158606078gmail-m_7069298780640643088gmail-m_-8525435886674851743gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" style="border:medium none;padding:0px;border-radius:2px;margin:7px" width="200" height="50"></a></div><div style="padding:8px 0px"><div style="padding:8px 0px"><div style="letter-spacing:normal;line-height:normal"><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px"></div><div style="letter-spacing:normal;line-height:normal"><span style="font-size:11px;line-height:15.925px"><br></span></div><div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal"><div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font face="lato, open sans, arial, sans-serif" color="#333333"><span style="font-size:0.75em"> .</span></font></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em"><br></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div></div>

<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_774677090158606078gmail_signature"><div style="padding:0px;margin:0px">    <table style="border-collapse:collapse;padding:0px;margin:0px">                       <tbody><tr>                         <td style="width:113px">                                        <a href="https://www.pingidentity.com" target="_blank"></a><a href="https://www.pingidentity.com" target="_blank"><img alt="Ping Identity" src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/ping-logo.png"></a>                                </td>                             <td>                                      <table>                                                                                           <tbody><tr>                         <td style="vertical-align:top">                                 <span style="color:rgb(230,29,60);display:inline-block;margin-bottom:3px;font-family:arial,helvetica,sans-serif;font-weight:bold;font-size:14px">Rob Otto</span>                                                          <br>                                                              <span style="color:rgb(0,0,0);display:inline-block;margin-bottom:2px;font-family:arial,helvetica,sans-serif;font-weight:normal;font-size:14px">EMEA Field CTO/Solutions Architect</span>                                                          <br>                                                              <span style="font-family:arial,helvetica,sans-serif;font-size:14px;display:inline-block;margin-bottom:3px"><a href="mailto:robertotto@pingidentity.com" target="_blank">robertotto@pingidentity.com</a></span>                                                            <br>                                                              <span style="color:rgb(0,0,0);display:inline-block;margin-bottom:2px;font-family:arial,helvetica,sans-serif;font-weight:normal;font-size:14px">                                                         </span>                                                           <br>                                                              <span style="color:rgb(0,0,0);display:inline-block;margin-bottom:2px;font-family:arial,helvetica,sans-serif;font-weight:normal;font-size:14px">                                                         c: +44 (0) 777 135 6092</span>                                                    </td>                           </tr>                                       </tbody></table>                            </td>                     </tr>                     <tr>                                      <td colspan="2">          <table style="border-collapse:collapse;border:none;margin:8px 0px 0px;width:100%">            <tbody><tr style="height:40px;border-top:1px solid rgb(211,211,211);border-bottom:1px solid rgb(211,211,211)">              <td style="font-family:arial,helvetica,sans-serif;font-size:14px;font-weight:bold;color:rgb(64,71,75)">Connect with us: </td>              <td style="padding:4px 0px 0px 20px">                <a href="https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm" style="text-decoration:none;margin-right:16px" title="Ping on Glassdoor" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-glassdoor.png" style="border:none;margin:0px" alt="Glassdoor logo"></a>                                                                                <a href="https://www.linkedin.com/company/21870" style="text-decoration:none;margin-right:16px" title="Ping on LinkedIn" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-linkedin.png" style="border:none;margin:0px" alt="LinkedIn logo"></a>                                        <a href="https://twitter.com/pingidentity" style="text-decoration:none;margin-right:16px" title="Ping on Twitter" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-twitter.png" style="border:none;margin:0px" alt="twitter logo"></a>                                                                             <a href="https://www.facebook.com/pingidentitypage" style="text-decoration:none;margin-right:16px" title="Ping on Facebook" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-facebook.png" style="border:none;margin:0px" alt="facebook logo"></a>                                                           <a href="https://www.youtube.com/user/PingIdentityTV" style="text-decoration:none;margin-right:16px" title="Ping on Youtube" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-youtube.png" style="border:none;margin:0px 0px 3px" alt="youtube logo"></a> <a href="https://www.pingidentity.com/en/blog.html" style="text-decoration:none;margin-right:16px" title="Ping Blog" target="_blank"><img src="https://www.pingidentity.com/content/dam/pic/images/misc/signature/social-blog.png" style="border:none;margin:0px" alt="Blog logo"></a>                                                                                                                    </td>            </tr>          </tbody></table>                                </td>      </tr>    </tbody></table><img src="https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/freetrials-signature_header.png"></div><div style="padding:0px;margin:0px"><a href="https://www.pingidentity.com/content/ping/en/lp/d/p14e-trial.html" target="_blank"></a><a href="https://www.pingidentity.com/en/lp/d/p14e-trial.html?utm_source=Email&utm_medium=p14e-trial-sso-mfa-emailsig&utm_campaign=p14e-trial-sso-mfa-emailsig" target="_blank"></a><a href="https://www.pingidentity.com/en/lp/d/p14e-trial.html?utm_source=Email&utm_medium=p14e-trial-sso-mfa-emailsig&utm_campaign=p14e-trial-sso-mfa-emailsig" target="_blank"><img style="float:left" src="https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/freetrials-signature-it.png"></a><a href="https://developer.pingidentity.com/en/signup.html" target="_blank"></a><a href="https://developer.pingidentity.com/en/signup.html" target="_blank"></a><a href="https://developer.pingidentity.com/en/signup.html" target="_blank"></a><a href="https://developer.pingidentity.com/en/signup.html?utm_source=email&utm_medium=P14C-Trial-Email&utm_campaign=P14C-Trial-Email&utm_content=link" target="_blank"></a><a href="https://developer.pingidentity.com/en/signup.html?utm_source=email&utm_medium=P14C-Trial-Email&utm_campaign=P14C-Trial-Email&utm_content=link" target="_blank"><img src="https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/freetrials-signature-dev.png"></a></div></div></div>

<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>