Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-26 Thread Torsten Lodderstedt
derstedt [mailto:tors...@lodderstedt.net] > Sent: Tuesday 26 November 2019 11:33 > To: Robache Hervé > Cc: Joseph Heenan; oauth@ietf.org > Subject: Re: [OAUTH-WG] Question regarding RFC 8628 > > Hi Hervé, > > the flow you outline is equivalent to CIBA > (https://openid.net/sp

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-26 Thread Robache Hervé
> > From: Joseph Heenan [mailto:joseph.hee...@fintechlabs.io] > Sent: Monday 18 November 2019 14:49 > To: Torsten Lodderstedt > Cc: Robache Hervé; oauth@ietf.org > Subject: Re: [OAUTH-WG] Question regarding RFC 8628 > > Hi all, > > Thanks, Torsten. > > > On

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-26 Thread Torsten Lodderstedt
> From: Joseph Heenan [mailto:joseph.hee...@fintechlabs.io] > Sent: Monday 18 November 2019 14:49 > To: Torsten Lodderstedt > Cc: Robache Hervé; oauth@ietf.org > Subject: Re: [OAUTH-WG] Question regarding RFC 8628 > > Hi all, > > Thanks, Torsten. > > > O

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-18 Thread Joseph Heenan
Hi Hervé > On 18 Nov 2019, at 14:20, Robache Hervé wrote: > > Thanks Joseph > > I agree with you. There should be no issue when the URL is registered during > the TPP app installation. > > From my perspective, this URL should be passed during the authorization > request within the [redirec

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-18 Thread Joseph Heenan
Hi all, Thanks, Torsten. > On 18 Nov 2019, at 13:22, Torsten Lodderstedt wrote: > > Hi Hervé, > > looping in Joseph. > >> On 18. Nov 2019, at 21:17, Robache Hervé > > wrote: >> >> Thanks Torsten >> >> Yes, we study this flow as well. Actually we consider the tw

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-18 Thread Torsten Lodderstedt
Hi Hervé, looping in Joseph. > On 18. Nov 2019, at 21:17, Robache Hervé wrote: > > Thanks Torsten > > Yes, we study this flow as well. Actually we consider the two following flows > for a mobile-based authentication > > - DECOUPLED : via a RFC8628-derived or CIBA approach (as sugg

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-18 Thread Torsten Lodderstedt
Hi Hervé, I assume you want to allow the TPP to send the PSU to the bank’s app on the same device? In that case, why don’t you just make the bank’s authorization endpoint URL the universal link? If the universal link is defined on the smartphone (since the bank’s app is installed), the redirec

Re: [OAUTH-WG] Question regarding RFC 8628

2019-11-18 Thread Rob Otto
Salut Hervé I wonder if you have looked at all at the OpenID Connect Client-Initiated BackChannel Authentication (CIBA) flow for this use case? Certainly the feeling amongst the Open Banking community here in the UK is that it might be a better fit for decoupled authentication than the Device Aut