Re: [OAUTH-WG] Question regarding RFC 8628

Rob Otto <> Mon, 18 November 2019 08:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 845A71200CE for <>; Mon, 18 Nov 2019 00:40:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vHSz0HAU_IcA for <>; Mon, 18 Nov 2019 00:39:58 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4A71A1200BA for <>; Mon, 18 Nov 2019 00:39:58 -0800 (PST)
Received: by with SMTP id w7so9376047plz.12 for <>; Mon, 18 Nov 2019 00:39:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KKv4jp4qF7g2bgyo4zVL5YXKShXqimDj7R/pwZCGc2E=; b=TlPg4qJdEmzYtfE/xvLgbFyx/B7I0ova37z6E+pyH/jBQgISAiQPmusAW6fBKVPqbQ 7p2FsMUTnkZcZ27wwTxl+3RdF+SmKvc7bRNBZAAoHQYVmFRlqcYrSTOwiUeFY7C8XZzt UDLUV2TPqya1cUBQU+yZUfV3Eq+fgXGi0Q2OgEBvdrxRGm8+Yn9+s6PVHtmB/AbMflsr YHxNShv8ylKaIGWXlLZVlTpFLIzmpdVFzuFtdqduLS23dxuF2ZUgD5htH036JZTUYUPo nZIlRW4OtMtCoUpmDMaLTioVXQIQT0N9bMONkpz+ZaxIjN6ofeCReq5TNrjiCQNGmzbH li0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KKv4jp4qF7g2bgyo4zVL5YXKShXqimDj7R/pwZCGc2E=; b=GN628/UZ2l6Cexo0H9S+eLIivMKk9PHk1GU/eoq/PhHqJcMGdCMouMNKTdSF+iWGoQ LtprlwJBCR89kt+dQAluJbpKWavHQDi2YzHxv3wySH4NKSAAkfnqNtbANZaVBatgBi9w ytBPNPcU+bHxUNfiXgt2UyOvGzLouBl619auyWrx5XSMjeoenZshclWONbhbTs7XIB+9 onftF+5lX6sRKIjxDhAbihVg/sYHVEMz1lp5PXOj75Tl5qtFJ33wQ7sNM3l+shzN5Y8O CPBHpc5XSPmur+4Z86M9uyCAVNRn796afX+YaFT0/bsUq9Cp6P9w4dMzM5n6jedD+NQD JtWg==
X-Gm-Message-State: APjAAAUE8tjonh3+6WxbrO3LhJT9JqCKG6oGE0lt4yL+VtPCefIGp6Hn in+zCrXl2/kBYw0vVBWsVgvuhI4cJvekDIjMg2ytQffQo2R10sdqse0GzhOvzo54xZpbHFVQj/s zvp2Z4E6cjrGyS3b3
X-Google-Smtp-Source: APXvYqwWUpImKV0Xf9cORzebyqVgn5mzJl/MXOsWuo9C4IpsQmcgj9YjdpXNqnDE3yz+nz4UCwDQYKiuY1Eqea3Ufd4=
X-Received: by 2002:a17:902:b481:: with SMTP id y1mr1220863plr.76.1574066397501; Mon, 18 Nov 2019 00:39:57 -0800 (PST)
MIME-Version: 1.0
References: <dc925414da474a0a85d0b28be3009679@STEMES002.steteu.corp>
In-Reply-To: <dc925414da474a0a85d0b28be3009679@STEMES002.steteu.corp>
From: Rob Otto <>
Date: Mon, 18 Nov 2019 08:39:46 +0000
Message-ID: <>
To: Robache Hervé <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="00000000000079f65105979ae44e"
Archived-At: <>
Subject: Re: [OAUTH-WG] Question regarding RFC 8628
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Nov 2019 08:40:02 -0000

Salut Hervé

I wonder if you have looked at all at the OpenID Connect Client-Initiated
BackChannel Authentication (CIBA) flow for this use case? Certainly the
feeling amongst the Open Banking community here in the UK is that  it might
be a better fit for decoupled authentication than the Device Authorisation
Grant. There is even a FAPi (Financial-Grade API) profile of CIBA that is
making its way through the standardisation process - and even has a working
conformance testing suite.

The other option, that could make life easier when it comes to the final
step you mention (switching back to the TPP app from the Bank app) is to
use an app-to-app redirect model under OIDC. Again this is a popular model
for same-device scenarios that's been implemented by many banks here in the

If you'd like more information on either of these approaches, I'm happy to

Best regards

On Mon, 18 Nov 2019 at 08:24, Robache Hervé <> wrote:

> Dear all
> We are considering using RFC8628 for a specific use case that is related
> to the version 2 of Payment Service Directive in Europe (PSD2).
> The purpose of the work is to provide a decoupled authentication flow for
> a payment Service User (PSU) aiming to grant access to a Third Party
> Provider (TPP) for his/her data hosted by a Bank.
> The sequence should be as followed:
> -          Nominal flow (as specified by the RFC)
> o   The TPP asks the PSU about the Bank identity
> o   The TPP posts a Device Access Token Request to the Bank
> o   The Bank sends back a Device Access Token response to the TPP
> o   The TPP starts to poll the bank for gaining the access token
> -          Derived flow
> o   The “verification_uri_complete” will not be displayed to the PSU but
> used as an [app link]/[universal link] on a smartphone in order to launch
> the bank’s app.
> o   The bank’s app authenticates the PSU and asks for consent confirmation
> -          Back to the nominal flow
> o   The TPP gets its access token
> Two questions have raised during the work
> -          As RFC8628 is supposed to work on separate devices, can the
> usage be extrapolated to separate apps on the same device (i.e. the PSU’s
> smartphone)?
> -          One issue of the derived flow is that, after authentication,
> the PSU is still facing the bank’s app
> o   We would like to go back to the TPP’s app as fluently as possible.
> The use of another [app link]/[universal link]could do the job is provided
> by the TPP. We consider adding this uri as an additional parameter to the
> “verification_uri_complete”.
> o   Is this compliant with RFC8628?
> Thanks in advance for your answers.
> Hervé Robache
> Ce message et toutes les pièces jointes sont établis à l'intention
> exclusive de ses destinataires et sont confidentiels.
> Si vous recevez ce message par erreur ou s'il ne vous est pas destiné,
> merci de le détruire ainsi que toute copie de votre système et d'en avertir
> immédiatement l'expéditeur.
> Toute lecture non autorisée, toute utilisation de ce message qui n'est pas
> conforme à sa destination, toute diffusion ou toute publication, totale ou
> partielle, est interdite.
> L'Internet ne permettant pas d'assurer l'intégrité de ce message
> électronique susceptible d'altération, STET décline toute responsabilité au
> titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou
> falsifié.
> N'imprimez ce message que si nécessaire, pensez à l'environnement.
> This message and any attachments is intended solely for the intended
> addressees and is confidential.
> If you receive this message in error, or are not the intended
> recipient(s), please delete it and any copies from your systems and
> immediately notify the sender.
> Any unauthorized view, use that does not comply with its purpose,
> dissemination or disclosure, either whole or partial, is prohibited.
> Since the internet cannot guarantee the integrity of this message which
> may not be reliable, STET shall not be liable for the message if modified,
> changed or falsified.
> Do not print this message unless it is necessary, please consider the
> environment.
> _______________________________________________
> OAuth mailing list

<>[image: Ping Identity]
Rob Otto
EMEA Field CTO/Solutions Architect

c: +44 (0) 777 135 6092
Connect with us: [image: Glassdoor logo]
LinkedIn logo] <> [image: twitter
logo] <> [image: facebook logo]
<> [image: youtube logo]
<> [image: Google+ logo]
<> [image: Blog logo]

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._