IETF Logo Mail Archive

Re: [OAUTH-WG] Question regarding RFC 8628

Robache Hervé <herve.robache@stet.eu> Mon, 18 November 2019 12:52 UTC

Return-Path: <herve.robache@stet.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF71F1200EB for <oauth@ietfa.amsl.com>; Mon, 18 Nov 2019 04:52:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXjQyug27MKy for <oauth@ietfa.amsl.com>; Mon, 18 Nov 2019 04:51:51 -0800 (PST)
Received: from mx.stet.eu (mx.stet.eu [85.233.205.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13231120933 for <oauth@ietf.org>; Mon, 18 Nov 2019 04:51:49 -0800 (PST)
Received: from mail.stet.eu ([10.17.2.22]) by mx.stet.eu with ESMTP id xAICpdNl015526-xAICpdNn015526 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=CAFAIL); Mon, 18 Nov 2019 13:51:48 +0100
Received: from STEMES002.steteu.corp (10.17.2.22) by STEMES002.steteu.corp (10.17.2.22) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 18 Nov 2019 13:51:39 +0100
Received: from STEMES002.steteu.corp ([fe80::61f9:86a6:9add:e621]) by STEMES002.steteu.corp ([fe80::61f9:86a6:9add:e621%14]) with mapi id 15.00.1497.000; Mon, 18 Nov 2019 13:51:39 +0100
From: Robache Hervé <herve.robache@stet.eu>
To: Rob Otto <robotto@pingidentity.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Question regarding RFC 8628
Thread-Index: AdWd5gc8ZXfXLSK0SieoRUzTBpAA7f//+qQA///n3HA=
Date: Mon, 18 Nov 2019 12:51:39 +0000
Message-ID: <0ce7423e876b4e2da16784ff9fc68916@STEMES002.steteu.corp>
References: <dc925414da474a0a85d0b28be3009679@STEMES002.steteu.corp> <CABh6VRGoRdXdbAKWKtyQ=U+6tDUkwPsfAP0MX=Thx1ghgd9T6A@mail.gmail.com>
In-Reply-To: <CABh6VRGoRdXdbAKWKtyQ=U+6tDUkwPsfAP0MX=Thx1ghgd9T6A@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.17.2.170]
x-tm-as-product-ver: SMEX-12.5.0.1684-8.5.1010-25050.006
x-tm-as-result: No-28.774400-8.000000-10
x-tmase-matchedrid: JczPR6FUc93+uOM1HR9kKkNkUF3WMuv+Ggp0q+mz1yi407GiW+CVSc9b cwXiFuSWNZ0s3M2km5zrcFn67wIg3UuxHaqL+0QRbX6mWnUTkk7fN6fVv5OHyi907ValgZ4AGFo 8MdqTS3TmLuzu9Gne750Xxwt4+TTdVxUYw7s8YeHIv6X8cjR/asG0UNgaZpYq2gp+A6golzbXEt bQ4pfyIxkoLV384ybqvz00KMC0SEliWc3NHA3wJUNa5QnT8mQ0nQrZDK7DrTqOz/LLJUcaHsmqr XFLFjsW6aX8TYIrj1vupB/5XQtwTejyN78/Hb2MdhxZTImqKvlFH6oTiImwh4ZS+fz1TDISe7ij Hq7g9oYo4AY+u5KaE9JXI3xMJLo+N862GpoHoW4sMLcUZMcjd4vptQwz5tsiVd3S2mFKAj2XfY/ lmJ+9hq2SwIjG5UkR4gWsqmD9xnCieKwFsiQ57XY8h0p1oFuR+/HV1Dwcb5ML8x6i8FR0Bc/CWS bNoQfbrzlon4myzZr/oJYIO0yI2FD6VYdTsIyV6BWIaO7/lBLM0ihsfYPMYW5WC0I3P32SXhMD2 hnuDHCQla2tm4cK8vxRYvlIka/inuVelB1S2Mz73t5CJqhvBd8N/D4ujap5FL4jEZr9gZy+fWK8 N2kAh9xwX69jh9hhoumPU7tM4n7GFLkwiylCdmITxiUN0d76wtE16arXsSKpvf+jmz45w/eawpJ 3WDjFH+mgUoY3FGAul2Xz8/HNUPKuRiDYbxBAZaZpTNSLyfah4ILTlgBL0Z03C0fPk8xKT0IkL8 xYhngag7kz9gRfd15Gypt9XNlwFfs8xPq3gEkPYEsh+enfbhKFZvMGZ730iV8Bbnt/wqmYEkyug eX07a9qwExAVIsfZLW0y3EpOpzIaMo5XhSSPDjAdLIal4R6ccjPZrEKJpSR/UEG+WVj4+Lgrhh/ Rk4aPM+bw2uf1ihpAVMLQROtaw==
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-tmase-result: 10--28.774400-8.000000
x-tmase-version: SMEX-12.5.0.1684-8.5.1010-25050.006
x-tm-snts-smtp: 7259E489C7B56FDF5853ABCAC3BE504AA8F7EF5E044B1D1300C05069AF654EA12000:9
Content-Type: multipart/related; boundary="_004_0ce7423e876b4e2da16784ff9fc68916STEMES002steteucorp_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CZIyo9DLMGALgLJYcv8fqDgvNSc>
Subject: Re: [OAUTH-WG] Question regarding RFC 8628
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 12:52:03 -0000

Hi Rob

Thanks for your answer.

Yes, we also studied CIBA. We are also aware that the REDIRECT app2app flow should be the easiest solution for a mobile-based authentication.

Best regards

Hervé

De : Rob Otto [mailto:robotto@pingidentity.com]
Envoyé : lundi 18 novembre 2019 09:40
À : Robache Hervé
Cc : oauth@ietf.org
Objet : Re: [OAUTH-WG] Question regarding RFC 8628

Salut Hervé

I wonder if you have looked at all at the OpenID Connect Client-Initiated BackChannel Authentication (CIBA) flow for this use case? Certainly the feeling amongst the Open Banking community here in the UK is that  it might be a better fit for decoupled authentication than the Device Authorisation Grant. There is even a FAPi (Financial-Grade API) profile of CIBA that is making its way through the standardisation process - and even has a working conformance testing suite.

The other option, that could make life easier when it comes to the final step you mention (switching back to the TPP app from the Bank app) is to use an app-to-app redirect model under OIDC. Again this is a popular model for same-device scenarios that's been implemented by many banks here in the UK.

If you'd like more information on either of these approaches, I'm happy to share.

Best regards
Rob



On Mon, 18 Nov 2019 at 08:24, Robache Hervé <herve.robache@stet.eu<mailto:herve.robache@stet.eu>> wrote:
Dear all

We are considering using RFC8628 for a specific use case that is related to the version 2 of Payment Service Directive in Europe (PSD2).

The purpose of the work is to provide a decoupled authentication flow for a payment Service User (PSU) aiming to grant access to a Third Party Provider (TPP) for his/her data hosted by a Bank.
The sequence should be as followed:

-          Nominal flow (as specified by the RFC)

o   The TPP asks the PSU about the Bank identity

o   The TPP posts a Device Access Token Request to the Bank

o   The Bank sends back a Device Access Token response to the TPP

o   The TPP starts to poll the bank for gaining the access token

-          Derived flow

o   The “verification_uri_complete” will not be displayed to the PSU but used as an [app link]/[universal link] on a smartphone in order to launch the bank’s app.

o   The bank’s app authenticates the PSU and asks for consent confirmation

-          Back to the nominal flow

o   The TPP gets its access token

Two questions have raised during the work

-          As RFC8628 is supposed to work on separate devices, can the usage be extrapolated to separate apps on the same device (i.e. the PSU’s smartphone)?

-          One issue of the derived flow is that, after authentication, the PSU is still facing the bank’s app

o   We would like to go back to the TPP’s app as fluently as possible. The use of another [app link]/[universal link]could do the job is provided by the TPP. We consider adding this uri as an additional parameter to the “verification_uri_complete”.

o   Is this compliant with RFC8628?

Thanks in advance for your answers.

Hervé Robache


Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
N'imprimez ce message que si nécessaire, pensez à l'environnement.

This message and any attachments is intended solely for the intended addressees and is confidential.
If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
Do not print this message unless it is necessary, please consider the environment.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


--
[Image supprimée par l'expéditeur. Ping Identity]<https://www.pingidentity.com>

Rob Otto
EMEA Field CTO/Solutions Architect
robertotto@pingidentity.com<mailto:robertotto@pingidentity.com>

c: +44 (0) 777 135 6092


Connect with us:

[Image supprimée par l'expéditeur. Glassdoor logo]<https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>[Image supprimée par l'expéditeur. LinkedIn logo]<https://www.linkedin.com/company/21870>[Image supprimée par l'expéditeur. twitter logo]<https://twitter.com/pingidentity>[Image supprimée par l'expéditeur. facebook logo]<https://www.facebook.com/pingidentitypage>[Image supprimée par l'expéditeur. youtube logo]<https://www.youtube.com/user/PingIdentityTV>[Image supprimée par l'expéditeur. Google+ logo]<https://plus.google.com/u/0/114266977739397708540>[Image supprimée par l'expéditeur. Blog logo]<https://www.pingidentity.com/en/blog.html>


[Image supprimée par l'expéditeur.]<https://www.pingidentity.com/en/events/d/identify-2019.html>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
N'imprimez ce message que si nécessaire, pensez à l'environnement.

This message and any attachments is intended solely for the intended addressees and is confidential.
If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
Do not print this message unless it is necessary, please consider the environment.

v2.23.0 | Report a Bug | By Email