[OAUTH-WG] Example of financial aggregator authorization

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 12 May 2020 14:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Gm1K_5jE3VDAcMWKB2HnodfZMDA>

Hey all,

As mentioned on the call yesterday, here's an example of Capital One's financial data sharing flow for aggregators. Intuit's Mint is used in this example but others like Simplifi (Quicken) also use this flow. Chase and Capital One are the only two of my personal financial providers that provide delegated authorization vs screen scraping with direct user credentials.

Screencast of flow and Capital One-side screenshots:
https://1drv.ms/u/s!AkYnERHf4_toguJP2ZSDduOgkha9Zg?e=3GWW2d

Data sharing link presented during consent:
https://www.capitalone.com/legal/datasharing-terms-conditions

Hope this helps.
tim


Tim Cappalli | @timcappalli <https://www.twitter.com/timcappalli>