You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: profiles/read-write-data-api-profile.md
+31-43Lines changed: 31 additions & 43 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -833,11 +833,17 @@ The `id_token` is a signed JWT that consists of a number of claims that identify
833
833
As the `id_token` is signed by the ASPSP and bound to a specific TPP (through the `aud` claim), the `id_token` could be leveraged to *identify* the PSU in subsequent authorisation requests. OIDC caters for this by allowing the `id_token` to be passed into an authorization code grant request as the `id_token_hint` query parameter (as documented [here](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)).
834
834
835
835
#### CIBA
836
-
The [Client Initiated Back-channel Authentication flow](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) is part of the OpenID specifications. A [FAPI Profile of the CIBA specification](https://bitbucket.org/openid/fapi/src/a9e55356b5f233af804227d5001d3c32d23d1a91/Financial_API_WD_CIBA.md?at=master&fileviewer=file-view-default) is available and ASPSPs that implement CIBA **must** adhere to the profile. An ASPSP **may** optionally implement the CIBA flow to allow PSUs to authenticate themselves using a decoupled *authentication device* that is distinct from the *consumption device* on which they consume the TPP application.
836
+
The [Client Initiated Back-channel Authentication flow](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) is part of the OpenID specifications.
837
+
838
+
FAPI has published [Financial-grade API: Client Initiated Backchannel Authentication Profile](https://openid.net/specs/openid-financial-api-ciba-ID1.html).
839
+
840
+
ASPSPs that implement CIBA **must** adhere to the profile.
841
+
842
+
An ASPSP **may** optionally implement the CIBA flow to allow PSUs to authenticate themselves using a decoupled *authentication device* that is distinct from the *consumption device* on which they consume the TPP application.
837
843
838
844
##### Identifying the PSU
839
845
840
-
ASPSPs that implement CIBA must support one or more of the following methods of identifying the PSU that is to be authenticated using the `login_hint_token`.
846
+
ASPSPs that implement CIBA must support one or more of the following methods of identifying the PSU that is to be authenticated:
841
847
842
848
***User Id**: Using a static identifier that is shared by the ASPSP and the PSU. This could include a static identifier issued by the ASPSP (e.g., a user name, card number, account number) or a public identifier that allows the ASPSP to uniquely identify the PSU (e.g., an email address or phone number)
843
849
***Ephemeral User Id**: Using a dynamically generated, single use identifier issued by the ASPSP to the PSU. This could be a single use token generated on the PSU's authentication device or communicated to the PSU by any other means.
@@ -846,16 +852,24 @@ ASPSPs that implement CIBA must support one or more of the following methods of
846
852
847
853
An ASPSP **must** document on their developer portal, the methods of identifying a PSU the ASPSP supports.
848
854
849
-
If the ASPSP does not support a specific method of identifying a PSU, the ASPSP **must** return an authentication error with the error field set to invalid_request.
855
+
If the ASPSP does not support a specific method of identifying a PSU, the ASPSP **must** return an authentication error with the error field set to `invalid_request`.
850
856
851
-
Prior to creating the `login_hint_token` the TPP must create a consent. The generated consent id must be passed in the `http://openbanking.org.uk/openbanking-intent-id` custom claim. This allows the access token that is eventually generated to be bound to a specific consent.
852
857
853
-
###### Identifying the PSU Using a User Id
858
+
###### Identifying the consent to be authorised
859
+
For the OBIE APIs, all authentication journeys take place in the context of a consent.
860
+
861
+
CIBA does not define a standard mechanism for transmitting an identifier for the consent to the ASPSP. Additionally, FAPI-CIBA specifically states that the Authorization server:
862
+
> should not use the login_hint or login_hint_token to convey "intent ids" or any other authorization metadata
863
+
864
+
It goes on to suggest that additional contextual information should be passed in using one of the alternatives defined in the "Lodging Intent" pattern.
854
865
855
-
To identify a PSU through a user Id, the TPP **must** issue `login_hint_token` in the `bc_authorize` request that contains:
866
+
Prior to creating the issuing the `bc-authorize` request the TPP must create a consent.
867
+
The generated consent id must be passed in the request object as a parameter called `openbanking-intent-id`.
868
+
This allows the access token that is eventually generated to be bound to a specific consent.
856
869
857
-
* The custom claim `http://openbanking.org.uk/sit` set to the value UID
858
-
* At least one of the following claims with a value indicating the user Id:
870
+
###### Identifying the PSU Using a User Id
871
+
872
+
To identify a PSU through a user Id, the TPP **must** issue a `login_hint_token` in the `bc_authorize` request that contain at least one of the following claims with a value indicating the user id:
859
873
* sub
860
874
* preferred_username
861
875
* email
@@ -866,72 +880,46 @@ If the ASPSP support identification of the user through a static identifier, it
###### Identifying the PSU Using an Ephemeral User Id
890
897
891
-
To identify a PSU through an ephemeral user Id, the TPP **must** issue a `login_hint_token` in the `bc_authorize` request that contains:
892
-
893
-
* The custom claim `http://openbanking.org.uk/sit` set to the value EUID
894
-
* The claim sub populated with the ephemeral user Id
898
+
###### Identifying the PSU Using an Ephemeral User Id
899
+
To identify a PSU through an ephemeral user Id, the TPP **must** issue a `login_hint_token` in the `bc_authorize` request that contains the custom claim `ephemeral_sub` set to the ephemeral user id
To identify a PSU through an intent Id, the TPP **must** first create a consent resource with the ASPSP.
909
+
To identify a PSU through an intent Id, the only passes in the consent id as described in the previous section.
910
+
A `login_hint_token`**must not** be included in the request.
907
911
908
-
In order to initiate authentication, the TPP must lodge a `bc_authorize` request and then displaying the resulting `auth_req_id` and `intent_id` as a QR code which the user would scan using their banking app. The ASPSP would then link the user (who is authenticated in their banking app) with the authentication request.
912
+
In order to initiate authentication, the TPP must lodge a `bc_authorize` request and then display the resulting `auth_req_id` and `intent_id` as a QR code.
909
913
910
-
The TPP must provide a `login_hint_token` in the `bc_authorize` request that contains:
914
+
The PSU would authenticate themselves on the ASPSP's banking app and then scan the QR code.
911
915
912
-
* The custom claim `http://openbanking.org.uk/sit` set to the value IID
913
-
* The claim `http://openbanking.org.uk/openbanking_intent_id` set to the value of the intent Id that is being used.
0 commit comments