*[+architecture]*

Hi Ruwan,

As mentioned in my original mail, I am calling them "untrusted" because they are 3rd parties to IS, and we can't guarantee that they will send authentication requests in the way we want them to under a particular scenario.

For example, one of the SCA authentication rules in OB is that, at any time when the AISP makes a request to view the transaction details after 90 days have passed since the previous authentication, the authorization server has to re-authenticate the user. In this scenario we can't expect that the TPP will send a force authentication request with prompt=login or send appropriate LOA values. It needs to be solely enforced by IS to force authentication if 90 days have elapsed.

So I am trying to figure out how this can be implemented in IS with/without extensions. And if we need extensions, what are the correct extensions to do so.

Regards,
Johann.

On Thu, Apr 18, 2019 at 7:02 PM Ruwan Abeykoon <[email protected]> wrote:

> Hi Johann,
> Can you please explain what is the "untrusted application", what is the
> logic to decide an SP is untrusted, and what would be the behavior when it
> is "untrusted"?
>
> Cheers,
> Ruwan A

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
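The rule described in the message above, sketched as an added example that is not part of the original thread and is not WSO2 Identity Server code or one of its extension points: the authorization server decides on re-authentication from its own record of the last login, and the TPP's `prompt` and `max_age` parameters can only tighten that decision, never relax it. The function name, the `sca_scope` flag and the return labels are hypothetical; `prompt`, `max_age` and `login_required` are the standard OpenID Connect names, and `prompt` is simplified to a single value.

```python
from datetime import datetime, timedelta, timezone

SCA_MAX_AGE = timedelta(days=90)  # server-side policy taken from the rule in the mail


def reauth_decision(last_auth, now, prompt=None, max_age=None, sca_scope=True):
    """Return 'reauthenticate', 'login_required' or 'reuse_session'.

    last_auth : time of the user's previous authentication, None if unknown
    prompt    : OIDC prompt value sent by the TPP, may be absent
    max_age   : OIDC max_age in seconds sent by the TPP, may be absent
    sca_scope : hypothetical flag, True for a transaction-details request
    """
    # Start from what the client asked for, then tighten with server policy.
    limit = timedelta(seconds=max_age) if max_age is not None else None
    if sca_scope:
        limit = SCA_MAX_AGE if limit is None else min(limit, SCA_MAX_AGE)

    stale = (
        last_auth is None        # no record of a login: treat as expired
        or last_auth > now       # timestamp in the future: do not trust it
        or (limit is not None and now - last_auth >= limit)
    )
    if prompt == "login" or stale:
        # prompt=none forbids showing a login page, so the request fails with
        # login_required instead of silently reusing the old session.
        return "login_required" if prompt == "none" else "reauthenticate"
    return "reuse_session"


def demo():
    """Run the decision over constructed sample requests."""
    now = datetime(2019, 4, 18, 12, 0, tzinfo=timezone.utc)  # constructed clock
    old, recent = now - timedelta(days=91), now - timedelta(days=10)
    return {
        "TPP sends nothing, 91 days": reauth_decision(old, now),
        "TPP sends nothing, 10 days": reauth_decision(recent, now),
        "TPP sends prompt=none, 91 days": reauth_decision(old, now, prompt="none"),
        "TPP sends max_age of 1 year, 91 days": reauth_decision(old, now, max_age=31536000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```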
