> On 8. Jul 2020, at 23:52, Neil Madden <[email protected]> wrote:
>
>>
>> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <[email protected]> wrote:
>>
>>> On 08.07.2020 at 20:46, Neil Madden <[email protected]> wrote:
>>>
>>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <[email protected]>
>>> wrote:
>>>>>>
>>>>>> What in particular should the user consent to in this step?
>>>>>
>>>>> “FooPay would like to:
>>>>> - initiate payments from your account (you will be asked to approve each
>>>>> one)”
>>>>>
>>>>> The point is that a client that I don’t have any kind of relationship
>>>>> with can’t just send me a request to transfer $500 to some account.
>>>>
>>>> Are we talking about legal consent or a security measure here?
>>>
>>> Normal OAuth consent. My phone is my resource, and I am its resource owner.
>>> If a client wants to send payment requests to my phone (e.g. via CIBA
>>> backchannel) then it should have to get my permission first. Even without
>>> backchannel requests, I’d much rather that only the three clients I’ve
>>> explicitly consented to can ask me to initiate payments rather than the
>>> hundreds/thousands of clients my bank happens to have a relationship with.
>>
>> To me it sounds like you would like to require a client to get user
>> authorization to send an authorization request. Would you require the same
>> if I used scope values to encode a payment initiation request?
>
> Yes. If something is sufficiently high value to require per-transaction
> authorization then initiating transactions itself becomes a privileged
> operation.

The per-transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?

>
>>>>
>>>> In case of open banking the user legally consents to this process at the
>>>> client (TPP) even before the OAuth/Payment Initiation dance starts.
>>>
>>> How does the bank (ASPSP) confirm that this actually happened?
>>
>> It does not because it is not the responsibility of the ASPSP. The TPP is
>> obliged by law to obtain consent.
>
> If the TPP can be trusted to obey the law about this, why not also trust them
> to be honest about transactions? Why enforce one thing with access tokens but
> take the other on trust? Especially as the actual transactions are more
> likely to have a rigorous audit trail.
>
> If we could trust clients to obtain consent we wouldn’t need OAuth at all.

I thought the same initially, but we must distinguish between legal consent and strong authentication/transaction authorization in such a case. Legal consent can be obtained in various ways, including the traditional OAuth user consent but also in other places. Authenticating the user (probably with 2FA) and getting authorization for a certain transaction (the meaning of PSD2 SCA) must be conducted by the AS.

>
> — Neil
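As an added example (not code from the thread or from either participant), the following models the two layers the exchange above debates from the authorization server's side: a standing, user-granted client consent ("FooPay may initiate payments from your account") that gates whether a client's payment request is presented to the user at all, and the per-transaction authorization (PSD2 SCA) that the AS performs for every payment. The toggle `require_client_consent` switches between the model Neil argues for and the model where any TPP the bank has a relationship with may send requests; all names and values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    client_id: str
    user_id: str
    amount: float
    creditor: str


@dataclass
class AuthorizationServer:
    # Clients the bank (ASPSP) has a relationship with, i.e. registered TPPs.
    registered_clients: set
    # Layer 1 switch: must a client hold a standing, user-granted consent
    # before the AS presents one of its payment requests to the user?
    require_client_consent: bool = True
    # user_id -> set of client_ids that user has consented to (constructed store).
    client_consents: dict = field(default_factory=dict)

    def grant_client_consent(self, user_id, client_id):
        """Layer 1: the user approves 'initiate payments from my account' for a client."""
        if client_id not in self.registered_clients:
            raise PermissionError(f"unknown client {client_id!r}")
        self.client_consents.setdefault(user_id, set()).add(client_id)

    def accept_request(self, req):
        """Gatekeeping before a request ever reaches the user's device."""
        if req.client_id not in self.registered_clients:
            return False, "client not registered with this bank"
        consented = self.client_consents.get(req.user_id, set())
        if self.require_client_consent and req.client_id not in consented:
            return False, "client has no standing consent from this user"
        return True, "request may be presented to the user"

    def authorize_transaction(self, req, sca_ok, user_approved):
        """Layer 2: per-transaction authorization, required in both models."""
        accepted, reason = self.accept_request(req)
        if not accepted:
            return False, reason
        if not sca_ok:
            return False, "strong customer authentication failed"
        if not user_approved:
            return False, f"user declined payment of {req.amount:.2f} to {req.creditor}"
        return True, "transaction authorized"
```

In the strict model an unknown-to-the-user TPP is refused before any push reaches the phone; in the relationship-only model it is admitted, and only the per-transaction step stands between it and the user.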
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
