> On 13 Jul 2020, at 09:29, Torsten Lodderstedt <[email protected]> wrote:
>
>> On 9. Jul 2020, at 19:58, Neil Madden <[email protected]> wrote:
>>
>> The point is that RAR can’t make payment transactions the primary use-case,
>> emphasised throughout the draft, and then fail to even discuss this issue or
>> make any kind of suggestion as to how to handle it.
>
> I’m still trying to understand the issue and your proposed solution. What you
> are suggesting is an OAuth authorization to subsequently send another more
> detailed or transactional OAuth authorization.
>
> If your basic assumption is that users just accept a payment confirmation
> screen, why do you think the additional pre-authorization won’t be accepted
> straight away?

It’s not about having two authorization screens. It’s about allowing users to manage their relationship with a client just as they can for any other OAuth client. If a normal OAuth client behaves badly I can go and revoke my grant of access to that client. I can’t do that with the transactional uses of RAR because each one is a blank slate. Having individual transactions tied to an overall grant of authority lets the user control which clients they interact with and which they trust. To me, this (user consent and control) is a fundamental strength of OAuth and any approach to transactional authorization using OAuth should preserve this.

The other point I was making is that when the transactional authorization occurs over a backchannel then it is much better if the user has previously explicitly authorized that client over a front channel, e.g. when they first installed an app. I’m not suggesting that the AS would send two backchannel authorization requests instead of one.

> The way PSD2 uses to secure such transactions is transaction authorization
> using a dynamic second factor (called strong customer authentication). I
> assume the rationale is SCA will make users think before they confirm.

I hope so. But given that authN usually occurs before the consent stage, the user may not know what it is they are consenting to before they complete 2FA.

— Neil

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
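As an added illustration of the design point made in the message above (this is example code written for this page, not code from the thread, from the RAR draft, or from any project), here is a toy authorization server in which every RAR-style transactional authorization request must hang off a grant the user approved earlier over the front channel, so that revoking that grant refuses all later backchannel transactions from the client. The authorization_details field names (type, actions, instructedAmount, creditorName, creditorAccount) follow the shape of the RAR draft's payment example; the grant bookkeeping, the validation rules and the use of the error codes invalid_grant and invalid_authorization_details are my assumptions, and all client, user and account values are constructed.

```python
# Added example (not from the thread or the RAR draft): a toy authorization
# server in which every RAR transactional authorization must hang off an
# unrevoked grant that the user approved over the front channel earlier.
# The authorization_details field names follow the RAR draft's payment
# example; the grant bookkeeping, validation rules and error codes used
# here are assumptions made for this illustration.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import secrets


@dataclass
class Grant:
    """One front-channel approval of a client by a user: the overall grant
    of authority that later transactions are tied to and that the user can
    revoke as a whole."""
    user: str
    client_id: str
    allowed_types: frozenset          # authorization_details types the user approved
    revoked: bool = False
    transactions: list = field(default_factory=list)


def _valid_payment(entry):
    """Minimal structural check of a payment_initiation entry (assumed rules):
    3-letter currency, positive decimal amount, non-empty creditor IBAN."""
    amount = entry.get("instructedAmount")
    creditor = entry.get("creditorAccount")
    if not isinstance(amount, dict) or not isinstance(creditor, dict):
        return False
    currency = amount.get("currency")
    if not (isinstance(currency, str) and len(currency) == 3 and currency.isalpha()):
        return False
    try:
        if Decimal(str(amount.get("amount"))) <= 0:
            return False
    except InvalidOperation:
        return False
    return isinstance(creditor.get("iban"), str) and bool(creditor["iban"])


class AuthServer:
    def __init__(self):
        self.grants = {}  # grant_id -> Grant

    def front_channel_consent(self, user, client_id, allowed_types):
        """User explicitly authorizes the client over the front channel
        (e.g. at app install); returns the grant id the client keeps."""
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = Grant(user, client_id, frozenset(allowed_types))
        return grant_id

    def revoke_grant(self, grant_id):
        """The user withdraws trust in the client: every later backchannel
        transaction request under this grant is refused."""
        self.grants[grant_id].revoked = True

    def authorize_transaction(self, grant_id, client_id, authorization_details):
        """Backchannel transactional authorization (RAR-style). Accepted only
        if the named grant exists, is unrevoked, belongs to this client and
        covers every requested authorization_details type."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked or grant.client_id != client_id:
            return {"ok": False, "error": "invalid_grant"}
        if not isinstance(authorization_details, list) or not authorization_details:
            return {"ok": False, "error": "invalid_authorization_details"}
        for entry in authorization_details:
            if not isinstance(entry, dict) or entry.get("type") not in grant.allowed_types:
                return {"ok": False, "error": "invalid_authorization_details"}
            if entry["type"] == "payment_initiation" and not _valid_payment(entry):
                return {"ok": False, "error": "invalid_authorization_details"}
        token = secrets.token_urlsafe(24)
        grant.transactions.append({"access_token": token, "details": authorization_details})
        return {"ok": True, "access_token": token, "authorization_details": authorization_details}

    def transactions_under(self, grant_id):
        """What a user reviewing a client would see: every transaction that
        was authorized under this grant."""
        return [t["details"] for t in self.grants[grant_id].transactions]


# Constructed sample data: not a real client, user, merchant or account.
SAMPLE_PAYMENT = [{
    "type": "payment_initiation",
    "actions": ["initiate"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Example Merchant",
    "creditorAccount": {"iban": "DE00000000000000000000"},
}]


def demo():
    """Consent, one transaction, a request from the wrong client, revocation,
    and the refused retry; returns the results so they can be inspected."""
    as_ = AuthServer()
    grant_id = as_.front_channel_consent("alice", "shop-app", ["payment_initiation"])
    first = as_.authorize_transaction(grant_id, "shop-app", SAMPLE_PAYMENT)
    wrong_client = as_.authorize_transaction(grant_id, "other-app", SAMPLE_PAYMENT)
    as_.revoke_grant(grant_id)
    after_revoke = as_.authorize_transaction(grant_id, "shop-app", SAMPLE_PAYMENT)
    return first, wrong_client, after_revoke, as_.transactions_under(grant_id)


if __name__ == "__main__":
    for result in demo()[:3]:
        print(result.get("error", "ok"))
```

The point of the structure is that the transaction record lives under the grant: a transaction is never a "blank slate", the user can list everything a client did under the grant, and revoking the grant is enough to stop the client, exactly as for an ordinary OAuth client. Whether the user actually reads the transaction details before completing the second factor is a separate question that this bookkeeping does not answer.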
