
Change Request: Third party account linking discovery requires prior user authorisation #123

Open
PaulGregoryBaker opened this issue May 31, 2023 · 0 comments
Assignees
Labels
thirdparty-change-request Change request for the PISP / third party API

Comments

@PaulGregoryBaker

Open API for FSP Interoperability - Change Request

The sharing of account information from a DFSP to a PISP can only occur after explicit permission for that has been granted by the Party. This requirement is outlined in the open banking standard guidelines. The current API doesn't directly support this.

1. Preface

___

It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.

1.1 Change Request Information

Requested By: Paul Baker, INFITX
Change Request Status: In review ☐ / Approved ☐ / Rejected ☐
Approved/Rejected Date:

1.2 Document Version Information

| Version | Date | Author | Change Description |
|---|---|---|---|
| 1.0 | 2023-06-01 | Paul Baker | Initial version. |

2. Problem Description

___

2.1 Background

The sharing of account information from a DFSP to a Third Party Provider can only occur after explicit permission for that has been granted by the Party. The current third party API v1.0 and v2.0 do not support obtaining the consent directly and would require obtaining this consent out of band.
In the API documentation the account linking discovery occurs before /tppConsentRequests and /tppConsents are called.
It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.

Example: GET /tppAccounts/{userId} can only be fulfilled by the DFSP after the Party provides consent to the DFSP for this.

2.2 Current Behaviour

The current /tppConsentRequests API requires

  • accounts to be provided with actions (this cannot be provided, as the account information has not yet been obtained),
  • consents that are once-off.

Example: It is not possible to create a once-off consent to obtain account information from a DFSP using /tppConsentRequests and /tppConsents.

2.3 Requested Behaviour

The account linking third party discovery call may not be required before the web auth flow, as the selected account could be returned in the JWT; in the OTP flow, however, this cannot be done, so the Party will be required to authenticate twice: the first time to grant consent for obtaining the account information for the user, and the second to define the third party scope action against a particular account.

Example: the account access consent is added prior to the account discovery flow. (This is described in more detail in the sequence diagram below.)

3. Proposed Solution Options

___

Please see the sequence diagram for the proposed change. **Note.** A once-off permission does not require credential registration.

Attachment (sequence diagram): 3PPIAccountLinking_v2.0.svg
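The following is an added illustration of the access-control rule behind sections 2.3 and 3, not code from this change request or from the Mojaloop project: a toy DFSP that only serves GET /tppAccounts/{userId} against a once-off consent obtained through /tppConsentRequests and /tppConsents after the Party has authenticated over the OTP channel, and that refuses the discovery call both before consent exists and when the once-off consent is presented a second time. The action name `ACCOUNT_DISCOVERY`, the class and method names, the in-memory stores and the sample account data are all assumptions made for this example.

```python
"""Toy DFSP model: account discovery is allowed only behind a once-off consent.

Assumed, not from the thirdparty API specification: the action name, the
method names, the in-memory stores and the constructed sample accounts.
"""
from dataclasses import dataclass
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed action name for the once-off "account information" consent.
ACCOUNT_DISCOVERY = "ACCOUNT_DISCOVERY"


class ConsentError(Exception):
    """Raised when a request is not backed by a valid consent."""


@dataclass
class Consent:
    consent_id: str
    pisp_id: str
    user_id: str
    actions: List[str]
    once_off: bool
    used: bool = False


class Dfsp:
    """Minimal DFSP holding consent requests, consents and account data."""

    def __init__(self) -> None:
        # Constructed sample account data keyed by userId.
        self.accounts: Dict[str, List[dict]] = {
            "alice": [
                {"accountNickname": "Everyday", "id": "dfsp.alice.1", "currency": "USD"},
                {"accountNickname": "Savings", "id": "dfsp.alice.2", "currency": "USD"},
            ]
        }
        self.pending: Dict[str, dict] = {}     # consentRequestId -> request
        self.consents: Dict[str, Consent] = {}  # consentId -> Consent

    # Models POST /tppConsentRequests: the PISP asks for a once-off
    # account-information consent; the DFSP sends the Party an OTP.
    def post_consent_request(self, pisp_id: str, user_id: str) -> Tuple[str, str]:
        if user_id not in self.accounts:
            raise ConsentError("unknown user")
        request_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = {"pisp_id": pisp_id, "user_id": user_id, "otp": otp}
        # The OTP goes to the Party out of band; it is returned here only so
        # the demo below can play the Party's role.
        return request_id, otp

    # Models the Party authenticating over the OTP channel; on success the
    # DFSP issues a once-off consent scoped to account discovery.
    def authorise(self, request_id: str, otp: str) -> str:
        req = self.pending.pop(request_id, None)
        if req is None:
            raise ConsentError("unknown consent request")
        if not secrets.compare_digest(req["otp"], otp):
            raise ConsentError("authentication failed")
        consent = Consent(secrets.token_hex(8), req["pisp_id"], req["user_id"],
                          [ACCOUNT_DISCOVERY], once_off=True)
        self.consents[consent.consent_id] = consent
        return consent.consent_id

    # Models GET /tppAccounts/{userId}: served only against a consent that
    # matches the calling PISP and the user, covers discovery, and is unused.
    def get_tpp_accounts(self, pisp_id: str, user_id: str,
                         consent_id: Optional[str]) -> List[dict]:
        consent = self.consents.get(consent_id) if consent_id else None
        if consent is None or consent.pisp_id != pisp_id or consent.user_id != user_id:
            raise ConsentError("no consent from this Party for this PISP")
        if ACCOUNT_DISCOVERY not in consent.actions:
            raise ConsentError("consent does not cover account discovery")
        if consent.once_off:
            if consent.used:
                raise ConsentError("once-off consent already used")
            consent.used = True
        return list(self.accounts[user_id])


def demo() -> dict:
    """Run the proposed flow end to end and record the outcome of each step."""
    dfsp = Dfsp()
    result: dict = {}
    try:  # 1. Discovery before any consent is refused.
        dfsp.get_tpp_accounts("pisp-a", "alice", None)
        result["before_consent"] = "allowed"
    except ConsentError as exc:
        result["before_consent"] = str(exc)
    # 2. Consent request, OTP authentication by the Party, consent issued.
    request_id, otp = dfsp.post_consent_request("pisp-a", "alice")
    consent_id = dfsp.authorise(request_id, otp)
    # 3. Discovery succeeds exactly once against the once-off consent.
    result["accounts"] = dfsp.get_tpp_accounts("pisp-a", "alice", consent_id)
    try:  # 4. Replaying the same consent is refused.
        dfsp.get_tpp_accounts("pisp-a", "alice", consent_id)
        result["reuse"] = "allowed"
    except ConsentError as exc:
        result["reuse"] = str(exc)
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point of the model is that the DFSP, not the PISP, is the party that enforces the rule: the discovery endpoint checks for a consent bound to the calling PISP and the user, and a once-off consent is marked used on first service so that it cannot be presented again.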
