> Am 08.07.2020 um 20:46 schrieb Neil Madden <neil.mad...@forgerock.com>: > > On 8 Jul 2020, at 19:03, Torsten Lodderstedt <tors...@lodderstedt..net> > wrote: >>>> >>>> What in particular should the use consent with in this step? >>> >>> “FooPay would like to: >>> - initiate payments from your account (you will be asked to approve each >>> one)” >>> >>> The point is that a client that I don’t have any kind of relationship with >>> can’t just send me a request to transfer $500 to some account. >> >> Are we talking about legal consent or a security measures here? > > Normal OAuth consent. My phone is my resource, and I am its resource owner.. > If a client wants to send payment requests to my phone (e.g. via CIBA > backchannel) then it should have to get my permission first. Even without > backchannel requests, I’d much rather that only the three clients I’ve > explicitly consented to can ask me to initiate payments rather than the > hundreds/thousands clients my bank happens to have a relationship with.
To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request? > >> >> In case of open banking the user legally consents to this process at the >> client (TPP) even before the OAuth/Payment Initiation dance starts. > > How does the bank (ASPSP) confirm that this actually happened? It does not because it is not the responsibility of the ASPSP. The TPP is obliged by law to obtain consent. > > — Neil
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
