Guidance required for decoupled
There is a strong requirement in the EU to support decoupled flows.
We have a draft CIBA profile, but we’ve also discussed the fact that in browser based scenarios an “invisible iframe” could be used for a decoupled flow. It would be good to document this and decide if we are happy to continue with the CIBA draft.
Comments (8)
-
-
I guess it's worth defining de-coupled; I think what is meant in this context is "not redirected" as opposed to the authorisation step can be fully de-coupled (e.g. from web to phone to web etc.)
-
reporter Yep decoupled means that the user agent isn't redirected so that on the primary device (consumption device) the user stays within the client application.
-
- changed status to open
Any updates? What is the target date? Can we just defer to CIBA Profile doc?
-
- changed status to closed
It will be a different draft. Some info on FAPI page will help.
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
- Log in to comment
I have begun a conversation with T-Mobile in the US on a way to strongly ID the phone. The guy doing this is not happy with CIBA and has expressed plans to offer an alternate to MODRNA. I will be discussing this more in the US context over the next weeks. This is related to my pull request to add strong IDs to EVERY digital entity in any FAPI interchange.