- attached openbanking_ciba.png
CIBA: initiating a CIBA flow without a hint for identifying the user
The UK OB CIBA spec allows an RP to initiate a CIBA flow without providing any information to identify the user. (I’ve attached a sequence diagram showing how this works; the user is identified by the OP / on the AD.)
The CIBA spec does not currently provide a way to do this; it is mandatory to pass one of login_hint, login_hint_token or id_token_hint. (It works in the current OB spec because OB currently use login_hint_token to pass intent.)
It may be desirable to define a standard way to do this.
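As an added illustration of the rule the issue refers to (this is example code written for this page, not code from the OpenID Foundation, OB or any reference implementation), the following Python checks a backchannel authentication request body against the CIBA Core requirement that exactly one of login_hint, login_hint_token or id_token_hint is present. The OP-side function name validate_hints, the form-encoded request bodies and the token values are constructed assumptions; the "no_hint" sample is the shape of request this issue is about, which a spec-conformant OP has to reject today.

```python
"""Hint-rule validator for a CIBA backchannel authentication request.

Added example, not part of the original issue or of any OpenID/OB reference
implementation. It assumes the OP receives the POST body of a backchannel
authentication request as application/x-www-form-urlencoded text and must
enforce the CIBA Core rule that one (and only one) of login_hint,
login_hint_token or id_token_hint is supplied.
"""
from urllib.parse import parse_qs

HINT_PARAMS = ("login_hint", "login_hint_token", "id_token_hint")


def validate_hints(body: str) -> dict:
    """Return {"ok": True, "hint": <param name>} when exactly one hint is present,
    otherwise an OAuth-style {"ok": False, "error": ..., "error_description": ...}."""
    params = parse_qs(body, keep_blank_values=True)
    # A hint parameter that is present but empty does not identify anyone; treat it as absent.
    present = [p for p in HINT_PARAMS if any(v.strip() for v in params.get(p, []))]
    if not present:
        return {
            "ok": False,
            "error": "invalid_request",
            "error_description": "one of login_hint, login_hint_token or id_token_hint is required",
        }
    if len(present) > 1:
        return {
            "ok": False,
            "error": "invalid_request",
            "error_description": "only one user hint may be supplied, got: " + ", ".join(present),
        }
    return {"ok": True, "hint": present[0]}


# Constructed request bodies (client_id, scope and token values are placeholders).
SAMPLE_REQUESTS = {
    # The case raised in this issue: the RP identifies nothing about the user.
    "no_hint": "scope=openid+accounts&client_id=tpp-123&binding_message=ABC-123",
    # The way UK OB currently satisfies the rule: a login_hint_token carrying the intent.
    "login_hint_token_only": "scope=openid+accounts&client_id=tpp-123&login_hint_token=constructed.token.value",
    # Two hints at once is also a violation of the one-and-only-one rule.
    "two_hints": "scope=openid&client_id=tpp-123&login_hint=alice%40example.com&id_token_hint=constructed.id.token",
}


def check_samples() -> dict:
    """Run the validator over every constructed sample and return the results by name."""
    return {name: validate_hints(body) for name, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name}: {result}")
```

The point the validator makes explicit is the one in the issue: the rule is purely syntactic, so a login_hint_token that carries only an intent reference passes while a request that honestly omits the hint does not, which is why OB has to tunnel "the user will be identified later" through a hint parameter.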
Comments (5)

reporter: As Dave very sensibly pointed out on the mailing list, in almost all use cases where QR codes are involved it looks like the UX would be improved by doing the ‘decoupling’ on the TPP side and using a normal (non-CIBA) redirect flow on the “authentication device”:

So I still think this is a potentially valid use case, but not sure that we should say anything about it in the FAPI CIBA spec. If OB want to define a login_hint which just conveys the fact that the user will be identified later, then they can do that.

We discussed on the call and agreed that we don’t need to add anything about this to the FAPI CIBA profile for the moment.

- changed status to resolved