5.2 - te - More fine grained scope needed

Comments (18)

1. 

   Nat Sakimura reporter

   • changed component to Security

   • 2016-09-20T22:36:24+00:00
2. 

   Nat Sakimura reporter

   • changed status to open

   Feedback in the list: http://lists.openid.net/pipermail/openid-specs-fapi/2016-September/000086.html

   Maybe the SCOPE's should be more specific per API. Currently we have API's
   like 'account', 'transfer' and 'atm'. The SCOPE could refer to them such
   as 'SCOPE=account transfer atm'.
   This would also allow SCOPE's for the time where WRITE operations come
   into play.
   
   Sascha
   

   • 2016-09-27T00:08:03+00:00
3. 

   Nat Sakimura reporter

   In the call yesterday, Sascha pointed out that the users at least want to know whether it will be read only or read-write. Does that imply that we need a structured scope ?

   • 2016-09-29T08:01:24+00:00
4. 

   Nat Sakimura reporter

   Some suggested fix put in d1a614f

   • 2016-09-29T08:42:41+00:00
5. 

   Anoop Saxena

   Like the prefix of "r" ... rAccount...rCustomer

   1. So when write operation is needed .. I am thinking wAccount or WCustomer???

   • 2016-09-30T22:57:12+00:00
6. 

   Nat Sakimura reporter

   Actually, there can be several types of "write" operation, are there not? I wonder if we should have separate scopes for Create, Update, and Delete.

   • 2016-10-03T02:59:20+00:00
7. 

   Anoop Saxena

   Yes there are various of operation similar to CRUD can be done for given entity (Account or transaction) . There are features as well such as transfer, billpay.

   • 2016-10-03T22:53:59+00:00
8. 

   Sascha Preibisch

   I think the problem is that we will end up very fast with a huge list of "small" scopes. I have seen that in a project I was working on.

   I think when we refer to "read" it is straight forward, reading the account balance for example. But "write"? What is written to an account? A new account alias as "My empty account"?

   It is probably important to come up with a list of actions that could be taken on typical bank entities such "account" or "customer". Once that list is complete we should be able to categorize what actions can be taken and then we can come up with a list of (not too many) scope's.

   • 2016-10-05T04:51:41+00:00
9. 

   Nat Sakimura reporter

   @SaschaZeGerman Agreed. From the customer's point of view, unlike "read", "write" is way too abstract. It should be tied to the use cases rather than the data models, I suppose.

   • 2016-10-05T14:01:01+00:00
10. 

    Dave Tonge

    Here are some example scopes from BBVA API https://www.bbvaapimarket.com/documentation/bbva/bbva-accounts

    • 2016-10-12T12:55:16+00:00
11. 

    Dave Tonge

    I agree with @SaschaZeGerman and @Nat my understanding of use cases are: - List accounts - Read account balance - Read account transactions - Make transaction - Add payee

    • 2016-10-12T13:05:56+00:00
12. 

    Nat Sakimura reporter

    • changed component to Part 1: RO Security

    • 2016-12-13T17:25:17+00:00
13. 

    Edmund Jay

    • changed status to resolved
    • edited description

    Specific scope values are no longer defined.

    • 2017-12-20T22:59:53+00:00
14. 

    Nat Sakimura reporter

    • changed component to Part 1: Baseline

    • 2022-12-14T15:35:52+00:00
15. 

    Nat Sakimura reporter

    • changed component to FAPI 1 - Part 1: Baseline

    • 2022-12-14T15:36:25+00:00
16. 

    Nat Sakimura reporter

    • changed component to FAPI 1 – Part 1: Baseline

    • 2022-12-14T15:36:58+00:00
17. 

    Nat Sakimura reporter

    • changed component to FAPI 1 – Baseline

    • 2022-12-14T15:38:20+00:00
18. 

    Nat Sakimura reporter

    • changed component to FAPI 1: Baseline

    • 2022-12-14T15:39:08+00:00
19. Log in to comment