FAPI OAuth2 Authentication and Consent flow for UK Open Banking
© 2020 TESOBE GmbH

Participants: Customer, ThirdPartyProvider, ASPSPAuthorizationServer, ASPSPInternetBankingSite, ASPSPTokenEndpoint, ASPSPResourceServer, OpenBankingDirectoryTokenEndpoint, OpenBankingDirectoryJWKS

FAPI Read/Write (Hybrid) Flow Overview

This diagram shows the end-to-end flow expected when implementing the UK Open Banking standards. Note that we'll use account info as an example so the requested URLs are meaningful.

Part 1: Obtain Customer Consent

In the parlance of the UK standards, consent isn't consent until it's authorized; hence the label "intent" is used.

  Indicate wish to share data
  Display "Intent", i.e. data to be accessed or payment to be made
  Confirm intent
  Show bank selection screen
  Confirm bank selection

Part 2: Create "Intent"

With the consent of the Consumer in the bag, the TPP can now call the Consent API at the correct ASPSP.

  Create Intent payload
  Lookup Token endpoint from well-known configuration

This request will be made using Mutual TLS with the eIDAS QWAC or equivalent, pre-eIDAS OB WAC (I believe ASPSPs in the UK are still accepting OB WACs).

  Access Token request
  Response
  POST /account-access-consents
  Response including ConsentId ("Intent ID")

Part 3: Customer Redirected to Authorization Server

As an exemplar the flow shows a web journey, but the mobile journey (app-to-app) still implements Hybrid Flow; this is the guidance from OBIE.

FAPI mandates the use of the Request object parameter, which is defined in Section 6 of OpenID Connect Core. This is a signed JSON Web Token where the payload contains parameters normally found in the URL (redirect_uri, state, nonce, etc.).

  Create Request parameter

The Signing Key can realistically be a QWAC, QSEAL or OB equivalents. The primary constraint is that the public certificate can be referenced in the JSON Web Key Set maintained by the Directory, i.e. the key ID matches one of the TPP's JSON Web Keys.

  Sign Request parameter with Signing Key
  Create redirect URL including Request parameter
  Redirect customer
  Follow redirect

Obviously this is indicative; an ASPSP wouldn't go to the Directory for the JSON Web Key Set every time... or would they... It isn't 100% clear from the documentation available whether access to the JWKS is open, through MTLS or Access Token. I would imagine it'd be a Client Credentials Access Token as this would follow other patterns.

  Get Access Token
  Response
  Get JSON Web Key Set
  Response
  Match Request parameter kid
  Verify Request parameter signature

Note that this will include verifying the "Intent ID". Obviously the Authorization Server will need a source of truth for this, which I haven't drawn as it'll vary across implementations.

  Verify Request parameter properties

Part 4: Customer Authenticates and Authorizes Consent

The following steps aren't in the standards (other than the Customer Experience guidelines) but are pretty typical, i.e. the "internet banking" site will be hosted at a different domain to the Authorization Server; the user will therefore need to be redirected. Some might serve an iframe from within an Authorization Server webpage... it just depends on the architecture of the ASPSP.

The Customer Experience guidelines on these steps can be found here.

  Redirect Customer
  Follow Redirect
  Verify redirect
  Show login screen
  Submit credentials
  Verify credentials
  Get "Intent" properties
  Response
  Show Account Selector and Consent
  Send Account Selection and Consent Authorization
  Store Account IDs Customer consented to share
  Update Consent to Authorized status
  Response
  Redirect Customer
  Follow Redirect
  Verify Redirect
  Mint Authorization Code and ID Token
  Redirect Customer
  Follow Redirect

Part 5: Swap Authorization Code for Access Token

  Verify redirect including ID Token signature, nonce and s_hash value
  Get ID, Access and Refresh Tokens
  Response

Part 6: Get Data from Account

Strictly speaking this is nothing to do with FAPI Read/Write Flow, but for the sake of completeness...

It should be noted that due to the adoption of the Mutual TLS profile for OAuth 2.0 in FAPI (here) many ASPSPs will bind Access Tokens to the client certificate presented when they were created. This is indicated at the well-known endpoint by the value of the tls_client_certificate_bound_access_tokens property.

  GET /accounts
  Response
  loop [For each authorized endpoint]
    GET /{{Resource URI}}
    Response
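The "Verify redirect including ID Token signature, nonce and s_hash value" step, as an added example that is not part of the original diagram or TESOBE's code: the claim checks a TPP runs on the Hybrid Flow front-channel response (code id_token), including the s_hash/c_hash left-half-hash construction. It assumes the JWS signature itself is verified by a JWS library (not shown), and the JWKS, issuer, client id and token fixtures are constructed.

```python
import base64
import hashlib
import json
import time

# Constructed fixture: the JWKS that published the ID Token signing key.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "aspsp-sig-2020-1"}]}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def half_hash(value: str, alg: str) -> str:
    # s_hash / c_hash: base64url of the left-most half of the hash whose size
    # matches the ID Token's JWS alg (PS256 and ES256 both map to SHA-256).
    digest = hashlib.new("sha" + alg[-3:], value.encode()).digest()
    return b64url(digest[: len(digest) // 2])

def check_hybrid_redirect(id_token, code, state, nonce, jwks, issuer, client_id, now=None):
    """Claim checks on the `code id_token` response. Returns the names of the failed
    checks (empty list == accept). Signature verification is left to a JWS library."""
    now = int(time.time()) if now is None else now
    hdr_b64, claims_b64, _sig = id_token.split(".")
    header = json.loads(b64url_decode(hdr_b64))
    claims = json.loads(b64url_decode(claims_b64))
    alg = header.get("alg", "")
    alg_ok = alg in ("PS256", "ES256")  # FAPI-RW Part 2 allows only PS256/ES256
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    checks = {
        "alg": alg_ok,
        "kid": any(k.get("kid") == header.get("kid") for k in jwks.get("keys", [])),
        "iss": claims.get("iss") == issuer,
        "aud": client_id in aud,
        "exp": isinstance(claims.get("exp"), int) and claims["exp"] > now,
        "nonce": claims.get("nonce") == nonce,
        "s_hash": alg_ok and claims.get("s_hash") == half_hash(state, alg),
        "c_hash": alg_ok and claims.get("c_hash") == half_hash(code, alg),
    }
    return [name for name, ok in checks.items() if not ok]

def make_sample_id_token(code, state, nonce, issuer, client_id, kid, exp):
    # Constructed fixture: a correctly shaped ID Token with a placeholder signature.
    header = {"alg": "PS256", "kid": kid, "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "exp": exp, "nonce": nonce,
              "s_hash": half_hash(state, "PS256"), "c_hash": half_hash(code, "PS256")}
    return ".".join(b64url(json.dumps(p).encode()) for p in (header, claims)) + ".placeholder-sig"
```

A state or nonce mismatch, an unknown kid, or an expired token each shows up as a named failure rather than a silent accept, which is the behaviour the TPP needs before it swaps the code at the Token endpoint.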