mojaloop / mojaloop-specification

This repo contains the specification document set of the Open API for FSP Interoperability

Home Page:https://docs.mojaloop.io/api

Change Request: Third party account linking discovery requires prior user authorisation

PaulGregoryBaker opened this issue · comments

Open API for FSP Interoperability - Change Request

The sharing of account information from a DFSP to a PISP can only occur after explicit permission for that has been granted by the Party. This requirement is outlined in the open banking standard guidelines. The current API doesn't directly support this.

Table of Contents

1. Preface
2. Problem Description
3. Proposed Solution Options

___

It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.

1.1 Change Request Information

| Requested By | Paul Baker, INFITX |
| --- | --- |
| Change Request Status | In review ☐ / Approved ☐ / Rejected ☐ |
| Approved/Rejected Date | |

1.2 Document Version Information

| Version | Date | Author | Change Description |
| --- | --- | --- | --- |
| 1.0 | 2023-06-01 | Paul Baker | Initial version. |

2. Problem Description

___

2.1 Background

The sharing of account information from a DFSP to a Third Party Provider can only occur after explicit permission for that has been granted by the Party. The current third party API v1.0 and v2.0 do not support obtaining this consent directly and would require obtaining it out of band.

In the API documentation the account linking discovery occurs before /tppConsentRequests and /tppConsents are called.

It is suggested that the existing authentication API flows (i.e. using /tppConsentRequests and /tppConsents) are adjusted so that they can be used for obtaining account information for a party.

Example:
GET /tppAccounts/{userId} can only be fulfilled by the DFSP after the Party provides consent to the DFSP for this.

2.2 Current Behaviour

The current /tppConsentRequests API requires:

  • accounts to be provided with actions (this cannot be provided, as the account information has not yet been obtained),
  • consents that are once-off.

Example:
It is not possible to create a once-off consent to obtain account information from a DFSP using /tppConsentRequests and /tppConsents.

2.3 Requested Behaviour

The third party discovery call before account linking may not be required for the web auth flow, as the selected account could be returned in the JWT. In the OTP flow, however, this cannot be done, so the Party will be required to authenticate twice: the first time to grant consent for obtaining the account information for the user, and the second time to define the third party scope action against a particular account.

Example:
The account access consent is added prior to the account discovery flow. (This is described in more detail in the sequence diagram example below.)
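The following is an added illustration of the two-stage consent that sections 2.2 and 2.3 ask for; it is not Mojaloop code and does not use the Mojaloop API. A toy DFSP refuses the equivalent of GET /tppAccounts/{userId} unless a once-off, discovery-only consent (no account identifiers, no credential registration) exists for that user, consumes that consent on use so it cannot be replayed, and only authorises actions under a second consent that is scoped to a discovered account. The class and method names, the "discovery consent" modelled as an empty scope map, and the action strings `accounts.transfer` and `accounts.getBalance` are assumptions chosen for the example.

```python
"""Toy model of the two-stage consent described in this change request.

Added illustration, not Mojaloop code: the DFSP-side checks, the discovery
consent modelled as an empty scope map, and the action names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import uuid


@dataclass
class Consent:
    consent_id: str
    user_id: str
    # accountId -> permitted actions. An empty mapping is a discovery-only
    # consent: the Party agreed to disclose which accounts exist, nothing more.
    scopes: dict[str, set[str]] = field(default_factory=dict)
    once_off: bool = False
    consumed: bool = False

    @property
    def is_discovery(self) -> bool:
        return not self.scopes


class ConsentDenied(PermissionError):
    """Raised when the DFSP refuses to disclose or act without valid consent."""


class Dfsp:
    """Minimal DFSP that gates account disclosure and actions on consent."""

    def __init__(self, accounts_by_user: dict[str, list[str]]) -> None:
        self._accounts = accounts_by_user
        self._consents: dict[str, Consent] = {}

    # Stage 1: once-off consent to disclose the account list. It carries no
    # account identifiers (they are not known yet) and needs no credential.
    def grant_discovery_consent(self, user_id: str) -> str:
        consent = Consent(str(uuid.uuid4()), user_id, once_off=True)
        self._consents[consent.consent_id] = consent
        return consent.consent_id

    def can_disclose_accounts(self, user_id: str, consent_id: str) -> bool:
        consent = self._consents.get(consent_id)
        return (
            consent is not None
            and consent.user_id == user_id
            and consent.is_discovery
            and not consent.consumed
        )

    def get_accounts(self, user_id: str, consent_id: str) -> list[str]:
        """Equivalent of GET /tppAccounts/{userId}: refused without consent."""
        if not self.can_disclose_accounts(user_id, consent_id):
            raise ConsentDenied(f"no valid discovery consent for {user_id}")
        consent = self._consents[consent_id]
        if consent.once_off:
            consent.consumed = True  # a once-off consent cannot be replayed
        return list(self._accounts.get(user_id, []))

    # Stage 2: consent tied to one discovered account with explicit actions.
    def grant_account_consent(self, user_id: str, account_id: str, actions: list[str]) -> str:
        if account_id not in self._accounts.get(user_id, []):
            raise ConsentDenied(f"{account_id} is not an account of {user_id}")
        consent = Consent(str(uuid.uuid4()), user_id, {account_id: set(actions)})
        self._consents[consent.consent_id] = consent
        return consent.consent_id

    def is_action_authorised(self, user_id: str, consent_id: str, account_id: str, action: str) -> bool:
        consent = self._consents.get(consent_id)
        if consent is None or consent.user_id != user_id or consent.consumed:
            return False
        # A discovery consent has no scopes, so it never authorises an action.
        return action in consent.scopes.get(account_id, set())


def run_demo() -> list[str]:
    """Walk both stages; returns the outcome of each step for inspection."""
    dfsp = Dfsp({"user-1": ["acct-a", "acct-b"]})  # constructed sample data
    outcomes: list[str] = []
    try:
        dfsp.get_accounts("user-1", "missing-consent")
    except ConsentDenied:
        outcomes.append("discovery refused without consent")
    cid = dfsp.grant_discovery_consent("user-1")
    outcomes.append(f"discovered {dfsp.get_accounts('user-1', cid)}")
    outcomes.append(f"replay allowed: {dfsp.can_disclose_accounts('user-1', cid)}")
    cid2 = dfsp.grant_account_consent("user-1", "acct-a", ["accounts.transfer"])
    outcomes.append(f"transfer on acct-a: {dfsp.is_action_authorised('user-1', cid2, 'acct-a', 'accounts.transfer')}")
    outcomes.append(f"transfer on acct-b: {dfsp.is_action_authorised('user-1', cid2, 'acct-b', 'accounts.transfer')}")
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The separation matters for the check a DFSP implementer would want: the discovery consent is deliberately unable to authorise any action, and the account-scoped consent is deliberately unable to disclose the account list, so neither stage can be reused to obtain what the other was granted for.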

3. Proposed Solution Options

___

Please see the sequence diagram below for the proposed change. **Note.** A once-off permission does not require credential registration.

3PPIAccountLinking_v2.0.svg