This space is deprecated and no longer supported. Please use the latest available version here.
Authentication and Authorization
- Chris Michael
1. Overview
There are three main ways or methods of carrying out the authentication procedure of the User through a dedicated interface, and APIs in particular, namely redirection, decoupled approaches, and embedded approaches (or a combination thereof).
These approaches are categorized based on the device and the application where the consumption of User-facing TPP service and authentication with the LFI takes place
Redirection - The User consumes the User-facing TPP service and authenticates with the LFI on separate applications on the same device. The authentication data is exchanged only between User and LFI through the LFI application and the User-facing TPP has no visibility of this. Redirection uses the principle of deeplinking when the User’s action within the User-facing TPP app/website invokes the LFI app/website.
Decoupled - The User consumes the User-facing TPP service and authenticates with the LFI on separate applications on separate devices. The authentication data is exchanged only between User and LFI through the LFI application and the User-facing TPP has no visibility of this. A Decoupled experience on the two devices can be achieved by
using Redirection where the User uses a deeplink within the User-facing TPP app/website on one device to invoke their LFI app/website on another device
using Client-Initiated Backchannel Authentication(CIBA) Flow where User-facing TPPs can obtain a valid identifier for the User they want to authenticate. They will be able to initiate an interaction flow to authenticate the User with their LFIs without having end-user interaction from the consumption device. The flow involves direct communication from the User-facing TPP to the LFI without redirecting the User through the User’s browser (consumption device).
Embedded - The User consumes the User-facing TPP service and authenticates with the LFI within the User-facing TPP application on a single device. The authentication data is exchanged directly between a User-facing TPP and LFI through the User-facing TPP application.
1.1. UAE Standard Support and Requirements
The UAE Open Banking Standard (the Standard) will support redirection, decoupled redirection, and decoupled CIBA to allow a User of a TPP to use the same authentication mechanisms as they do when accessing their LFI directly.
Using the Redirection implementation the User-facing TPPs can implement a redirection flow on a single device or a Decouple redirection flow using two devices depending on the customer experience they want to support. A Decoupled Redirection does not require the LFI to implement anything in addition to the Redirection flow they will be implementing.
The general principles relating to authentication that apply are:
LFIs authenticate: The User MUST go through Multi-Factor Authentication (MFA) at their LFI for a User-facing TPP request (i.e. Service Initiation or Data Sharing) to be actioned by the LFI.
Availability of normal authentication methods: The User MUST be able to use the elements they prefer to authenticate with their LFI if supported when interacting directly with their LFI.
Parity of experience: The experience available to a User when authenticating a journey via a User-facing TPP SHOULD involve no more steps, delays or friction in the customer journey than the equivalent experience they have with their LFI when interacting directly.
No unnecessary additional authentication: It is not expected that MFA would be required more than once when facilitating authentication for a single session of data sharing request, or Service Initiation request.
No Obstacles: LFIs MUST not create unnecessary delay or friction during authentication including unnecessary or superfluous steps, attributes, or unclear language, e.g. advertising of LFI products or services, language that could discourage the use of User-facing TPP services or additional features that may divert the User from the authentication process.
2. Redirection
Redirection-based authentication has a range of possible experiences for a User based on whether the User has a LFI app or not and the device on which the User is consuming the User-facing TPP service.
When using a User-facing TPP for Data Sharing Requests(DSR) and Service Initiation Requests(SIR) User MUST be able to authenticate with the LFI using the same authentication methods they are accustomed to using when accessing the LFI directly.
We have used one example of a User-facing TPP and DSR journey to demonstrate how a redirection flow MUST work. (The same applies to SIR and service requests)
2.1 App-to-App
User authentication with the LFI using the LFI mobile app installed on the same device on which the User is consuming the User-facing TPP service. The User starts the journey from a User-facing TPP app.
2.1.1 User Journey
2.1.2 Wireframes
This enables the User to authenticate with the LFI while using a User-facing TPP for an Open Banking services (i.e. DSR, SIR, & Service Request) using the same LFI app-based authentication method which they use when accessing the LFI mobile channel directly.
User-facing TPP service COULD be web-based or app-based. The redirection MUST directly invoke the LFI app to enable the User to authenticate and MUST not require the User to provide any User identifier or other credentials to the User-facing TPP.
To demonstrate an app-based redirection part of the journey, we have used the User-facing TPP initial setup as one example.
| Rules & Guidelines |
|---|---|
1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or service initiation capabilities. |
2 | User-facing TPPs SHOULD make the User aware on the inbound redirection screen( User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing. |
3 | If the User has an LFI app installed on the same device the redirection MUST invoke the LFIs app for authentication purposes only without introducing any additional screens. The LFIs app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI app (biometric, passcode, credentials) and offer the same authentication method(s) available to the User when authenticating in their LFIs direct channels |
4 | After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access. |
5 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
6 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
7 | User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR, SIR). |
2.2 Browser-to-App
Conversely, User-facing TPP may be browser based only. However, if the User:
a) is using a browser on a mobile device and
b) has the LFI app installed on their device
then the User-facing TPP website MUST redirect the User’s browser to the LFI. The LFI on receiving the redirection request MUST invoke the LFI app for authentication on the User’s device. Following authentication, the User MUST be redirected back to the User-facing TPP browser on the mobile device.
2.3 Browser-to-Browser
If a User is using a desktop browser to access the User-facing TPP, then under the redirection model the journey MUST be completed on the LFI browser channel.
Browser-to-Browser Redirection is also applicable when:
a) the User-facing TPP is browser based only
b) the User is using a browser on a mobile device and
c) the mobile device does not have the LFI mobile app installed, or the LFI does not provide an app at all.
It is imperative in these circumstances that the LFI browser channel has been optimized for mobile browser and device type.
2.3.1 User Journey
2.3.2 Wireframes
| Rules & Guidelines |
|---|---|
1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or service initiation capabilities. |
2 | User-facing TPPs SHOULD make the User aware on the inbound redirection screen(User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing. |
3 | The redirection MUST take the User to the LFI web page (desktop/mobile) for authentication purposes only without introducing any additional screens. The web-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the web-based LFI channel (desktop/mobile). |
4 | After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access to. |
5 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
6 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
7 | User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR, SIR). |
2.4 App-to-Browser
It is possible that a User is using the User-facing TPP app on a mobile device which does not have their LFI mobile app installed, or their LFI does not provide an app at all.
In these instances, the User-facing TPP app MUST redirect the User to use the default mobile browser to present the User with their LFI's web channel to authenticate.
The browser for the User authentication MUST not be an embedded view within the User-facing TPP app.
Again, in these circumstances, it is imperative that the LFI browser channel has been optimized for mobile browser and device type.
3. Decoupled Redirection
In “Decoupled” authentication, typically the User uses a separate secondary device to authenticate with the LFI. This model allows for several innovative solutions and has the added benefit of allowing a User to use their mobile phone to authenticate taking advantage of biometrics for MFA, where they are engaging with a User-facing TPP through a separate device, such as a desktop/laptop of a point of sale (POS) device.
In a Decoupled Redirection flow the User uses a deeplink within the User-facing TPP app/website on one device to invoke their LFI app/website on another device using the same redirection mechanism as in [TBC]
The following User experiences are available using Decouple Redirection:
3.1 Selection of LFI on First Device
An authentication flow in which a dynamic link (e.g. via a QRCode or NFC) is generated by the User-facing TPP on one device (e.g. desktop/laptop or kiosk) and is scanned by User on another device (e.g. User’s mobile device). This dynamic link will invoke the LFI’s mobile banking app which uses the information from the dynamic link to then redirect User to process the request after authenticating the User.
This journey does not introduce any changes in the redirection flow between the User-facing TPP and the LFI.
3.1.1 User Journey
3.1.2 Wireframes
To demonstrate a Redirection flow on different devices, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
We have illustrated an example where the dynamic identifier is a QR code. The code SHOULD contain a DeepLink (as within the Redirection flow) supported by the LFI which SHOULD invoke the LFI app when the User scans the QRCode.
Guidelines | |
|---|---|
| 1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or service initiation capabilities. |
| 2 | User-facing TPPs MUST present Users with the authentication options supported by the LFI which in turn can be supported by the User-facing TPP device/channel (e.g. A User-facing TPP kiosk that can only support authentication by LFI mobile app). |
| 3 | The User-facing TPPs MUST display a code which is scannable or readable ( QRCode/NFC) by another User device. The User-facing TPP MUST present the information on how to use the code with their mobile device (e.g. scan QR code with the mobile phone camera). NOTE: The QRcode MUST be a deep link (as within the Redirection flow) supported by the LFI which MUST invoke the LFI app on scanning. |
| 4 | User MUST be able to easily scan the code (e.g. scan the code from the Kiosk in this instance) without much friction (like manually entering any URLs). |
| 5 | After the User scans the code from the User-facing TPP with a device camera, the LFI app MUST be invoked to perform the MFA. |
| 6 | The LFI app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials). |
| 7 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
| 8 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
| 9 | For this experience it is essential that the User-facing TPPs MUST have a web page where the LFI can redirect the control back to the User-facing TPP on the second device. The User-facing TPP must confirm on this mobile web page the successful completion of the request and informs the User to continue on the other device(Kiosk/desktop) where they had started their journey. |
3.2 Selection of LFI on Second Device
This journey is a variation of the User-facing TPP flow within the standard redirection journey which could be triggered from a non interactive interface of the User-facing TPP (e.g. advertising board) which then progresses on the User’s mobile device. The LFI selection and consent request happens on the User's mobile device which then invokes the LFI app/webpage on the same device to complete the authorization using a redirection flow.
This journey does not introduce any changes in the redirection flow between the User-facing TPP and the LFI.
3.2.1 User Journey
3.2.2 Wireframes
To demonstrate a Redirection flow on different devices, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
We have illustrated an example where the static code on an advertisement board is a QR code. The code SHOULD contain a deepLink supported by the User-facing TPP which SHOULD invoke the User-facing TPP app/webpage on scanning.
Guidelines | |
|---|---|
| 1 | The Call to Action (CTA) COULD be a static QRCode/NFC tag. Scanning of the static code by the User SHOULD invoke a User-facing TPP page/app deep linking them to the service represented by the code. |
| 2 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or service initiation capabilities. |
| 3 | User-facing TPPs SHOULD make the User aware on the inbound redirection screen(User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing. |
| 4 | If the User has an LFI app installed on the same device the redirection MUST invoke the LFIs app for authentication purposes only without introducing any additional screens. The LFIs app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI app (biometric, passcode, credentials) and offer the same authentication method(s) available to the User when authenticating in their LFIs direct channels |
| 5 | After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access. |
| 6 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
| 7 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
| 8 | User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR & SIR). |
4. Decoupled CIBA
There are several other possible Decoupled authentication flows as listed below which use the CIBA Flow.
In this authentication flow the User-facing TPPs can obtain a valid identifier for the User they want to authenticate. They will be able to initiate an interaction flow to authenticate the User with their LFIs without having end-user interaction from the consumption device. The flow involves direct communication from the User-facing TPP to the LFI without redirecting the User through the User’s browser (consumption device).
4.1 Decoupled Model A: Static User Identifier
An authentication flow in which the User provides a static identifier provided by their LFI to the User-facing TPP which is then used by the LFI to identify the User and initiate an authentication journey on the consumer’s LFI app which is on a device separate to the one on which they are consuming the User-facing TPP service.
4.1.1 User Journey
This enables the User to use the same app-based authentication method with the LFI that they use when accessing the LFI mobile app directly.
This model is best suited to User-facing TPP apps with good user input options (e.g. website on PC/laptop) but also where terminals can scan something that has the User identifier(e.g. debit card) and automatically resolve the LFI .
The exact type of identifier supported by the LFI MUST be published by the LFI.
4.1.2 Wireframes
To demonstrate a Model A-based decoupled journey, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
Guidelines | |
|---|---|
| 1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or Service Initiation capabilities. |
| 2 | User-facing TPPs SHOULD present the User with the authentication options supported by the LFI which in turn can be supported by the User-facing TPP device/channel (e.g. A User-facing TPP kiosk that can only support authentication by LFI mobile app). |
| 3 | If User-facing TPPs and LFIs support Model A, then the User-facing TPP SHOULD request from the User the identifier which is supported by their LFI. |
| 4 | The User-facing TPP SHOULD make the User aware of how this identifier will be used. |
| 5 | After the User enters the specified identifier( or scans a QR code form of the identifier), if the User has a LFI app then the LFI MUST notify the User through the LFI app for authentication purposes, without introducing any additional screens. The notification MUST clearly mention the Open Banking Service Request Type (e.g. DSR, SIR). |
| 6 | The LFI app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials) After the User authenticates with the LFI app, then the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access. |
| 7 | If the User is logged off from the LFI app, the LFI MUST make the User aware that they have been logged off and notify them to check back on the originating User-facing TPP app. |
| 8 | The User-facing TPP MUST confirm the successful processing of the Open Banking Service Request (e.g. DSR, SIR). |
4.2 Decoupled Model B: LFI Generated Identifier
An authentication flow in which the User provides a dynamic identifier, generated by their LFI, to the User-facing TPP which is then used by the LFI to identify the User and authenticate with the LFI app.
4.2.1 User Journey
This model is best suited to a User-facing TPP app that can “capture” the code from the LFI app (e.g. by scanning a QR code).
Alternatively, the User can be prompted to type in an identifier in the User-facing TPP App. This may be a long series of characters and may result in a sub-optimal customer experience.
4.2.2 Wireframes
To demonstrate a Model B-based decoupled journey, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
Guidelines | |
|---|---|
| 1 | Not shown in the diagram but as in 1 & 2 in Model A. User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or Service Initiation capabilities. |
| 2 | Not shown in the diagram but as in 1 & 2 in Model A. User-facing TPPs SHOULD present the User with the authentication options supported by the LFI which in turn can be supported by the User-facing TPP device/channel (e.g. A User-facing TPP kiosk that can only support authentication by LFI mobile app). |
| 3 | If User-facing TPPs and LFIs support Model B then the User-facing TPP SHOULD provide the User information on how the identifier can be generated with their LFI and make the User aware of how this identifier will be used. |
| 4 | Users use the LFI app to generate unique identifiers. This step SHOULD not require a MFA authentication. |
| 5 | Users SHOULD be able to easily provide the identifier to the User-facing TPP application (e.g. scan the code into the Kiosk in this instance). |
| 6 | After the User provides the LFI app-generated identifier to the User-facing TPP, then the LFI MUST notify the User through the LFI app for authentication purposes, without introducing any additional screens. The notification MUST clearly mention the Open Banking Service Request Type (e.g. DSR, SIR). |
| 7 | LFIs MUST apply MFA to approve the request which SHOULD have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials). |
| 8 | LFIs MUST make the User aware that they have been logged off from the LFI app and notify them to check back on the originating User-facing TPP app. |
| 9 | The User-facing TPP MUST confirm the successful processing of the Open Banking Service Request (e.g. DSR, SIR). |
4.3 Decoupled Model C: User-facing TPP Generated Identifier
An authentication flow in which a dynamic identifier generated by the User-facing TPP, is used by the User through their LFI app which is then used by the LFI to process the request after authenticating the User.
4.3.1 User Journey
This model is best suited to a LFI app that can “capture” the code from the User-facing TPP app (e.g. by scanning a QR code). Alternatively, the User can be prompted to type in an identifier in the LFI App. This may be a long series of characters and may result in a sub-optimal customer experience.
4.3.2 Wireframes
To demonstrate a Model C-based decoupled journey, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
We have illustrated an example where the dynamic identifier is a QR code and is scannable by the LFI app. Ideally, the code SHOULD be part of a DeepLink (as within the Redirection flow) supported by the LFI which SHOULD invoke the LFI app on scanning.
The general requirement is that the use of the code within the LFI app MUST not introduce friction in the journey.
Guidelines | |
|---|---|
| 1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or Service Initiation capabilities. |
| 2 | User-facing TPPs MUST present Users with the authentication options supported by the LFI which in turn can be supported by the User-facing TPP device/channel (e.g. User-facing TPP entity kiosk that can only support authentication by LFI mobile app). |
| 3 | If User-facing TPPs and LFIs support Model C then User-facing TPPs MUST display an identifier generated from the User-facing TPP app to the User (e.g. QR code) and information on how the identifier SHOULD be used within the LFI app (e.g. scan QR code with the LFI app). NOTE: Ideally the code SHOULD be part of a deep link (as within the Redirection flow) supported by the LFI which SHOULD invoke the LFI app on scanning. |
| 4 | Users SHOULD be able to easily use the identifier presented by the User-facing TPP application (e.g. scan the code from the Kiosk in this instance) without much friction (like manually entering an alphanumeric code). |
| 5 | After the User scans the identifier from the User-facing TPP with a device camera or with the LFI app, then the LFI performs SCA. |
| 6 | The LFI app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials). |
| 7 | LFIs MUST make the User aware that they have been logged off from the LFI app and notify them to check back on the originating User-facing TPP app. |
| 8 | The User-facing TPP MUST confirm the successful processing of the Open Banking service request (e.g. DSR). |
4.4 Decoupled Model D: User With a User-facing TPP Account
A decoupled authentication flow in which the User-facing TPP provides the LFI with a stored User identifier from a previous transaction. This is used by the LFI to enable the User to authenticate using their LFI app on a separate device.
4.4.1 User Journey
This model is ideally suited where the services offered by the User-facing TPP involve POS, telephony, or where User interaction with the User-facing TPP is not possible through a user interface (IoT devices), or even when the User may not be present within the User-facing TPP channel.
4.4.2 Wireframes
To demonstrate a Model D-based decoupled journey, we have used one variation of the DSR journey as an example where the LFI receives all the details of the request from the TPP.
The voice commands are an example of how the User interacts with the User-facing TPP.
Guidelines | |
|---|---|
| 1 | User-facing TPP IoT device through voice-enabled commands asks if they would like to grant access to their data using their stored LFI account where the consent request is constructed in line with the LFIs data group and/or Service Initiation capabilities. |
| 2 | The LFI MUST notify the User through the LFI app for authentication purposes only without introducing any additional screens. The notification MUST clearly mention the data sharing request &/ or Service Initiation request. |
| 3 | The LFI app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials). |
| 4 | The LFI MUST make the User aware that they have been logged off from the LFI app and notify them to check back on the originating User-facing TPP app. |
| 5 | The User-facing TPP MUST confirm the successful processing of the Open Banking service request (e.g. DSR). |
5. Effective Use of Redirection Screens
Within a typical redirection journey, a User is presented with two redirection screens:
The redirection screens are a useful part of the process, providing User trust. The following reasons are noted:
The messaging on the redirection screens serves to reassure the User that they are in control and helps engender trust. For example, Users will be more willing to trust the process if they feel there is a partner (User-facing TPP or LFI) on their side that is known and reputable (use language such as ‘we’, ‘our’). In this sense, the use of words that indicate that the User is in control and taking the lead is key, as these are indications that the User-facing TPP or the LFI is working with or for the User. |
|
6. Error Scenarios During Redirection
As per OIDC, there are 2 main scenarios when an error occurs at the LFI side during the authorization process:
Malformed Authorization Request: The authorization request may be malformed when submitted by the User-facing TPP. For example, it may include an invalid redirection URL, invalid parameters, invalid signature on the request object etc. OAuth2 and OIDC define a whole list of potential errors. These are abnormal situations which indicate a significant technical issue at the User-facing TPP's end or even an attacker trying to act as a User-facing TPP. For safety (and as per the Standard) the LFI MUST not redirect the User back to the User-facing TPP in such situations. The LFI MUST display an error message and stop the execution at this point. It is at the LFIs’ discretion to display to the User the message they find most appropriate for this error case, however, an error message MUST be displayed.
In this situation, User-facing TPPs do not receive a response from the LFIs about the malformed authorization request. Therefore, User-facing TPPs are not able to display any message to the User in this situation.
The User relies completely on the LFI to be notified about the occurrence of an error.
User interaction error: An error occurred during user interaction, for example, users click on cancel or are unable to validate their credentials, the debtor account in the authorization request does not belong to the User etc. In this case, the LFI MUST redirect the User back to the User-facing TPP and provide in the response the appropriate OIDC error message.
The LFI COULD potentially display an error message to the User before redirecting back to the User-facing TPP, but it is solely at their discretion. The User-facing TPP SHOULD check the OIDC error code and display additional messages to the User with further information messages.
Error responses are documented as below:
For OIDC: Final: OpenID Connect Core 1.0 incorporating errata set 2
For OAuth 2: RFC 6749: The OAuth 2.0 Authorization Framework
Please note that both of the above scenarios are strictly checked by the FAPI conformance suite from OIDF.
Following the above requirements in the case of these error scenarios will prevent occurrences of bad customer experience due to errors managed insufficiently.
© CBUAE 2024
Open License and Contribution Agreement | Attribution Notice
Please try out our Advanced Search function.