I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually. That’s a bit of nuisance. Instead of doing that, if I can instruct each banks to delegate authorization on my accounts to my Authorization server, it would simplify my life a lot.
Resource Registration Phase
Sure enough, I have to register each bank accounts at my preferred Authorization Server, but that is just one time. I have depicted it as the Resource Registration Phase in the following diagram.
What follows is the Authorization Phase. It is sometime later in my life. While I was surfing the web, I stumbled on a cool site “Grapher”. It pulls the standardized data from Financial APIs and makes a great graphical representation of my financial situation. Cool. Let’s use it.
I just tell the Grapher my AS by hitting “AS” button. (Or, I could have given my acct: URL so that it could pull the info about my AS.) The Grapher issues an authorization request saying “Hey AS, give me authorization to pull Nat’s data, wherever are banks are.” At this point, the Grapher does not know which bank I am using so it just cannot go to the Bank directly. In a usual OAuth case, you would have to start from the protected resource, in this case, Bank. However, in this use case, the Grapher is not doing it. Instead, it just tells the AS, “Nat’s Bank Data, please!”.
Then, I will be shown the dialogue: “Are you sure that you want to give Grapher your data?”(). I would say “Yup!” and clicks a button. Authorization is done, and the Authorization Code is returned from the Authorization Endpoint to the Grapher’s Redirection Endpoint via a browser redirect (, ). Then, the Grapher sends the Authorization Code and the Client Secret to the Token Endpoint . As the response, The Token Endpoint returns an Access Token and the location of the service that give it back the set of Bank API URIs and the tokens. In the diagram, this service is depicted as “Intro” standing for Introspection service. UserInfo endpoint in OpenID Connect Core is a kind of introspection point, but there can be many other types. An AS might be supporting bunch of them. Upon receiving the access token, the Grapher sends it to the Introspection Endpoint specified in the Authorization Response. The endpoint returns list of pairs of Bank API URI and Access Token. e.g.,
Having been working on Digital Identity since 2000.
Co-author of various identity related specifications like OpenID Connect, JSON Web Token.
Chair of the OpenID Foundation (2011-)
Vice Chair of the OpenID Foundation (2010),
Founder of OpenID Foundation Japan (2008-),
Trustee of Kantara Initiative (2009-).