Explaining decoupled authorisation flow


Summary

The introduction of a decoupled authorisation flow provides another option for how the Customer can authorise consent (that has already been agreed between a Customer and Third Party) with the API Provider.

It is important to note that this does not replace the existing ‘redirect’ model summarised below; it is an additional option that can be implemented for specific use cases.

Existing redirect authorisation flow

The v1.0 redirect flow, which is retained in the v2.0 Standard, allows a customer to be transferred from the Third Party’s website (or app) to the API Provider (the Customer’s bank) and back again (once authentication and authorisation have been completed). Market feedback was that the ‘redirect flow’ has customer experience friction, and also constrains the use of the Standard.

The Customer must always use the same device and must be on the Third Party website or app at the time authorisation is requested. While v2.0 retains this ‘redirect flow’ functionality, it also adds a new ‘decoupled flow’ option.

New decoupled authorisation flow

The ‘decoupled flow’ separates the API Provider’s and Third Party’s respective interactions with a Customer. This makes it possible for the API Provider to send the Customer authorisation request notifications, and for the interaction to take place on different devices (e.g. the Customer interacts with a merchant on a laptop and authorises the same API-enabled action in their mobile banking app). ‘Decoupled flow’ functionality applies to both the Account Information and Payments Initiation APIs.

The introduction of ‘decoupled flow’ in the v2.0 Standard opens up a range of new use cases. For example:

  • The Customer does not always need to be present when a Third Party initiates a new authorisation request

  • The interaction with the Customer can occur on different devices or applications

  • The API Provider can interact with the Customer via different channels in order to get their authentication and authorisation (i.e. via text message, banking app, etc.)

The ‘decoupled flow’ in the Standard is derived from the Open Banking Implementation Entity’s v3.x standard, which is derived from the Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA) standard. FAPI-CIBA is a standard developed by the OpenID Foundation (an international technology standards group).
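As an added illustration (not code from the Standard, from the Open Banking Implementation Entity, or from this page), the following Python simulation walks through a CIBA-style decoupled flow in poll mode with both parties in one process: the Third Party starts a backchannel authentication request while the Customer is absent, the Customer later approves or declines on a separate device, and the Third Party redeems the request at the token endpoint. The parameter and error names (auth_req_id, the grant type urn:openid:params:grant-type:ciba, authorization_pending, slow_down, expired_token, access_denied) come from the OpenID CIBA Core specification; the class names, the in-memory store, the fake clock and the sample client id tpp-123 are assumptions made for this example, and the Standard’s own request fields are not reproduced.

```python
"""Simplified in-process simulation of a CIBA-style decoupled authorisation flow.

Added example, not part of the Standard or the page. Parameter and error
names follow OpenID Connect CIBA Core; class names, the in-memory store,
the fake clock and the client id "tpp-123" are constructed for illustration.
"""
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class FakeClock:
    """Controllable clock so the example runs without sleeping (constructed)."""

    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ApiProvider:
    """The bank side: backchannel authentication endpoint plus token endpoint."""

    def __init__(self, registered_clients, lifetime_s=120, interval_s=5, clock=time.time):
        self.registered_clients = set(registered_clients)
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self.clock = clock
        self.requests = {}  # auth_req_id -> pending request state

    def backchannel_authentication(self, client_id, scope, login_hint):
        """Third Party starts a request; the Customer need not be present."""
        if client_id not in self.registered_clients:
            return {"error": "invalid_client"}
        # Unguessable handle for the request; it never encodes the Customer's identity
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "login_hint": login_hint,
            "status": "pending", "expires_at": self.clock() + self.lifetime_s,
            "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.lifetime_s, "interval": self.interval_s}

    def customer_decision(self, auth_req_id, approved):
        """Customer authorises (or declines) on their own device, e.g. the banking app."""
        req = self.requests.get(auth_req_id)
        if req is None or req["status"] != "pending":
            return False
        req["status"] = "approved" if approved else "denied"
        return True

    def token(self, client_id, grant_type, auth_req_id):
        """Token endpoint in poll mode: the Third Party asks whether authorisation is complete."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        # The handle is bound to the client that created it; another client cannot redeem it
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > req["expires_at"]:
            req["status"] = "expired"
            return {"error": "expired_token"}
        # Enforce the polling interval the API Provider announced
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval_s:
            req["last_poll"] = now
            return {"error": "slow_down"}
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        # Success is one-shot: the auth_req_id is consumed when the token is issued
        del self.requests[auth_req_id]
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": req["scope"]}


def run_decoupled_flow(approve=True, customer_delay_s=12):
    """Run one decoupled authorisation; return the token-endpoint errors seen and the final response."""
    clock = FakeClock()
    bank = ApiProvider({"tpp-123"}, clock=clock)
    started_at = clock()
    start = bank.backchannel_authentication("tpp-123", "accounts", login_hint="customer@example.test")
    auth_req_id, interval = start["auth_req_id"], start["interval"]
    observed, decided = [], False
    while True:
        resp = bank.token("tpp-123", CIBA_GRANT, auth_req_id)
        if "access_token" in resp or resp["error"] in ("expired_token", "access_denied"):
            return observed, resp
        observed.append(resp["error"])
        clock.advance(interval)  # Third Party waits the announced interval before polling again
        # The Customer reacts on their own device some time after the request was created
        if not decided and clock() - started_at >= customer_delay_s:
            bank.customer_decision(auth_req_id, approve)
            decided = True


if __name__ == "__main__":
    print(run_decoupled_flow(approve=True))
    print(run_decoupled_flow(approve=False))
```

The points worth noticing from a security standpoint are the ones the simulation enforces in the token endpoint: the auth_req_id is unguessable, is bound to the client that requested it, expires, is redeemable only once, and polling faster than the announced interval is rejected. Those controls are what stop a request handle from being redeemed by a different Third Party or long after the Customer saw the notification.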
