michielbdejong closed this 11 months ago
And "Pushed Request Object"
I'll do some more web search!
It's explained well in https://www.youtube.com/watch?v=U9i7YaN8v9c - just don't put the scopes through the front channel. It's only a part of our solution though. See https://github.com/pondersource/surf-token-based-access/blob/main/token-based-access%20flows.pdf for next steps
This pattern benefits from the domain specific knowledge in the RS and keeps the AS very clean and generic. As a consequence, there must be a properly protected interface between AS and RS.
https://bitbucket.org/openid/fapi/src/master/Financial_API_Lodging_Intent.md#markdown-header-642-rs-provides-intent-implementation
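The "don't put the scopes through the front channel" point from the thread, as an added example that is not code from this thread or from the linked project: the client pushes the full authorization request to the AS over the back channel and the browser redirect carries only an opaque reference, in the style of OAuth Pushed Authorization Requests (RFC 9126). The class, function names, endpoints and sample values are hypothetical, and client authentication on the push is assumed rather than shown.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Prefix used for request_uri values in the RFC 9126 examples.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

class AuthorizationServer:
    """In-memory AS for illustration; assumes the client was already
    authenticated on the back-channel push (not shown)."""

    def __init__(self, lifetime=60):
        self.lifetime = lifetime
        self._pushed = {}  # request_uri -> (client_id, params, expires_at)

    def push(self, client_id, params, now=None):
        """Back channel: store the full request, return an opaque reference."""
        now = time.time() if now is None else now
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (client_id, dict(params), now + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def authorize(self, url, now=None):
        """Front channel: accept only the reference, never inline parameters."""
        now = time.time() if now is None else now
        query = parse_qs(urlparse(url).query)
        if set(query) != {"client_id", "request_uri"}:
            raise ValueError("only client_id and request_uri are accepted here")
        if any(len(values) != 1 for values in query.values()):
            raise ValueError("duplicated parameter")
        request_uri = query["request_uri"][0]
        entry = self._pushed.get(request_uri)
        if entry is None:
            raise ValueError("unknown or already used request_uri")
        client_id, params, expires_at = entry
        if client_id != query["client_id"][0]:
            raise ValueError("request_uri was issued to another client")
        del self._pushed[request_uri]  # single use, even if it turns out expired
        if now > expires_at:
            raise ValueError("request_uri expired")
        return params  # scopes and the rest, as pushed by the client

def front_channel_url(authorize_endpoint, client_id, request_uri):
    """What the browser sees: no scope, no redirect_uri, no request details."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return authorize_endpoint + "?" + query
```

Because the AS resolves the reference itself, a scope edited in the browser URL never reaches authorization logic; the request is also bound to the pushing client, expires, and cannot be replayed.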