camaraproject / OTPValidation

Repository to describe, develop, document and test the OTP Validation API family
https://wiki.camaraproject.org/display/CAM/OTPValidation
Apache License 2.0

Will OTPValidation be secured by a two-legged auth flow (client credentials)? #38

Closed trehman-gsma closed 8 months ago

trehman-gsma commented 11 months ago

Hello OTP team 👋

I hope this is an appropriate channel to ask about auth flows.

As per the title - will OTPValidation be secured by a two-legged auth flow?

I understand that the API spec currently states "two_legged", but my understanding is that CAMARA APIs will use three-legged when user data is involved. I also understand from peripheral discussions that OTPValidation may remain as two-legged as it has specific use cases.

I am asking in the context of routing requests to target operators in a federated/aggregated model. The routing discussion is possibly out of scope of CAMARA - but you are probably aware of discussions in related forums whereby the user identifier in a three-legged auth flow can be used to facilitate routing to target operators. Client Credentials does not contain user data, and this OTPValidation use case likely needs to be taken into account in the relevant platform for routing discussions.

Thanks!

DT-DawidWroblewski commented 8 months ago

Hi!

It looks like client credentials are still "in the game", so there is no need to update our API.

Camara API access & User Consent #client-credentials

Closing...