camaraproject / SimSwap

Repository to describe, develop, document and test the Sim Swap API family
https://wiki.camaraproject.org/x/DgSeAQ
Apache License 2.0

Enhance API specification with support both openid and client credential auth flows #89

Closed gregory1g closed 6 months ago

gregory1g commented 7 months ago

Currently the SimSwap API specification allows the OpenID 3-legged flow only. A recently approved change in identity management allows APIs to offer different flows for different invokers (https://github.com/camaraproject/IdentityAndConsentManagement/pull/120/files).

This approach can be used by SimSwap to: 1) give MNOs the possibility to use the client credentials flow in regions where regulations allow this; 2) give MNOs the possibility to use the client credentials flow for some trusted invokers and still use 3-legged credentials for regular ones.

In both cases it will be the MNO's responsibility to clarify the legal and security implications of such a decision, but the API specification will provide the technical possibility.

This issue suggests adjusting the SimSwap API specification to allow both OpenID and client credentials flows.

fernandopradocabrillo commented 7 months ago

Hi @gregory1g The text added in that PR doesn't change what has been agreed. It just specifies what we all already knew: the flow will be determined in the onboarding and according to legislation. But the valid or invalid starting flows are dictated by the rules indicated for using 2-legged or 3-legged. So it doesn't affect the allowed flows we have for sim swap.

bigludo7 commented 6 months ago

Hello team, I agree with @fernandopradocabrillo

If this client credentials point has to be challenged (and it is fair for any member to challenge it), it must be done in the Identity&Consent project and not here, because this point is under the Identity&Consent project's responsibility.

My proposal is to close this issue, and @gregory1g you can raise this point in the Identity&Consent project. WDYT?

DT-DawidWroblewski commented 6 months ago

Hi!

Following @bigludo7's statement: @gregory1g please continue the discussion at ID&C.

Thx!