What about this:

- The consumer goes to `authorizedagent.example` and creates an account. `authorizedagent.example` displays a link to `coveredbusiness.example` indicating that the authorized agent organization is willing/capable of performing requests on behalf of the consumer from `coveredbusiness.example`.
- The consumer clicks on the link to `coveredbusiness.example`, which leads the browser to an OAuth-style dialog served by `coveredbusiness.example`.
- First, the consumer may need to (re-)authenticate with `coveredbusiness.example`, just as in the case of "Log in with Google" or such for OAuth.
- Then, the dialog asks "Dear consumer, do you wish `authorizedagent.example` to act as your authorized agent?" This may be Yes/No or Selective/All, indicating which rights the authorized agent may exercise on the consumer's behalf.
- The dialog redirects back to `authorizedagent.example`, carrying an OAuth-style token that enables the authorized agent to safely access some web service endpoint hosted by `coveredbusiness.example` to perform the data rights protocol. That token might last 90 days or such, so `authorizedagent.example` can get data from "access" even if they are slow to provide it.

This flow appears -- to me, at least :-) --

- to authenticate the consumer with respect to `coveredbusiness.example`, so no abusive boyfriend scenario, and just as secure as, say, having to re-authenticate to download your Facebook data directly from their site;
- to authenticate `authorizedagent.example` with respect to `coveredbusiness.example` -- it may require OAuth-style pre-registration to avoid fly-by-night pretend authorized agents the consumer was tricked into using;
- to prove to `coveredbusiness.example` that the consumer indeed wanted to appoint `authorizedagent.example` as their authorized agent with respect to `coveredbusiness.example`;
- to enable `authorizedagent.example` to safely invoke any/all features of the data rights protocol on behalf of the consumer, as the token that is wielded is specific to that consumer;
- does not need complicated paperwork, affidavits and powers of attorney and all of that.

This just occurred to me. What am I missing, why won't it work?
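The flow above, modelled end to end as an added example (this is not code from the issue author or from the data rights protocol project). It assumes a pre-registered agent with a client secret, a consumer who re-authenticates at the covered business, a consent dialog that records which rights were delegated, a single-use code redeemed for an opaque token bound to that consumer, agent and right set, and a 90-day expiry. Class names, the right names (`access`, `deletion`, `opt_out`, `correction`) and the method names are all assumptions made for the illustration; the checks at the endpoint are what make the token "specific to that consumer".

```python
"""Simulation of the OAuth-style 'appoint an authorized agent' flow.
Added example with assumed names; not the project's own code."""
import secrets
import hmac

TOKEN_LIFETIME_SECONDS = 90 * 24 * 3600             # "might last 90 days or such"
ALL_RIGHTS = frozenset({"access", "deletion", "opt_out", "correction"})  # assumed right names


class CoveredBusiness:
    """Plays coveredbusiness.example: authenticates consumers, records consent,
    mints consumer-bound tokens and serves the data rights endpoint."""

    def __init__(self):
        self._agents = {}         # agent_id -> client_secret (OAuth-style pre-registration)
        self._users = {}          # user_id -> password (stand-in for the real login)
        self._codes = {}          # one-time code -> (user_id, agent_id, granted rights)
        self._grants = {}         # opaque token -> grant record

    def register_agent(self, agent_id, client_secret):
        self._agents[agent_id] = client_secret

    def register_user(self, user_id, password):
        self._users[user_id] = password

    def consent_dialog(self, user_id, password, agent_id, rights):
        """Consumer re-authenticates, agent must be known, consent is recorded
        as a right set (Selective/All), and a single-use code is handed back."""
        if self._users.get(user_id) != password:
            raise PermissionError("consumer authentication failed")
        if agent_id not in self._agents:
            raise PermissionError("unknown authorized agent; pre-registration required")
        granted = frozenset(rights) & ALL_RIGHTS
        if not granted:
            raise ValueError("no rights selected")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user_id, agent_id, granted)
        return code

    def exchange_code(self, code, agent_id, client_secret, now):
        """Agent redeems the code, proving its own identity, and receives a token
        bound to exactly one consumer, one agent and the delegated rights."""
        if not hmac.compare_digest(self._agents.get(agent_id, ""), client_secret):
            raise PermissionError("agent authentication failed")
        record = self._codes.pop(code, None)        # pop: the code can be used once
        if record is None or record[1] != agent_id:
            raise PermissionError("invalid or already-used code")
        user_id, _, granted = record
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"user": user_id, "agent": agent_id,
                               "rights": granted, "expires": now + TOKEN_LIFETIME_SECONDS}
        return token

    def data_rights_request(self, token, agent_id, right, now):
        """The protocol endpoint: every decision is taken from the grant record,
        so the agent can act only for the consumer who consented, only for the
        rights that consumer chose, and only while the token is live."""
        grant = self._grants.get(token)
        if grant is None or grant["agent"] != agent_id:
            raise PermissionError("token not issued to this agent")
        if now > grant["expires"]:
            raise PermissionError("token expired")
        if right not in grant["rights"]:
            raise PermissionError(f"right '{right}' was not delegated")
        return {"consumer": grant["user"], "right": right, "status": "accepted"}


def run_flow():
    """Walk the flow once with constructed sample data and collect outcomes,
    including the failure cases the design is meant to rule out."""
    cb = CoveredBusiness()
    cb.register_agent("authorizedagent.example", "s3cret")   # constructed pre-registration
    cb.register_user("alice", "correct horse")               # constructed consumer
    out = {}
    t0 = 1_700_000_000                                        # constructed clock value

    # Consumer consents to "access" only (Selective), agent redeems the code.
    code = cb.consent_dialog("alice", "correct horse", "authorizedagent.example", ["access"])
    token = cb.exchange_code(code, "authorizedagent.example", "s3cret", t0)
    out["access"] = cb.data_rights_request(token, "authorizedagent.example", "access", t0 + 10)

    def failure(fn):
        try:
            fn()
            return "unexpectedly allowed"
        except (PermissionError, ValueError) as e:
            return str(e)

    out["deletion"] = failure(lambda: cb.data_rights_request(
        token, "authorizedagent.example", "deletion", t0 + 10))
    out["expired"] = failure(lambda: cb.data_rights_request(
        token, "authorizedagent.example", "access", t0 + TOKEN_LIFETIME_SECONDS + 1))
    out["code_reuse"] = failure(lambda: cb.exchange_code(
        code, "authorizedagent.example", "s3cret", t0))
    out["unregistered"] = failure(lambda: cb.consent_dialog(
        "alice", "correct horse", "flybynight.example", ["access"]))
    out["other_agent"] = failure(lambda: cb.data_rights_request(
        token, "other.example", "access", t0 + 10))
    return out


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k:>12}: {v}")
```

The token is an opaque reference rather than a self-describing bearer string, so the covered business never has to trust anything the agent presents beyond "look this up in my own grant table". That is also where the "abusive boyfriend" case is handled: nothing is minted until the consumer has authenticated at the covered business in the browser, and the agent can never broaden the right set or the consumer the grant applies to.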