
Authentication

How to authenticate

In general, OAuth 2.0 does not mandate a specific client authentication scheme (see RFC 6749, section 2.3 Client Authentication). However, we recommend using one of the following client authentication methods:

Client ID / Client Secret

You may use an OAuth 2.0 Client ID / Client Secret combination for authentication. Send the credentials in the HTTP Basic Authorization header; RFC 6749, section 2.3.1 marks including them as request-body parameters as NOT RECOMMENDED.

Mutual TLS

You may use OAuth 2.0 Mutual-TLS Client Authentication (RFC 8705), in which the client is authenticated by its TLS client certificate instead of a shared secret.
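The two client authentication methods above, applied to a client_credentials token request, as an added example that is not rebel's own code or any institution's API. The token endpoint host and path, the client_id, the secret and the certificate file names are placeholders; the functions that build requests run offline, while the one that sends them is shown but not executed.

```python
"""OAuth 2.0 client authentication for a token request, two ways:
client secret over HTTP Basic (RFC 6749 2.3.1) and mutual TLS (RFC 8705).
Added example, not rebel's own code; endpoint, credentials and file
names are assumed placeholders."""
import base64
import http.client
import ssl
from typing import Optional, Tuple
from urllib.parse import quote_plus, unquote_plus, urlencode


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for HTTP Basic client authentication.

    RFC 6749 section 2.3.1 requires both values to be form-urlencoded
    *before* they are joined with ':' and base64-encoded; skipping that
    step breaks any secret that contains ':' or non-ASCII characters.
    """
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_client_secret_basic(header_value: str) -> Tuple[str, str]:
    """Inverse of client_secret_basic_header, as a token endpoint does it."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(encoded, validate=True).decode("ascii")
    user, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':'")
    return unquote_plus(user), unquote_plus(secret)


def token_request_basic(client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> dict:
    """Headers and body for a client_credentials request with the secret in
    the Authorization header (not in the body, which RFC 6749 discourages)."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "headers": {
            "Authorization": client_secret_basic_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def token_request_mtls(client_id: str, scope: Optional[str] = None) -> dict:
    """Same request under RFC 8705 mutual TLS: no shared secret is sent at
    all; client_id identifies the client, the TLS certificate proves it."""
    body = {"grant_type": "client_credentials", "client_id": client_id}
    if scope:
        body["scope"] = scope
    return {
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def mtls_context(cert_file: str, key_file: str,
                 ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that presents our client certificate and still verifies
    the institution's server certificate (never turn that check off)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def post_token_request(host: str, path: str, request: dict,
                       context: Optional[ssl.SSLContext] = None) -> Tuple[int, bytes]:
    """POST a prepared request to the institution's token endpoint over HTTPS.
    Needs a real endpoint, so it is not run here; host/path are assumed."""
    conn = http.client.HTTPSConnection(host, context=context or ssl.create_default_context())
    try:
        conn.request("POST", path, body=request["body"], headers=request["headers"])
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder values; substitute the institution's endpoint and your credentials.
    basic = token_request_basic("rebel-client", "p@ss:word", scope="accounts")
    print(basic["headers"]["Authorization"], basic["body"])
    mtls = token_request_mtls("rebel-client", scope="accounts")
    print(mtls["body"])
    # ctx = mtls_context("client.crt", "client.key")
    # print(post_token_request("bank.example", "/oauth/token", mtls, ctx))
```

The point of `parse_client_secret_basic` is to show the round trip: a secret such as `p@ss:word` survives only because both sides apply the form-urlencoding step. In the mTLS variant the request body carries no secret, so a leaked request log exposes nothing that authenticates the client.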

End-to-End Security

rebel is a protocol, not a service. This means that you never interact with a rebel server when connecting to financial institutions that implement the protocol; you always connect directly to the server of the financial institution. This has a couple of important security implications:

  • Your users can be sure that no third party is able to log, process or otherwise misuse their data, whether by intent or by negligence.

  • Your users have to trust YOU to keep their access tokens safe and secure. The generated tokens are the key to their financial data, and you should take the necessary precautions to secure them: store them encrypted at rest, restrict which parts of your system can read them, and never write them to logs.