What is the best forum to ask for clarifications on specs where your name is mentioned as a contributor?

Issue #224 open
Arjun Balla created an issue

We are currently working on validating a FAPI Advanced-enabled JWT access token and have a few questions regarding the interpretation of the specification. In the past, you’ve indicated that this forum may not be the most suitable place for addressing specification-related queries. I understand and respect your position on this, but it has been challenging to find the correct platform or forum for such discussions.

Given your expertise and the significance of your contributions to these specifications, I would greatly appreciate it if you could guide me to the appropriate platform or provide recommendations on how best to seek the necessary clarifications.

Comments (5)

  1. Arjun Balla reporter

    Apologies for the off-topic question, but I urgently need clarification and trust your expertise on this. I promise not to ask specification-related questions here again. However, I don’t know anyone better equipped to interpret the FAPI specification than you, so I would greatly appreciate your help. If you'd like me to delete this question, please let me know, and I will do so.

    I am interpreting the below “FAPI: Final Baseline – Protected resources provisions” sections as API Gateway implementers (Proxy to actual APIs).

    Specification:

    FAPI: Final Baseline (https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#introduction-3 6th bullet point)

    shall identify the associated entity to the access token;

    FAPI: ID2 (https://openid.net/specs/openid-financial-api-part-1-ID2.html#introduction-2 6th bullet point)

    shall identify the associated entity to the access token;

    FAPI: ID1 (https://openid.net/specs/openid-financial-api-part-1-ID1.html#protected-resources-provisions 7th bullet point)

    shall identify the associated user to the access token;

    My Interpretation as API Gateway Implementer:

    FAPI: Final Baseline and From ID2, I interpret this as, from access_token, protected resource should identify the Resource Owner or Client depending on Grant Type which can be done using sub claim in access_token.

    From ID1, I interpret this as, from access_token, protected resource should identify the Resource Owner which can be done using sub claim in access_token.

    As we are API Gateway implementers (Proxy to actual APIs), we don't have any business logic, so it is up to the target API to do this and if required API Gateway can pass-through the access_token to target API.

    For example if a protected resource is self/my API like api/my/contacts, based on access_token the API should know who is my and return all contacts.

    Is my interpretation correct?


    Specification:

    FAPI: Final Baseline (https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#introduction-3 8th bullet point)

    shall encode the response in UTF-8 if applicable;

    My Interpretation as API Gateway Implementer:

    As API Gateway implementers (Proxy to actual APIs), we don't need to do anything. The target should encode the response and we need to return the same to the Client.

    Example:

    1. With UTF-8 encoding (human-readable). ✓ (checkmark) is directly represented. é (accented e), ñ (Spanish n), and 你好 (Chinese) are also directly represented.

      { "message": "Hello, World!", "special_characters": "✓ é ñ 你好" }

    2. Without UTF-8 encoding (escaped unicode representation). ✓ becomes \u2713. é becomes \u00e9. ñ becomes \u00f1. 你好 becomes \u4f60\u597d (each Chinese character is represented by a 4-digit Unicode escape code).

      { "message": "Hello, World!", "special_characters": "\u2713 \u00e9 \u00f1 \u4f60\u597d" }

    Is my interpretation correct?


    Specification:

    FAPI: Final Baseline (https://openid.net/specs/openid-financial-api-part-1-1_0-final.html#introduction-3 9th bullet point)

    shall send the Content-type HTTP header Content-Type: application/json if applicable;

    My Interpretation as API Gateway Implementer:

    As API Gateway implementers (Proxy to actual APIs), we don't need to do anything. The target should return application/json response and we need to return the same to the Client.

    Is my interpretation correct?
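
    The three provisions quoted above (identify the entity behind the access token, UTF-8 response body, `Content-Type: application/json`) can be turned into concrete checks a gateway runs before proxying. The following is an added example written for this thread, not code from the project whose tracker this is nor from the FAPI specifications. It assumes HS256 purely so it runs with the Python standard library; FAPI profiles require asymmetric JWS algorithms, so a real gateway would verify the signature with a JOSE library against the issuer's JWKS. The rule used to tell a client-credentials token from a user token (sub equal to client_id) follows RFC 9068 section 2.2 and is a convention, not a FAPI requirement. All tokens, keys and response bodies are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed sample key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the authorization server: HS256-signed JWT (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(token: str, expected_aud: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify signature, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept 'none'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this resource")
    return claims


def identify_entity(claims: dict) -> tuple:
    """'shall identify the associated entity to the access token'.
    Convention (RFC 9068 s2.2): when no resource owner is involved, e.g. client
    credentials, sub is the client identifier; otherwise sub names the user."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("access token carries no sub claim")
    return ("client" if sub == claims.get("client_id") else "user", sub)


def check_upstream_response(headers: dict, body: bytes) -> list:
    """Checks the gateway applies to the target API's response before proxying it:
    Content-Type must be application/json, body must be strict UTF-8 and valid JSON."""
    problems = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type is {ctype!r}, expected application/json")
    try:
        text = body.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return problems + [f"body is not valid UTF-8: {exc.reason}"]
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"body is not valid JSON: {exc.msg}")
    return problems


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    token = mint_demo_token({"iss": "https://as.example", "sub": "alice", "client_id": "app-1",
                             "aud": "https://api.example", "exp": now + 300})
    claims = validate_access_token(token, "https://api.example", now=now)
    print(identify_entity(claims))  # ('user', 'alice')
    # The two response bodies from the post above: raw UTF-8 and \u-escaped (both valid).
    raw = '{"message": "Hello, World!", "special_characters": "\u2713 \u00e9 \u00f1 \u4f60\u597d"}'.encode("utf-8")
    escaped = rb'{"message": "Hello, World!", "special_characters": "\u2713 \u00e9 \u00f1 \u4f60\u597d"}'
    ok_headers = {"Content-Type": "application/json; charset=utf-8"}
    print(check_upstream_response(ok_headers, raw), check_upstream_response(ok_headers, escaped))
    # A Latin-1 body is the failure case a gateway should not proxy as-is.
    print(check_upstream_response({"Content-Type": "text/html"}, '{"x": "é"}'.encode("latin-1")))
```

    The token checks run once per request at the edge; the response checks are cheap enough to run on every upstream reply, and rejecting (or at least logging) a non-JSON or non-UTF-8 body from the target API is how the gateway proves the provisions are met even though the target owns the business logic.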

  2. Brian Campbell

    On one hand, I am just some guy who happens to have his name on a few documents due to working in the area for a long long time and has made some software available for free. But despite being just some guy, like most people I’d imagine, I do have many different things competing for my limited time and attention. One such thing is my employer who pays me for contributions to these standards and the experience gained from such. I already find myself unable to meet those demands for my time.

    For FAPI questions, urgent or otherwise, I’d suggest the FAPI WG mailing list or repository issue tracker, both of which are linked from https://openid.net/wg/fapi/ somewhere.
