[Federation] - Clarify session 10.1.3 - Other use cases of Federation Automatic Registration for FAPI Ecosystems

Issue #2034 resolved
Erick Domingues created an issue

Open Finance in Brazil is currently considering migrating from DCR to “Federation with Automatic Registration” as the Standard Client Registration Profile and we would like to request a review on chapter 10.1.3 of the documentation to facilitate us implementing the standard.

To facilitate the adoption of Federation in our Ecosystem, our suggestion would be to re-write Chapter 10.1.3 “Possible Other Uses of Automatic Registration” to be more explicit about allowing other use cases, as we understand that it currently hints that it might be used with other use cases, like OAuth 2.0 or FAPI; however, it’s still very subtle. We understand the current writing can bring challenges when convincing all the Ecosystem Participants why we want to use this specification.

Additional Details About Brazil:

The Ecosystem uses FAPI 1.0 Advanced as the security profile and our specific User Authentication Journey, similar to the OBIE journey, starts with a Lodging Intent. This means that the first interaction between the RP ↔ OP requires the client to authenticate using a grant_type: client_credentials.

We are assuming that if we were to implement Federation, the mechanism used by the OP to accept the RP token request would be similar to the one used on the Authentication Request, so we see no technical blockers on this point.
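The check the issue describes, an OP accepting a token request from an RP it has never registered by resolving the RP's trust chain, as an added example that is not part of the original issue or of the OpenID Federation specification. The entity identifiers, keys, claims values and the three-statement chain are all constructed. One deliberate simplification, labelled in the code as well: OpenID Federation signs entity statements with asymmetric JWS, whereas this dependency-free version uses HS256 with a per-entity secret carried as an "oct" JWK in the `jwks` claim; the chain walk, expiry checks, metadata policy application and the FAPI client-authentication check are what the example is about.

```python
"""Constructed example: how an OP could validate an RP's trust chain before
accepting a client_credentials token request from an unregistered client.

Simplification (see lead-in): OpenID Federation uses asymmetric JWS; this
example signs with HS256 and carries each entity's secret as an "oct" JWK in
the "jwks" claim so that it runs without third-party libraries.
"""
import base64
import hashlib
import hmac
import json
import time

TRUST_ANCHOR = "https://ta.example"          # constructed identifiers
RP_ENTITY = "https://rp.example"
TRUST_ANCHOR_KEY = b"ta-secret-constructed"  # pre-configured at the OP
RP_KEY = b"rp-secret-constructed"

# FAPI 1.0 Advanced confidential client authentication: MTLS or private_key_jwt.
FAPI_CLIENT_AUTH = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims: dict, key: bytes) -> str:
    header = _b64u(json.dumps({"alg": "HS256", "typ": "entity-statement+jwt"}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("entity statement signature does not verify")
    return json.loads(_b64u_decode(payload))


def _jwks(key: bytes) -> dict:
    return {"keys": [{"kty": "oct", "k": _b64u(key)}]}


def apply_policy(metadata: dict, policy: dict) -> dict:
    """Apply the 'value', 'subset_of' and 'essential' metadata_policy operators."""
    out = dict(metadata)
    for param, rules in policy.items():
        if "value" in rules:
            out[param] = rules["value"]
        if "subset_of" in rules and param in out:
            out[param] = [v for v in out[param] if v in rules["subset_of"]]
        if rules.get("essential") and param not in out:
            raise ValueError(f"metadata_policy: {param} is essential but absent")
    return out


def resolve_trust_chain(chain, trust_anchor, trust_anchor_key, now=None) -> dict:
    """chain = [leaf entity configuration, subordinate statements..., trust anchor
    entity configuration]. Returns the RP's openid_relying_party metadata after
    the superiors' policies have been applied, or raises ValueError."""
    now = time.time() if now is None else now
    if len(chain) < 3:
        raise ValueError("chain needs leaf, at least one subordinate statement, anchor")
    stmt = jws_verify(chain[-1], trust_anchor_key)
    if stmt["iss"] != trust_anchor or stmt["sub"] != trust_anchor or stmt["exp"] <= now:
        raise ValueError("chain does not end at a valid trust anchor configuration")
    policy = {}  # simplified merge: later (lower) superiors override per parameter
    # Walk downward: each statement is signed with keys the statement above publishes.
    for token in reversed(chain[:-1]):
        below = jws_verify(token, _b64u_decode(stmt["jwks"]["keys"][0]["k"]))
        if below["iss"] != stmt["sub"]:
            raise ValueError(f"{below['iss']} is not the subject of the statement above")
        if below["exp"] <= now:
            raise ValueError(f"statement issued by {below['iss']} has expired")
        policy.update(stmt.get("metadata_policy", {}).get("openid_relying_party", {}))
        stmt = below
    if stmt["iss"] != stmt["sub"]:
        raise ValueError("leaf must be a self-signed entity configuration")
    return apply_policy(stmt["metadata"]["openid_relying_party"], policy)


def accept_client_credentials_request(metadata: dict) -> bool:
    """What the OP checks before honouring a client_credentials request from this RP."""
    return ("client_credentials" in metadata.get("grant_types", [])
            and metadata.get("token_endpoint_auth_method") in FAPI_CLIENT_AUTH)


def build_sample_chain(now: int = 1_700_000_000) -> list:
    """Constructed chain: RP configuration, anchor's statement about the RP, anchor."""
    exp = now + 3600
    leaf = jws_sign({"iss": RP_ENTITY, "sub": RP_ENTITY, "iat": now, "exp": exp,
                     "jwks": _jwks(RP_KEY), "authority_hints": [TRUST_ANCHOR],
                     "metadata": {"openid_relying_party": {
                         "client_name": "Constructed RP",
                         "redirect_uris": ["https://rp.example/cb"],
                         "grant_types": ["client_credentials", "authorization_code", "implicit"],
                         "token_endpoint_auth_method": "private_key_jwt"}}}, RP_KEY)
    subordinate = jws_sign({"iss": TRUST_ANCHOR, "sub": RP_ENTITY, "iat": now, "exp": exp,
                            "jwks": _jwks(RP_KEY),
                            "metadata_policy": {"openid_relying_party": {
                                "grant_types": {"subset_of": ["client_credentials", "authorization_code"]},
                                "token_endpoint_auth_method": {"value": "private_key_jwt"}}}},
                           TRUST_ANCHOR_KEY)
    anchor = jws_sign({"iss": TRUST_ANCHOR, "sub": TRUST_ANCHOR, "iat": now, "exp": exp,
                       "jwks": _jwks(TRUST_ANCHOR_KEY)}, TRUST_ANCHOR_KEY)
    return [leaf, subordinate, anchor]


if __name__ == "__main__":
    md = resolve_trust_chain(build_sample_chain(), TRUST_ANCHOR, TRUST_ANCHOR_KEY, now=1_700_000_010)
    print(md["grant_types"], accept_client_credentials_request(md))
```

The OP only needs the trust anchor's key configured in advance; every other key in the chain is taken from the statement above it, which is what lets a client that has never been through DCR be accepted on its first client_credentials request. The anchor's policy strips the `implicit` grant the RP advertised and pins `private_key_jwt`, so the resulting metadata is what the OP registers, not what the RP asked for.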

Comments (9)

  1. Michael Jones
    • changed status to open

    We discussed this during the 18-Aug-23 Federation Editors' call.

    What else would you like us to say in Section 10.1.3, Erick?

  2. Vladimir Dzhuvinov

    Hi Erick,

    Is your question about how a client can obtain an access token using the client_credentials grant and OIDC Federation 1.0 automatic registration?

  3. Erick Domingues reporter

    A suggestion would be something along the lines of:

    While the primary focus of Automatic Registration is to be used with OpenID Connect, we anticipate that its design and flexibility allows it to be used in conjunction with other use cases and Profiles. Notably, ecosystems relying on Pure OAuth 2.0 or Financial-grade APIs (FAPI) may also benefit from Automatic Registration.

    The application of Automatic Registration can be set to suit the specific requirements of different use cases. For instance, if secure identification of the client is not a mandatory requirement, the necessity for signed requests may be relaxed. Additionally, in environments that utilize Pure OAuth 2.0, Automatic Registration could be configured to take place during the Authorization Request phase.

  4. Michael Jones

    We talked about this on the 22-Sep-23 Federation Editor’s call. While we agree that Automatic Registration could be used with FAPI, it’s not clear that we should try to enumerate all the things that it can be used with. That list could grow very large!

    @Giuseppe De Marco is asking a FAPI implementer what he thinks about using them together.
