openid / fapi / issues / #312 - Clarify intended purpose of FAPI 1.0 profiles — Bitbucket

Issue #312 resolved

Nat Sakimura created an issue 2020-09-02

All the references within the documents also need to be changed.

Comments (12)

Nat Sakimura reporter
- changed title to Change the title of FAPI 1.0 to Baseline and Advanced
- 2020-09-02T18:01:03+00:00
Nat Sakimura reporter
- changed status to open
Just add some explanatory text to introduction. Since the current name is quite well known now, keep the naming as is.
- 2020-09-09T14:36:52+00:00
Nat Sakimura reporter
- assigned issue to
  
  Dima Postnikov
- 2020-09-09T14:37:30+00:00
Dima Postnikov
Current FAPI 2 introduction is good:

This document is Part 2 of FAPI that specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used in write access to financial data (also known as transaction access) and other similar higher risk access. This document specifies the controls against attacks such as: authorization request tampering, authorization response tampering including code injection, state injection, and token request phishing. Additional details are available in the security considerations section.

Although it is possible to code an OpenID Provider and Relying Party from first principles using this specification, the main audience for this specification is parties who already have a certified implementation of OpenID Connect and want to achieve a higher level of security. Implementors are encouraged to understand the security considerations contained in section 8.7 before embarking on a 'from scratch' implementation.

Is it sufficient?

Alternatively, it can be made more generic:

This document is Part 2 of FAPI that specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used for high risk access (read or write), for example, read access to highly sensitive data or write access to financial data (also known as payment initiation).

What does everyone think?
- 2020-09-09T15:07:32+00:00
Nat Sakimura reporter
Modification proposal looks good.
- 2020-09-16T14:42:39+00:00
Dima Postnikov
Pull request: https://bitbucket.org/openid/fapi/pull-requests/193 for Part 2.

Part 1 looks good already: “This document is Part 1 of FAPI that specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used in the access of read-only financial data and similar use cases. A higher level of security profile is provided in Part 2, suitable for read and write financial access APIs and other similar situations where the risk is higher.”
- 2020-09-16T15:04:37+00:00
Dima Postnikov
- changed title to Clarify intended purpose of FAPI 1.0 profiles
- 2020-09-29T20:24:26+00:00
Nat Sakimura reporter
Has 223d757 resolved this ticket?
- 2020-09-30T10:59:57+00:00
Nat Sakimura reporter
- changed status to resolved
- 2020-09-30T14:27:23+00:00
Nat Sakimura reporter
- changed component to Part 2: Advanced
- 2022-12-14T15:36:08+00:00
Nat Sakimura reporter
- changed component to FAPI 1 – Part 2: Advanced
- 2022-12-14T15:36:42+00:00
Nat Sakimura reporter
- changed component to FAPI 1: Advanced
- 2022-12-14T15:38:52+00:00
Log in to comment

Assignee: Dima Postnikov

Type: bug

Priority: major

Status: resolved

Component: FAPI 1: Advanced

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!