Issue #547: Make clear if there's items where we would expect ecosystems to make choices?
Status: resolved
- changed status to open
I recently had a conversation with an ecosystem using FAPI1 (and issuing very long lived grants, i.e. years) about whether they mandated the use of refresh tokens.
The answer was that they felt such items were part of the security profile and hence up to the FAPI standard to define, and they shouldn’t get involved, or at least not to the point of making ‘must’/‘shall’ level declarations.
It may be worth adding some text, perhaps in the introduction, to say something like FAPI is a general purpose spec, and there are further restrictions ecosystems targeting specific use cases may/should make?
Comments (6)
reporter: Daniel Fett suggested we should also add some text to make clear you shouldn’t adopt 90% of FAPI and just ignore some parts.
- changed status to resolved
- changed component to FAPI2: Security Profile
Joseph to create text.