FAPI WG Meeting Notes (2017-03-15)
Date & Time: 2017-03-15 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
- 1. Roll Call
- 2. Adoption of the Agenda (Dave)
- 3. Drafts
- 4. External Orgs
- 5. AOB
The meeting was called to order at 14:05 UTC.
1. Roll Call
- Present: Nat, John, Tom, Bjorn, Joseph, Dave.
- Regrets: Henrik
- Guest:
2. Adoption of the Agenda (Dave)
- Adopted as is
3. Drafts
3.1. Part 1: Read Only API Security Profile (Dave)
3.1.1. Can vs May <https://bitbucket.org/openid/fapi/issues/76/meaning-of-can>
- Sacha has opened a pull request
- Consensus to change "can" to "may"
3.2. Part 2: Read & Write API Security Profile (John, Nat & Dave)
3.2.1. PoP other than Token Binding
- WG discussed the new draft for JWT PoP Token Usage <https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01>
- Discussion around the use of "Common Name" rather than "Distinguished Name"
- Dave to circulate with UK Open Banking for feedback
- WG discussed whether there should be "mandatory to implement" sections of the spec
- WG decided that it was important that the client only needs to support a small number of PoP methods, even if the AS supports many
- WG discussed how access tokens would be presented: Bearer vs jpop (PoP). Draft to be reviewed to ensure this is clear. Feedback requested on the feasibility of support within the time constraints.
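As an added illustration of the Bearer vs PoP presentation question (example code written for these notes, not from the jpop draft or any FAPI implementation): a resource server that has already verified the access token's signature decides whether the token is bearer or holder-of-key. The binding method assumed here is the RFC 7800 `cnf` claim carrying an `x5t#S256` certificate thumbprint checked against the client certificate presented on the mutual-TLS connection; the jpop draft's own encoding is not on this page. The certificate bytes, issuer and claims are constructed sample data. The point the WG raised, a client supporting only a few PoP methods, shows up as the rule that a `cnf` method the server does not implement is rejected rather than downgraded to bearer.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JOSE thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def check_presentation(claims: dict, client_cert_der: Optional[bytes]) -> str:
    """Decide how an already signature-verified access token may be used.

    Returns "bearer", "pop" or "reject". Signature, exp and aud checks are
    assumed to have been done before this point (not shown).
    """
    cnf = claims.get("cnf")
    if cnf is None:
        # No confirmation claim: a plain bearer token (RFC 6750).
        return "bearer"
    if not isinstance(cnf, dict):
        return "reject"
    # A cnf claim means the token is holder-of-key. Only the methods this
    # resource server implements are acceptable; an unknown method is
    # rejected, never silently treated as bearer.
    thumb = cnf.get("x5t#S256")
    if not isinstance(thumb, str):
        return "reject"
    if client_cert_der is None:
        # PoP token replayed over a connection without the bound key.
        return "reject"
    expected = cert_thumbprint(client_cert_der).encode("ascii")
    if hmac.compare_digest(expected, thumb.encode("utf-8")):
        return "pop"
    return "reject"


# Constructed sample data (not real certificates): any byte string stands in
# for the DER certificate presented on the mutual-TLS connection.
LEGIT_CERT = b"constructed-der-for-client-A"
OTHER_CERT = b"constructed-der-for-client-B"

# Constructed claims; "https://as.example" is a placeholder issuer.
BEARER_CLAIMS = {"iss": "https://as.example", "sub": "alice", "scope": "accounts"}
POP_CLAIMS = dict(BEARER_CLAIMS, cnf={"x5t#S256": cert_thumbprint(LEGIT_CERT)})
UNKNOWN_POP_CLAIMS = dict(BEARER_CLAIMS, cnf={"kid": "some-other-pop-method"})


def demo() -> dict:
    """Run the five presentation cases a resource server has to get right."""
    return {
        "bearer_no_cert": check_presentation(BEARER_CLAIMS, None),
        "pop_right_cert": check_presentation(POP_CLAIMS, LEGIT_CERT),
        "pop_wrong_cert": check_presentation(POP_CLAIMS, OTHER_CERT),
        "pop_no_cert": check_presentation(POP_CLAIMS, None),
        "pop_unknown_method": check_presentation(UNKNOWN_POP_CLAIMS, LEGIT_CERT),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The case worth noting is `pop_no_cert`: a leaked PoP token presented as if it were a bearer token must fail, which is the property that distinguishes the two presentation modes in practice.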
3.2.2. Hybrid flow mandated?
- WG discussed Issue #72. WG agreed that where possible the implementation must support token binding and, if token binding is not supported, must require the hybrid flow
- Draft to be adjusted
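Added example (not code from the draft or the WG): the property the hybrid flow gives a client that cannot rely on token binding is that the ID token returned in the front channel carries `c_hash`, a hash of the authorization code, so a code substituted into the response by an attacker no longer matches. The check below follows OpenID Connect Core 3.3.2.11 for the half-hash computation and also checks `s_hash` for `state`, which is assumed here to be required as in FAPI Part 2. The issuer, subject, audience and the authorization-server-side `issue_id_token_claims` are constructed for the example; JWS signature, `iss`/`aud`/`exp` and `nonce` verification are assumed to have been done by a JOSE library before these checks run.

```python
import base64
import hashlib
import hmac
import secrets

# The hash used for c_hash/s_hash is the one underlying the ID token's JWS
# alg (OpenID Connect Core 3.3.2.11): SHA-256 for the *256 algorithms, etc.
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str, alg: str) -> str:
    """base64url of the left-most half of hash(ASCII(value)).

    This is how c_hash, s_hash and at_hash are all computed."""
    digest = _HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def issue_id_token_claims(code: str, state: str, alg: str) -> dict:
    """Authorization-server side (constructed): bind the code and state into
    the ID token that the hybrid flow returns alongside the code."""
    return {
        "iss": "https://as.example",  # placeholder issuer
        "sub": "alice",
        "aud": "client-1",
        "c_hash": half_hash(code, alg),
        "s_hash": half_hash(state, alg),
    }


def verify_hybrid_response(id_token_claims: dict, alg: str, code: str, state: str) -> bool:
    """Client side: accept the authorization response only if the code and
    state it carries are the ones the signature-verified ID token vouches for.

    A missing hash is a failure, not an unbound response."""
    c_hash = id_token_claims.get("c_hash")
    s_hash = id_token_claims.get("s_hash")
    if not isinstance(c_hash, str) or not isinstance(s_hash, str):
        return False
    ok_code = hmac.compare_digest(c_hash.encode("ascii"), half_hash(code, alg).encode("ascii"))
    ok_state = hmac.compare_digest(s_hash.encode("ascii"), half_hash(state, alg).encode("ascii"))
    return ok_code and ok_state


def demo() -> dict:
    """Honest response versus two tampered responses, using fresh random values."""
    alg = "PS256"
    state = secrets.token_urlsafe(16)
    code = secrets.token_urlsafe(32)
    claims = issue_id_token_claims(code, state, alg)
    injected_code = secrets.token_urlsafe(32)  # a code the attacker obtained elsewhere
    return {
        "honest_response": verify_hybrid_response(claims, alg, code, state),
        "code_injection": verify_hybrid_response(claims, alg, injected_code, state),
        "state_substitution": verify_hybrid_response(claims, alg, code, "attacker-state"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the ID token is signed by the authorization server, the attacker cannot produce a matching `c_hash` for a code of their choosing; that is what makes the hybrid flow an acceptable fallback when the code cannot be token-bound.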
4. External Orgs
4.1. UK OBS (Dave)
- FAPI Spec is in strong consideration
- Need to work closely to ensure that the spec balances security requirements and real world implementation issues
5. AOB
5.1. Next Call (Atlantic)
- Next call is the Pacific shift, next week.
The meeting adjourned at 15:01 UTC.