
FAPI WG Meeting Notes (2017-03-15)

Date & Time: 2017-03-15 14:00 UTC

Location: GoToMeeting https://global.gotomeeting.com/join/321819862

The meeting was called to order at 14:05 UTC.

1.   Roll Call

  • Present: Nat, John, Tom, Bjorn, Joseph, Dave.
  • Regrets: Henrik
  • Guest:

3.   Drafts

3.2.   Part 2: Read & Write API Security Profile (John, Nat & Dave)

3.2.1.   PoP other than Token Binding

  • WG discussed new draft for JWT Pop Token Usage <https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01>
  • Discussion around the use of "Common Name" rather than "Distinguished Name"
  • Dave to circulate with UK Open Banking for feedback
  • WG discussed whether there should be "mandatory to implement" sections of the spec
  • WG decided that it was important that the client only needs to support a small number of PoP methods, even if the AS supports many
  • WG discussed how access tokens would be presented (Bearer vs. JPoP). The draft is to be reviewed to ensure this is clear. Feedback was requested on the feasibility of support within the time constraints.

3.2.2.   Hybrid flow mandated?

  • WG discussed Issue #72
  • WG agreed that, where possible, the implementation must support token binding, and where token binding is not supported it must require the hybrid flow
  • Draft to be adjusted

4.   External Orgs

4.1.   UK OBS (Dave)

  • FAPI Spec is in strong consideration
  • Need to work closely to ensure that the spec balances security requirements and real world implementation issues

4.2.   Others

The following were not discussed.

  • No other external orgs were discussed

5.   AOB

5.1.   Next Call (Atlantic)

  • The next call is the Pacific shift and takes place next week.

The meeting adjourned at 15:01 UTC.
