FAPI WG Meeting Notes (2017-03-21)
Date & Time: 2017-03-21 22:00 UTC
- The call started one hour earlier as the calendar entry was pegged to US time rather than UTC.
- More discussion about it in AOB.
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. Drafts
- 3.1. Part 1: Read Only API Security Profile
- 3.2. Part 2: Read & Write API Security Profile
- 3.3. Part 3: Open Data API
- 3.4. Part 4: Protected Data API and Schema - Read only
- 3.5. Part 5: Protected Data API and Schema - Read and Write
- 4. External Orgs
- 5. AOB
The meeting was called to order at 15:10 UTC.
- Attending: John, Nat, Edmund, Tom, Henrik, Joseph
- Regrets: Tony, Anoop, Sascha
- Agenda adopted as presented.
3.2.1. PoP other than Token Binding - https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
- We need both raw and artifact version of JPOP token
- Artifact version needs to be introspected.
- Need new claim "jty": JPOP / JPOPA (for artifact)
- Resources discovery: abstract resource identifier.
- AT needs to include aud.
- Resource server returns a header that includes the resource server metadata URI.
- Resource server metadata format needs to be defined. Mike had one in the past.
- it uses .well-known, which is not good.
- Security consideration on TLS binding on the server side if the server has access to TLS info.
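The discussion above sketches what a resource server would have to check once the access token carries an "aud" and a "jty" claim: reject a token not issued for this resource, and treat a raw JPOP token and a JPOPA artifact differently (the artifact has to be introspected). The following is an added illustration, not code from the working group or from the jpop draft; it assumes an HS256-signed JWT with a shared demo key, an assumed resource identifier, and uses "jti" as the artifact reference and RFC 7800 "cnf" as the proof-of-possession key holder, none of which the notes specify.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions): a real resource server would obtain the
# verification key from the authorization server's metadata, not hard-code it.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
RESOURCE_ID = "https://rs.example.com/accounts"   # assumed abstract resource identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side: mint an HS256-signed JWT carrying the given claims (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_access_token(token: str, expected_aud: str = RESOURCE_ID,
                       key: bytes = DEMO_KEY, now: Optional[int] = None) -> dict:
    """Resource-server side checks drawn from the notes:
       * the signature must verify and the alg must be the one we expect,
       * "aud" must name this resource server (token issued for someone else is refused),
       * "jty" selects handling: JPOP is a raw, self-contained token; JPOPA is an
         artifact that cannot be accepted locally and must be sent to introspection.
       Returns a decision dict; raises ValueError on any hard failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # pin the algorithm: never let the token choose how it is verified
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("aud mismatch: token was not issued for this resource")
    jty = claims.get("jty")
    if jty == "JPOP":
        # raw token: the cnf key (assumed, RFC 7800) is what the PoP check binds to
        return {"accepted": True, "needs_introspection": False, "cnf": claims.get("cnf")}
    if jty == "JPOPA":
        # artifact: opaque to us, hand the reference to the introspection endpoint
        return {"accepted": False, "needs_introspection": True,
                "artifact": claims.get("jti")}
    raise ValueError("unknown or missing jty")


if __name__ == "__main__":
    raw = mint_token({"aud": RESOURCE_ID, "jty": "JPOP", "exp": 2_000_000_000,
                      "cnf": {"jwk": {"kty": "oct", "k": "demo"}}})
    print(check_access_token(raw, now=1_000))
    art = mint_token({"aud": [RESOURCE_ID, "https://other.example"], "jty": "JPOPA",
                      "jti": "art-1"})
    print(check_access_token(art))
```

The aud check is the part that matters for the resource-discovery item: a token minted for one resource server is refused by every other, which is what makes the abstract resource identifier worth carrying in the token.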
#77, #78: Edmund created a branch for discussion. It is capturing the good practice for authentication protocols.
- Lengthy discussion followed. While this method leaks less information to attackers, for the known attacks, enforcing JWT client authentication seems adequate. For FAPI purposes, we probably do not need it, while it would make a good discussion point at the July OAuth Security Workshop in Zurich.
- The difference in the security characteristics for including client intent in the authorization request or not is whether Authorization Server can detect badly configured client or not.
- 4. External Orgs: not recorded.
- 5. AOB: IETF wants another chair for the OAuth WG, one who knows the administrative process.