FAPI WG Meeting Notes (2018-01-23)
Date & Time: 2018-01-23 23:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. Upcoming Events
- 4. Issues
- 4.1. #129 TLS cipher restrictions should be relaxed for the authorise endpoint
- 4.2. #127 CIBA: security issues
- 4.3. #116 CIBA - authentication methods and proof of possession
- 4.4. #110 more definition of s_hash
- 4.5. #114 Require state
- 4.6. #128 redirect_uri in url query vs request object
- 4.7. zzz: client_id
- 4.8. Implementer's Draft (Edmund)
- 5. AOB
The meeting was called to order at 23:05 UTC.
- Attending: Nat, Dave, Edmund, Joseph, Bjorn, Tom
- Regrets: John, Anoop
- OAuth Question on the client id added.
Remote participation may be available
Nat will be attending to give a presentation about FAPI and OpenBanking.
Monday afternoon in London. Location TBD. Nat will send out a message asking who is going to attend.
Text for the security consideration was proposed. When the text is added, the ticket should be closed.
Tom wanted it to be a requirement. Dave is going to put it in as a requirement.
Dave has also submitted it to be dealt with at the OAuth security workshop in March.
DISPOSITION: Adopted the proposed text.
DISPOSITION: To close the ticket.
Brian wants the behavior of the AS when state is not in the request to be specified. Nat suggested that s_hash must not be in the ID Token if the request did not have state specified.
DISPOSITION: Proposal accepted. Nat to make a pull request.
Nat proposed to require state in pure OAuth, while making it optional for OIDC.
DISPOSITION: Adopted the direction.
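The two decisions above (s_hash must be absent from the ID Token when the request carried no state; state is required for pure OAuth and optional for OIDC) are straightforward to check at the client. The following is an added example, not text or code from the meeting or the FAPI specifications; the s_hash derivation it uses (base64url of the left-most half of the hash of the ASCII state value, with the hash chosen by the ID Token's alg header) is the definition from FAPI Part 2, which this page does not reproduce, and the shape of the request dictionary is an assumption for illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Hash function selected from the ID Token's JOSE "alg" header.
# Assumption: the usual suffix mapping (RS256/PS256/ES256 -> SHA-256, and so on).
_ALG_TO_HASH = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def s_hash(state: str, alg: str = "RS256") -> str:
    """Derive s_hash: base64url(left-most half of HASH(ASCII(state))), unpadded."""
    digest = _ALG_TO_HASH[alg[-3:]](state.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_state_requirement(request: Dict[str, str]) -> Tuple[bool, str]:
    """Direction adopted for #114: state is mandatory unless the request is OIDC
    (carries the openid scope), where it is optional."""
    is_oidc = "openid" in request.get("scope", "").split()
    if request.get("state") is None and not is_oidc:
        return False, "state is required for a pure OAuth request"
    return True, "state requirement satisfied"


def check_s_hash(state: Optional[str], id_token_claims: Dict[str, str],
                 alg: str = "RS256") -> Tuple[bool, str]:
    """Proposal accepted for #110: s_hash binds the ID Token to the request's
    state, and must not appear at all when the request carried no state."""
    present = id_token_claims.get("s_hash")
    if state is None:
        if present is not None:
            return False, "s_hash present but the request carried no state"
        return True, "no state, no s_hash"
    if present is None:
        return False, "state was sent but the ID Token lacks s_hash"
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    if not hmac.compare_digest(present, s_hash(state, alg)):
        return False, "s_hash does not match the request's state"
    return True, "s_hash matches state"


if __name__ == "__main__":
    # Constructed sample request and ID Token claims (not from any real deployment).
    req = {"scope": "openid accounts", "state": "af0ifjsldkj"}
    claims = {"iss": "https://as.example", "s_hash": s_hash(req["state"], "PS256")}
    print(check_state_requirement(req))
    print(check_s_hash(req["state"], claims, "PS256"))
    print(check_s_hash(None, claims, "PS256"))  # rejected: s_hash without state
```

The same `s_hash` routine serves an authorization server that emits the claim and a client that validates it; only `check_s_hash` encodes the new "must not be present" rule, so existing token-issuance code is unaffected.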
The test suite always sends the client_id in the body.
Waiting for the issues to be cleared.