FAPI WG Meeting Notes (2018-01-23)
Date & Time: 2018-01-23 23:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. Upcoming Events
- 4. Issues
- 4.1. #129 TLS cipher restrictions should be relaxed for the authorise endpoint
- 4.2. #127 CIBA: security issues
- 4.3. #116 CIBA - authentication methods and proof of possession
- 4.4. #110 more definition of s_hash
- 4.5. #114 Require state
- 4.6. #128 redirect_uri in url query vs request object
- 4.7. zzz: client_id
- 4.8. Implementer's Draft (Edmund)
- 5. AOB
The meeting was called to order at 23:05 UTC.
1. Roll Call
- Attending: Nat, Dave, Edmund, Joseph, Bjorn, Tom
- Guest:
- Regrets: John, Anoop
2. Adoption of the Agenda (Nat)
- OAuth Question on the client id added.
3. Upcoming Events
3.1. Open Banking (Don)
Remote participation may be available
3.2. API Days (Nat)
Nat will be attending to do a presentation about FAPI and OpenBanking
3.3. Informal FAPI meeting
Monday afternoon in London. Location TBD. Nat will send out a message asking who is going to attend.
4. Issues
4.1. #129 TLS cipher restrictions should be relaxed for the authorise endpoint
What is currently in the pull request seems to be good text. If there is no objection, we should adopt it.
ASK: Adopted the pull request.
4.2. #127 CIBA: security issues
Text for the security consideration was proposed. When the text is added, the ticket should be closed.
Tom wanted it to be a requirement. Dave is going to put it as the requirement.
Dave also has submitted it to be dealt with at the OAuth security workshop in March.
DISPOSITION: Adopted the proposed text.
4.3. #116 CIBA - authentication methods and proof of possession
New text was provided. https://bitbucket.org/openid/fapi/diff/Financial_API_WD_CIBA.md?diff1=6ef7ed915782&diff2=cf71704c2d24aa59c06acc5a9294d9ab6876fb15&at=master
DISPOSITION: To close the ticket.
4.4. #110 more definition of s_hash
Brian wants the behavior of the AS when state is not in the request to be specified. Nat suggested that s_hash must not be in the ID Token if the request did not have state specified.
DISPOSITION: Proposal accepted. Nat to make a pull request.
4.5. #114 Require state
Linked to #110.
Nat proposed to require state in pure OAuth, while making it optional for OIDC.
DISPOSITION: Adopted the direction.
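The two directions adopted under #110 and #114 (s_hash must be absent when the request carried no state; state required for pure OAuth, optional for OIDC), as an added Python example that is not part of these minutes or the FAPI test suite. The s_hash construction (base64url of the left-most half of the hash of the ASCII state, hash chosen by the ID Token's alg) follows the FAPI Part 2 definition; the `profile` argument and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JOSE alg (FAPI Part 2 s_hash rule).
_ALG_TO_HASH = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}


def s_hash(state: str, alg: str) -> str:
    """base64url(left-most half of hash(ASCII state)); hash follows alg."""
    if alg not in _ALG_TO_HASH:
        raise ValueError(f"unsupported ID Token alg: {alg}")
    digest = hashlib.new(_ALG_TO_HASH[alg], state.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_state_binding(profile: str, request_state, id_token_claims: dict,
                        alg: str) -> bool:
    """Client-side check of the state <-> s_hash binding (hypothetical helper).

    profile: "oauth" (state required, per #114) or "oidc" (state optional).
    request_state: the state the client sent, or None if it sent none.
    """
    if profile not in ("oauth", "oidc"):
        raise ValueError(f"unknown profile: {profile}")
    if request_state is None:
        if profile == "oauth":
            return False            # pure OAuth: state is mandatory
        # No state in the request: s_hash must not appear (per #110).
        return "s_hash" not in id_token_claims
    claimed = id_token_claims.get("s_hash")
    if not isinstance(claimed, str):
        return False                # state was sent but no s_hash came back
    # Constant-time compare against the locally recomputed value.
    return hmac.compare_digest(claimed, s_hash(request_state, alg))
```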
4.6. #128 redirect_uri in url query vs request object
Pull request: https://bitbucket.org/openid/fapi/pull-requests/42/part-2-require-redirect_uri-to-be-inside/diff
4.7. zzz: client_id
Test suite always sends client id in the body.
4.8. Implementer's Draft (Edmund)
Waiting for the issues to be cleared.
5. AOB
5.1. Next Call (Atlantic)
The next call is scheduled to be in the Atlantic time zone.
- The meeting was adjourned at 23:55 UTC.