FAPI WG Meeting Notes (2019-01-30)

Date & Time: 2019-01-02 14:00 UTC

Agenda

The meeting was called to order at 14:05 UTC.

1. Roll Call

Things are on track for FAPI conformance test
There may be a delay on banks moving to the FAPI RW standard
RP conformance tests - should be released in the next month, still need to add negative tests
Banks need to provide account holder name, currently this will be in an API response rather than an ID Token
App to App flows are going live
Banks are using multiple well-known configs, with diff auth endpoints to support different brands

The editor is asking when FAPI will move to a final draft, we discussed that when things settle around the OB implementation we should probably move to final
Nat and Dave are feeding back to the editor
Dave asked the WG about guidance for websockets with OAuth.
Ralph explained that this is an area that needs more work, e.g. a lot of libraries don’t support auth headers
There are different security implications and may need to be a different protocol - Dave to ask OAuth WG

Research Paper - Formal analysis of FAPI, this is being reviewed by Nat and will be released shortly
ISO27002 in revision, the identity and access management section is very weak. WG members are encouraged to feedback