FAPI WG Meeting Notes (2019-01-30)
Date & Time: 2019-01-02 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
The meeting was called to order at 14:05 UTC.
- Attending: Nat, Bjorn, Brian, Daniel, Dave, Joseph, Ralph
- Agenda was agreed
- The Cross-Browser Payment Initiation Attack write-up is in the repo as a Markdown document
- WG members to share it bilaterally
- There has been more discussion with STET
- Dates have been pushed back
- Things are on track for FAPI conformance test
- There may be a delay on banks moving to the FAPI RW standard
- RP conformance tests should be released in the next month; negative tests still need to be added
- Banks need to provide the account holder name; currently this will be in an API response rather than in an ID Token
- App to App flows are going live
- Banks are using multiple well-known configurations, with different authorization endpoints, to support different brands
- The editor asked when FAPI will move to a Final draft; we discussed that we should probably move to Final once things settle around the OB implementation
- Nat and Dave are feeding this back to the editor
- Dave asked the WG about guidance for using OAuth with WebSockets
- Ralph explained that this is an area that needs more work, e.g. many libraries do not support authorization headers
- There are different security implications, and a different protocol may be needed; Dave to ask the OAuth WG
- Research paper: the formal analysis of FAPI is being reviewed by Nat and will be released shortly
- ISO 27002 is in revision; the identity and access management section is very weak. WG members are encouraged to provide feedback
- Pacific call next week; Atlantic call in two weeks' time.
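The item above about banks publishing multiple well-known configurations, one per brand, each with its own authorization endpoint, is the kind of setup a client has to handle carefully: every brand's metadata must be fetched and validated separately, and the `issuer` value inside each document must match the issuer the document was fetched for (OpenID Connect Discovery requires this), otherwise one brand's document can steer the client to another brand's endpoints. The following Python example is added here to illustrate that; it is not code from the WG or from any bank. The brand names, hostnames and discovery documents are constructed for the example, and the `fetch_document` function stands in for the HTTPS GET a real client would perform.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (not real bank metadata): one bank,
# three brands, each served from its own issuer. Brand C is deliberately
# misconfigured: its document claims brand A's issuer.
CONSTRUCTED_DISCOVERY_DOCS = {
    "https://auth.brand-a.example.com": json.dumps({
        "issuer": "https://auth.brand-a.example.com",
        "authorization_endpoint": "https://auth.brand-a.example.com/authorize",
        "token_endpoint": "https://auth.brand-a.example.com/token",
        "jwks_uri": "https://auth.brand-a.example.com/jwks",
    }),
    "https://auth.brand-b.example.com": json.dumps({
        "issuer": "https://auth.brand-b.example.com",
        "authorization_endpoint": "https://auth.brand-b.example.com/authorize",
        "token_endpoint": "https://auth.brand-b.example.com/token",
        "jwks_uri": "https://auth.brand-b.example.com/jwks",
    }),
    "https://auth.brand-c.example.com": json.dumps({
        "issuer": "https://auth.brand-a.example.com",
        "authorization_endpoint": "https://auth.brand-c.example.com/authorize",
        "token_endpoint": "https://auth.brand-c.example.com/token",
        "jwks_uri": "https://auth.brand-c.example.com/jwks",
    }),
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Build the OpenID Connect Discovery URL for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_document(issuer: str) -> str:
    """Stand-in for an HTTPS GET of discovery_url(issuer) (constructed data)."""
    try:
        return CONSTRUCTED_DISCOVERY_DOCS[issuer]
    except KeyError:
        raise LookupError(f"no discovery document for {issuer}")


def load_provider_metadata(issuer: str, fetch=fetch_document) -> dict:
    """Fetch and validate one brand's provider metadata.

    Checks: the issuer is https, all required keys are present, the
    document's 'issuer' equals the issuer it was fetched for, and every
    endpoint is https.
    """
    if urlparse(issuer).scheme != "https":
        raise ValueError(f"issuer must use https: {issuer}")
    doc = json.loads(fetch(issuer))
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"{issuer}: missing metadata {missing}")
    if doc["issuer"] != issuer:
        raise ValueError(f"{issuer}: document claims issuer {doc['issuer']}")
    for key in REQUIRED_KEYS[1:]:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{issuer}: {key} is not https: {doc[key]}")
    return doc


def load_brand_endpoints(brand_issuers: dict) -> dict:
    """Map brand name -> validated authorization endpoint.

    Brands whose metadata fails validation are reported under 'rejected'
    rather than silently used, and do not block the other brands.
    """
    endpoints, rejected = {}, {}
    for brand, issuer in brand_issuers.items():
        try:
            meta = load_provider_metadata(issuer)
            endpoints[brand] = meta["authorization_endpoint"]
        except (ValueError, LookupError) as exc:
            rejected[brand] = str(exc)
    return {"endpoints": endpoints, "rejected": rejected}


if __name__ == "__main__":
    result = load_brand_endpoints({
        "Brand A": "https://auth.brand-a.example.com",
        "Brand B": "https://auth.brand-b.example.com",
        "Brand C": "https://auth.brand-c.example.com",
    })
    print(json.dumps(result, indent=2))
```

Running the block prints the per-brand authorization endpoints for brands A and B and lists brand C as rejected because its document claims a different issuer. Keeping one validated metadata record per brand, rather than a single shared one, is what lets the client later check that the issuer of a token matches the brand the user actually started the flow with.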