FAPI WG Meeting Notes (2022-03-09)
- Date & Time: 2022-03-09T14:00Z
- Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- Self: https://bitbucket.org/openid/fapi/wiki/edit/FAPI_Meeting_Notes_2022-02-02_Atlantic
Agenda
- 1. Roll Call (Nat)
- 2. Adoption of Agenda (Nat)
- 3. Events (Nat)
- 4. Internal Liaison (Nat)
- 5. External Organizations (Nat)
- 6. Specs (Nat)
- 7. PRs (Dave)
- 7.1. PR306 - Add refresh token rotation clause and note
- 7.2. PR307 - Rework the TLS section re issue 461
- 7.3. PR311 - Remove support for hybrid flow
- 7.4. PR312 - Make clear that we only support code flow
- 7.5. PR310 - withdraw clause re introspection (re: #417)
- 7.6. PR315 - FAPI2 iss + JARM (Re: #478)
- 7.7. PR316 - Explicitly mention mtls_endpoint_aliases (re: #415)
- 7.8. PR314 (re: #471)
- 8. Issues (Dave)
- 9. AOB (Nat)
The meeting was called to order at 14:04 UTC.
1. Roll Call (Nat)
- Attending:
- Regrets:
- Guest:
2. Adoption of Agenda (Nat)
- Adopted as is
3. Events (Nat)
3.1. OSW 2022 (Daniel)
Early bird tickets are available for the next 8 days.
3.2. IIW Workshop (Mike)
- April 25
- Still trying to find the location in Mountain View.
- Full workshop details will be available this week.
- Working group updates
- Guest speakers
- Torsten will give GAIN PoC updates
- Debbie Bucci on open data initiatives in healthcare.
3.3. IETF OAuth (Rifaat)
- DPoP etc.
5. External Organizations (Nat)
5.1. U. Stuttgart
FAPI 2.0 security review: delivered contract on Tuesday.
5.2. Saudi Arabia
Call with the Central Bank of SA.
5.3. Berlin Group
Next meeting at the end of April.
6. Specs (Nat)
6.3. JARM
- Dave to send out the WGLC.
7. PRs (Dave)
7.2. PR307 - Rework the TLS section re issue 461
Follow the BCP. s/4/3/.
7.3. PR311 - Remove support for hybrid flow
Tending to remove. Please chime in if you think that is not a good idea.
7.4. PR312 - Make clear that we only support code flow
Change back to "shall support" instead of "shall use".
7.6. PR315 - FAPI2 iss + JARM (Re: #478)
The text should be modified so that the client does not use iss outside the JWT.
JARM is not required in FAPI 2.0 Baseline.
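As an added example (not from the minutes or the FAPI specs), a client-side issuer check in the spirit of PR315: when a JARM `response` JWT is present, the issuer is taken only from the verified JWT and any bare `iss` parameter is ignored; without JARM the client falls back to the RFC 9207 `iss` response parameter. The HS256 key, issuer URLs and helper names are constructed for the demo; real JARM responses are signed with asymmetric JWS.

```python
import base64, hashlib, hmac, json

EXPECTED_ISS = "https://as.example.com"   # constructed: the AS the client expects
JARM_HMAC_KEY = b"constructed-demo-key"   # constructed: demo key, HS256 for brevity

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jarm_response(jwt: str, key: bytes) -> dict:
    """Verify the HS256 signature of a JARM response JWT and return its claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JARM response")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))

def issuer_of_response(params: dict, key: bytes) -> str:
    """Return the issuer the client may trust for this authorization response.
    JARM present: iss comes from the verified JWT only; a bare iss parameter is ignored.
    No JARM (e.g. FAPI 2.0 Baseline): use the RFC 9207 iss response parameter."""
    if "response" in params:
        claims = verify_jarm_response(params["response"], key)
        if "iss" not in claims:
            raise ValueError("JARM response lacks iss")
        return claims["iss"]
    if "iss" in params:
        return params["iss"]
    raise ValueError("no issuer in response")

def check_issuer(params: dict, expected_iss: str = EXPECTED_ISS,
                 key: bytes = JARM_HMAC_KEY) -> bool:
    """True only if the trusted issuer of the response matches the expected AS."""
    return issuer_of_response(params, key) == expected_iss

def make_jarm(claims: dict, key: bytes = JARM_HMAC_KEY) -> str:
    """Constructed test helper: mint an HS256 JARM response JWT."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    s = _b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{s}"

if __name__ == "__main__":
    # A bare iss naming the right AS next to a JWT from another issuer must not pass.
    spoof = make_jarm({"iss": "https://other.example.com", "code": "c2", "state": "s1"})
    print(check_issuer({"response": spoof, "iss": EXPECTED_ISS}))  # False
```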
7.8. PR314 (re: #471)
Add an explicit clause about the lifetime of request_uri.
Maybe a good idea, but the attacker model does not directly imply it. Also, it may be a limiting factor for some use cases.
8. Issues (Dave)
#481 - try to absorb it into FAPI 2.0 Advanced.