3.1.   OpenID Foundation Mountainview Workshop (Mike)

April 25 @ Google.

Link: https://openid.net/2022/03/22/registration-open-for-openid-foundation-workshop-at-google-monday-april-25-2022/

Hybrid

Registration needed and is closing in a few days: https://openid.net/2022/03/22/registration-open-for-openid-foundation-workshop-at-google-monday-april-25-2022/

FAPI Presentation Deck needed.

3.2.   OpenID Foundation Berlin Workshop (Mike)

May 10, Tue.

https://www.kuppingercole.com/sessions/5048/1

3.3.   OSW 2022 (Daniel)

May 4 - 6 @ Trondheim

In-person only

https://oauth.secworkshop.events/osw2022

OIDF and Microsoft sponsored the event.

Tickets are still available.

5.1.   Australia (Gail/Mike L.)

n/a

5.2.   Brazil (Mike L.)

Mike and Joseph had a meeting with Open Insurance (OPIN) regarding certification, fees, testing process, submissions, and payment process.

Will have 68 institutions to certify between June and August and will use the Brazil conformance tests.

5.3.   Berlin Group (Daniel)

Follow up meeting has not happened but wrote that they would like to discuss some FAPI technical items.

Regulators in Israel asked BG for a localized version of OB standards for their 1st phase open banking implementation. (Account info)

Looking to align second phase Payment initiation with both BG and FAPI.

Global Open Finance Technical Working Group is planning a meeting on May 5. Dave and Gail will be presenting on behalf of OIDF.

Meeting Agenda:

• Global Open Finance Technical Standards Work Group Meeting- Member Presentation:
• OpenID Foundation presentation on Open Banking, Open Data and Financial-grade APIs
• OpenID Foundation Whitepaper on Open Banking
• International movement towards Open Banking, Open Finance, and secure, consent driven access to all user data.
• Financial-Grade API (FAPI) Working Group’s experience with Open Banking ecosystems internationally
• Process of standards development, user experience, consent flow, security research Attack and threat model, mathematical proofs, testing implementations
• The role of conformance testing in driving out inefficiency and improving security
• Selected studies in implementation (UK, Australia, Brazil).
• What did we learn?
• Questions and comments
• Member Presentation: Berlin Group Story of Berlin Group and PSD2 Structure, Governance, standards development,
• Specifications rather than implementation From PSD2 to Open Finance - scope of thinking
• Exploring relationship with FAPI Questions and Comments

Interested parties can contact Brian.Costello@ed.ac.uk for more information.

5 May from 11:00 AM – 13:00 PM BST.

5.4.   EU DIW ARF (Gail)

Architecture Reference Framework

OIDF (Torsten, Gail, others) has created a response to the call for contributions and sent it out.

5.5.   FDX (Mike L.)

• n/a

5.6.   GAIN (Mike L.)

CG meeting is going well. Next one is tomorrow.

• Discussions on how participants can discover each other.

Speaking at Identity Week London Now, EIC, Identiverse, etc.

5.7.   ISO/TC68 (Nat/Dave)

• n/a

5.8.   The Middle East and North Africa (Chris)

Israel: see BG.

Saudi:

• Work is progressing on the localized standard.
• Waiting for the project to officially kick off.
• 1st standard to come in June.
• Very strong regime of certification.

Bahrain is updating their standards

UAE, Oman, Qatar, etc. would be following soon.

5.9.   Mexico (Gail)

• n/a

5.10.   Nigeria (Mike)

In the process to schedule a second call.

5.11.   OECD (Nat)

Call for contribution for privacy enhancing technology by April 27.

Nat has created an outline of the white paper for the privacy aspect of technology.

Due to confidentiality requirements, contact Nat for details and/or provide feedback.

5.12.   UK (Chris)

• Published ver. 3.1.10 -- final version to be published under CMA order.
• What happens to OBIE, Open Finance, etc. is not known yet.

5.13.   USA (Gail)

n/a

9.1.   Grant Management (Dima)

Working on issues

9.2.   FAPI DCR/M (Dynamic client registration and Management) (Joseph)

Joseph has started work on the draft and may have a version available by the next meeting

9.3.   Advanced authorization (Dima)

Will address issues in person

9.4.   FAPI 2 Attack, Baseline and Advanced (Daniel)

Perhaps look at the open issues at OSW.

9.5.   JARM (Brian)

Merged outstanding PR

Closed last remaining issue

It’s ready for the next step in draft process

Only editorial changes have been made since the last draft.

Nat will contact Mike Jones for the next step

Can probably go straight to Final

Dave will start WG last call

11.1.   #494 FAPI1Adv: Apparent inconsistency in RP tests compared to OP tests

In the FAPI1Adv RP tests, we have a test for clause 5.2.3-10 in FAPI1-base:

shall verify that the scope received in the token response is either an exact match or contains a subset of the scope sent in the authorization request

The test includes an extra random scope in the token endpoint response, and expects the client to fail.

In the FAPI1Adv OP tests, we don’t appear to do any checks on the scope returned by the token endpoint, i.e. we don’t seem to be failing OPs if they decide to return extra unrequested scopes.

The FAPI1Adv spec did not require scope to be returned from the token endpoint

A Brazil bank returned token with additional scope to RPs causing clients to fail

The conformance test should

1. Update OP to check for scope at the token endpoint
2. Remove the RP test

Conformance suite only tests FAPI 1 Advanced but not baseline. Carryover from baseline to Advanced does not seem to make sense, but we cannot change the specs.

WG decided to delete the RP test.

If this really needs to be fixed, we can do an FAPI 1.1.

Accumulate FAPI 1 issues and decide how to handle them.