1.   Roll Call (Nat)

• Attending:
  • Daniel Fett
  • Dave Tonge
  • Filip Skokan
  • George Fletcher
  • Joseph Heenan
  • Justin Richer
  • Mike Leszcz
  • Nat Sakimura
  • Tim Würtele
  • Craig Borysowich
  • David Januchowski
  • Dima Postnikov
  • Justin Richer
  • Lukasz Jaromin
  • Pieter Kasselman
  • Rifaat Shekh-Yusef
  • Takahiko Kawasaki
  • Kosuke Koiwai
• Regrets:
• Guest:

2.   Adoption of Agenda (Dave/Nat)

Adopted as is.

3.   External Orgs & Liaisons (Dave/Nat)

4.   PRs (Dave/Nat)

• PR #367 - Add security consideration for CSRF attack

  • Related to #534 - Authorization Request Leaks lead to CSRF
  • Affects redirect based flows
  • Proposed mitigations reduce the attack surface but may not prevent the attacks
  • Daniel to review and propose wording to align with security BCP
  • Security analysis will formulate the session integrity properties to exclude this case

• PR #363 - FAPI2SP: Add requirement for RP to use discovery

  • Already required OP to support discovery so requiring RPs to use it provides extra protections for some attacks as discussed in #525 - decide-on-what-to-do-for-a-cuckoo-s-token

  • And #526 - Decide on B. Access Token Injection with ID Token Replay

  • The attacker model states for A5:

    • When the token endpoint address is obtained from an authoritative source and via a protected channel, e.g., through OAuth Metadata obtained from the honest AS, this attacker is not relevant.

  • In reality, attacker’s issuer URL can be injected

  • Add clause for clients to verify the issuer value in the discovery document matches the discovery URL. But it is a problem for multi-tenancy where they do not have control of the URLs

  • Many clients do not check the issuer to the location of the discovery document.

  • A lot of implementations are not really very strict around the relationship between issuer and the discovery metadata.

  • Daniel to provide wording.

• PR #364 - FAPI2SP: Add security consideration for cuckoo's token attack

  • Related to #525 - Decide on what to do for A. Cuckoo’s Token Attack
  • PR does not prevent attack but makes it more difficult to attack
  • Preconditions for attack are listed
  • 3 mitigations are proposed
  • Client checks the authorization server from which access token is received and is the authority AS for the resource server. This is implicitly implied and is not in the specs.
  • Document this in the analysis.

• PR #368 - Add mentions of Authorization Code Binding to DPoP key

  • Added that AS shall support “Authorization Code Binding to DPoP Key” but is optional for clients

• PR #366 - Add place holder so links to JARM spec in old location aren't 404s

  • Merged

5.   Issues (Dave/Nat))

• #541 HTTP Signatures (Justin)
  • Feedback for requirements for HTTP signatures
  • Don’t sign ‘date’ header but the ‘created’ header
• #540 - Use of eKYC-IDA spec with CIBA/FAPI-CIBA
  • IDA requires use of CIBA and claims parameters but CIBA does not support claims parameter.
  • Need to decide in which WG to resolve this issue (eKYC, Modrna, or CIBA)

6.   AOB (Dave/Nat))

The call adjourned at 15:00 UTC

7.   Chat Log