fapi / FAPI_Meeting_Notes_2023-10-19_Pacific

FAPI WG Agenda & Meeting Notes (2023-09-21)

Date & Time: 2023-10-19 00:00 UTC

Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09

The meeting was called to order at 00:00 UTC.

1.   Roll Call (Anoop)

  • Attendees: Nat, Mark Verstege, Bjorn, Dima, Edmund
  • Regrets:

2.   Recap of Atlantic Meeting

Saudi Arabian profile discussions

  • Potentially moving to FAPI 2
  • Currently using FAPI1 w/PAR/PKCE
  • Migration should be easy

Discussions about Vendor Support of FAPI2

  • Certification page lists 10 certified implementations
  • FAPI1 has more support
  • Lots of vendors support underlying specs so FAPI2 is also supported
  • Only the motions of going through certification remain
  • Support of the Issuer in the authorization response needs to be configured
  • Message Signing mechanisms are a part of FAPI1 so they should be widely supported as well
  • HTTP Signing support is new in FAPI2

PRs were discussed but were not merged

  • Needs more discussion with Dave, who was not present

Formal Analysis was completed

  • Has 2 cases
  • Identity layer is out of scope for FAPI 2
  • Added OIDC to the analysis
    • User is work authenticated to the client using OIDC
    • Session mix-up didn't
    • For FAPI2, if such attacks are of concern, OIDC/identity layer is strongly recommended in conjunction with FAPI2

Mark will approve PR regarding clock skew

Dima needs to fix links in WG page but has no permissions

  • Will work w/MikeL to resolve

ConnectID is live in production in AU

  • Suggest making a blog post about it

3.   Next Call

Next call will be a Pacific call. Next Pacific call will be in two weeks (10-05-2023 @ 5pm PST) UTC - 10-05-2023 1:00 AM.