
FAPI WG Agenda & Meeting Notes (2023-10-25)

The meeting was called to order at 14:03 UTC.

1.   Roll Call (Nat)

  • Attendees: Harsha Mogili, Nat Sakimura, Lukasz Jaroin, Joseph Heenan, Peter Stanley, Dave Tonge, Justin Richer, Kosuke Koiwai, Robert Gallagher, Chris Wood, Mike Leszcz, Takahiko Kawasaki
  • Regrets:

2.   Adoption of agenda (Nat)

  • Adopted as is.
  • OBIE Liaisons

3.   Letter of Acceptance

  • Send letter of acceptance for Security Analysis to AU government
  • See #628
  • Nat received the mandate from the WG to send the letter in line with what we did in phase 1 of WP2.
  • Use statement from first milestone as template

5.   Liaison/Ext Org (Mike/Chris)

5.1.   OBIE (Joseph)

Closure of issue #570 brought up the question of whether they should move to FAPI 1.0 Final or FAPI 2.0, or extend the lifetime of FAPI 1 ID-1.

Banks did not plan for an upgrade in 2024.

The callers agreed to advise the board of March 2025 as the EOL for FAPI 1.0 ID-1.

Joseph is going to create the text for it.

Banks asked whether, if they move to FAPI 1.0 Final, it will also be deprecated.

Will FAPI1 be maintained and how long? Don’t have any definite schedule but should be pretty long for deprecation (4-5 years minimum).

Need more discussion on what maintenance means.

There should be phases for deprecation.

Shouldn’t recommend ecosystems adopt FAPI1 after 2 more years.

Some ecosystems are still considering FAPI1 since they’re not fast movers, so language should not be overly negative to prevent adoption at all.

FAPI 2.0 is still not final so full vendor adoption may not be 100%.

Should not discourage FAPI 1.0 in the meantime.

Peter is concerned about whether FAPI 1 certifications will end. What is the maintenance plan for FAPI 1 and its certification? What is a realistic timescale?

Looking at about 5 years for the FAPI 1 specification and longer for certification.

6.   PRs (Dave)

  • PR #441 - make note around audience param clearer
    • Reworded
    • Awaiting review and approval
    • Wording suggests all endpoints are required to use the token endpoint URL
    • Spec specifies only the Issuer value
    • Don’t want to override the PAR endpoint where it’s required
    • Change to SHOULD instead and not use a Note
  • PR #449 - fixes #624 - "client's misconfigured token endpoint" is confusing
    • Updated wording per comments
  • PR #444 - add clause around message integrity
    • Need corrections for typos
  • PR #438 - attempt to clarify code phishing attack in fapi1
    • Improved wording about code phishing attack
    • Spec does not mitigate this attack due to high requirement for attack
    • Joseph will review and use similar text from FAPI2
  • PR #440 - add text about clock skew
    • Shall allow iat or nbf future values of up to 10 seconds and should reject future values > 60 seconds
    • Notes that DPoP allows reasonable values of seconds or minutes
    • Adds lower bound of 10 seconds for interoperability
    • Typo: “interopatability”
    • What about values in the past?
    • There are several different types of JWTs with different requirements for exp, iat, etc. DPoP, client assertions, request objects
    • DPoP doesn’t require exp
    • Clock skew in the past should not be a problem
    • Solicit feedback from Mark
  • PR #442 - improve wording around which grant and response types are supported
    • Previously discussed to deny resource owner password only
    • Also to make sure that tokens are not allowed in front channel
    • Sounds like the hybrid flow is allowed, as well as response_type=id_token, as there is no requirement to support the authorization code flow. The requirement is part of the sentence “For the Authorization code flow”
    • Suggest changing to “For flows that use the authorization endpoint”
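The clock-skew rule discussed under PR #440 above, as an added example that is not part of the meeting notes or of any FAPI specification text: a Python check of a decoded JWT payload's iat/nbf/exp that accepts future iat/nbf values up to a configurable tolerance (at least 10 s, at most 60 s), ignores skew into the past, and treats exp as optional only for token types that do not require it (as noted for DPoP). The function name, the `future_tolerance` parameter and the sample payloads are assumptions for illustration.

```python
import time

# Bounds from the PR #440 discussion in these notes: a verifier shall accept
# iat/nbf values up to 10 s in the future and should reject values more than
# 60 s in the future. How a deployment treats the range in between is its own
# choice, expressed here as the future_tolerance parameter (an assumption).
REQUIRED_FUTURE_TOLERANCE = 10
MAX_FUTURE_TOLERANCE = 60


def check_time_claims(claims, now=None,
                      future_tolerance=REQUIRED_FUTURE_TOLERANCE,
                      require_exp=True):
    """Validate iat/nbf/exp of a decoded JWT payload; return (ok, reason).

    require_exp distinguishes JWT types: client assertions and request
    objects carry exp, while a DPoP proof need not.
    """
    if not REQUIRED_FUTURE_TOLERANCE <= future_tolerance <= MAX_FUTURE_TOLERANCE:
        raise ValueError("future_tolerance must be between 10 and 60 seconds")
    now = int(time.time()) if now is None else now
    for name in ("iat", "nbf"):
        value = claims.get(name)
        if value is None:
            continue
        if not isinstance(value, int):
            return False, f"{name} is not an integer NumericDate"
        # Only future values are a skew problem; a value in the past is fine
        # ("clock skew in the past should not be a problem").
        ahead = value - now
        if ahead > future_tolerance:
            return False, f"{name} is {ahead}s ahead (limit {future_tolerance}s)"

    exp = claims.get("exp")
    if exp is None:
        if require_exp:
            return False, "exp is required for this JWT type"
        return True, "ok, exp not required"
    if not isinstance(exp, int):
        return False, "exp is not an integer NumericDate"
    if exp <= now:
        return False, "token has expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payloads, checked against a fixed clock of now=1000.
    print(check_time_claims({"iat": 1010, "exp": 1300}, now=1000))   # 10 s ahead: ok
    print(check_time_claims({"iat": 1011, "exp": 1300}, now=1000))   # 11 s ahead: rejected
    print(check_time_claims({"iat": 500}, now=1000, require_exp=False))  # DPoP-style, no exp
```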

8.   AOB (Nat)

8.1.   Clock change

The UK and the US will go off daylight saving time next week and the week after, respectively. This meeting is hinged to UTC, so the meeting time will shift for them. Please be aware of it.

8.2.   The meeting on the IETF week

  • The call the week after conflicts with IETF OAuth WG F2F so we are cancelling it.

The meeting adjourned at 15:00.
