FAPI WG Agenda & Meeting Notes (2023-12-13)

Date & Time: 2023-12-13 14:00 UTC
Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09

Agenda

1. Roll Call (Nat)
2. Adoption of agenda (Nat)
3. Liaisons
- 3.1. CAMARA Project (Bjorn)
- 3.2. Open Finance Brazil (Mike L.)
4. Events
- 4.1. Japan Workshop (Mike L.)
5. Voting for Errata
6. CFPB Response (Mark)
7. Issues & PRs (Nat)
- 7.1. PRs
- 7.2. Issues:
  - 7.2.1. one-time use of request_uri causing error
8. AOB (Nat)

The meeting was called to order at 14:04 UTC.

1. Roll Call (Nat)

Attendees: Mike L., Nat, Peter Wallach, Daniel Fett, Mark Haine, Kosuke Koiwai, Brian Campbell, Dima Postnikov, Bjorn Hjelm, Victor Lu, Justin Richer. Peter Stanley (OBL), Domingos Creado, Joseph Heenan, Mark Andrus
Regrets: Dave,

2. Adoption of agenda (Nat)

CAMARA Project report added.

3. Liaisons

3.1. CAMARA Project (Bjorn)

Issue #632 - Security profile for CAMARA

Reached out to Camara leadership about doing a presentation.

Proposal to do FAPI update on Dec. 20 15:00 UTC. 20 minutes slot. Nat intends to attend but he will reach out to

Dave as well as he would be more alert. From the certification team, Mike L. and Domingos will be there.

They are interested in certification profiles as well.

3.2. Open Finance Brazil (Mike L.)

Certification team is working on finishing the new conformance profile

Recertification will begin end of January

New tests expected to be deployed by Dec 18

Joseph and Mike have scheduled calls to keep up to date

Gail and Mike had call with Chicago Advisory regarding both organizations’ 2024 plans

Discussed some opportunities around Paris CityHub and Rio Nov 2024

4. Events

4.1. Japan Workshop (Mike L.)

Thursday Jan 18, 2024 Hybrid Workshop 8-11 PST

Workshop information, including registration link: https://openid.net/registration-oidf-workshop-tokyo-2024/
Registration is REQUIRED.

5. Voting for Errata

Vote to Approve Proposed Second Errata Set for OpenID Connect Specifications: https://openid.net/foundation/members/polls/325

6. CFPB Response (Mark)

Comments being prepared on the spreadsheet.

Mark is still working on it.

Would like to call out that something FAPI-like is an important standard to incorporate into their rule making

It seems it is a good idea to hinge on their use of the words "communication protocol". (Page 77)

There needs to be a requirement for a qualified industry standard for the communications protocol.

Mark will create the response for review and notify the WG. In the meantime, if you have additional comments, please add to the spreadsheet above.

Mark will continue working on responses and a supporting letter that points out the big themes and general feedback that aren’t associated with specific questions.

Don Cardinal has pointed out a use case where the US government has explicitly named OpenID Connect as a standard that should be used,

Speak of the pros/cons of having/not having security requirements, lessons learned from other ecosystems,

It seems CFPB is very interested in authentication and data security,

Authentication of third parties and authentication of consumers need to be differentiated. Will notify WG when the response is ready for review.

7. Issues & PRs (Nat)

7.1. PRs

PR #442 - improve wording around which grant and response types are supported
- Linked issue ~~#577~~ - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
- Reviewed and it looks good except for missing back ticks. It will be merged once this is fixed.
PR #440 - add text about clock skew
- Linked issue ~~#603~~ - Require servers to allow for clock skew
- Merged
PR #453 - editorial: make shall only consistent
- Linked issue ~~#631~~ - shall vs shall only
- Changed to “Shall only support confidential clients”
- Merged

7.2. Issues:

7.2.1. one-time use of request_uri causing error

It was found in Australia that one time usage for request_uri in PAR causes errors in some browser-to-app interactions.

A combination of browser and virus checker was consuming the PAR uri by the time the client got the PAR response.

May need some guidance regarding relaxing the strict one time usage of PAR uri.

Wording from PAR:

Authorization servers SHOULD treat request_uri values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent.

https://www.rfc-editor.org/rfc/rfc9126.html#section-4

Relaxing one time usage may be dangerous but might be practical

May write implementation advice/note that these situations may arise

Dima is going to open the issue. We are going to reach out to the Stuttgart team to find if it is a show-stopper if we relax it.

8. AOB (Nat)

We will have a call on Dec. 20.
Call on Dec 27 and the week after is cancelled.

The meeting adjourned at 14:55.

Wiki

fapi / FAPI_Meeting_Notes_2023-12-13_Atlantic