FAPI WG Agenda & Meeting Notes (2023-12-14)

Date & Time: 2023-12-15 00:00 UTC

Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09

The meeting was called to order at 00:00 UTC.

1.   Roll Call (Anoop)

  • Attendees: Bjorn, Dima, Nat, Ed, Anoop
  • Regrets:

2.   Events Update

  • Japan Event

Thursday Jan 18, 2024 Hybrid Workshop 8-11 PST

Workshop information, including registration link: https://openid.net/registration-oidf-workshop-tokyo-2024/ Registration is REQUIRED.
  • FDX - March 2024

https://www.financialdataexchange.org/FDX/FDX/Events/Event_display.aspx?EventKey=GSSPRING24

3.   Liaison/Ext Org

  • CAMARA

Issue #632 - Security profile for CAMARA https://bitbucket.org/openid/fapi/issues/632/security-profile-for-camara

Reached out to Camara leadership about doing a presentation.

Proposal to do a FAPI update on Dec. 20 at 15:00 UTC, in a 20-minute slot. Nat intends to attend, but he will reach out to Dave as well, as he would be more alert. From the certification team, Mike L. and Domingos will be there.

They are interested in certification profiles as well.

  • CFPB draft rules 1033:

https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/

https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-reg-text-with-1001_2023-10.pdf

Themes of feedback are listed in https://docs.google.com/spreadsheets/d/14x6BOqO8l5-yjk0qm1m6aaDwjqpseLgMTCIx_Rd036I/edit?usp=sharing

Here is a page with the full proposed rule and link for submitting comment: https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights

4.   Issues

  • one-time use of request_uri causing error

It was found in Australia that one-time use of request_uri in PAR causes errors in some browser-to-app interactions.

A combination of browser and virus checker was consuming the PAR URI by the time the client got the PAR response.

May need some guidance regarding relaxing the strict one-time use of the PAR URI.

Wording from PAR:

Authorization servers SHOULD treat request_uri values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent.

https://www.rfc-editor.org/rfc/rfc9126.html#section-4

Relaxing one-time use may be dangerous but might be practical.

May write an implementation advice/note that these situations may arise.

Dima is going to open the issue. We are going to reach out to the Stuttgart team to find if it is a show-stopper if we relax it.
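
The difference between the two behaviours discussed above, as an added example that is not part of the meeting notes or any FAPI text: a strict store burns the request_uri on first dereference, while a relaxed store (one possible relaxation, assumed here) burns it only when authorization completes or the lifetime expires. Class, function and client names are hypothetical, and the scanner/browser sequence is constructed.

```python
import secrets
import time

PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN form used in RFC 9126 examples

class RequestUriStore:
    """Hypothetical in-memory PAR store; strict=True burns the URI on first hit."""

    def __init__(self, strict, ttl=60, clock=time.monotonic):
        self.strict, self.ttl, self.clock = strict, ttl, clock
        self._entries = {}

    def push(self, client_id, params):
        uri = PREFIX + secrets.token_urlsafe(32)
        self._entries[uri] = {"client_id": client_id, "params": params, "hits": 0,
                              "done": False, "expires": self.clock() + self.ttl}
        return uri

    def _live(self, uri):
        e = self._entries.get(uri)
        if e is None or e["done"] or self.clock() >= e["expires"]:
            return None
        return e

    def authorize(self, client_id, uri):
        """Called on every GET to the authorization endpoint."""
        e = self._live(uri)
        # The URI must be live, issued to this client, and (strict) unused.
        if e is None or e["client_id"] != client_id or (self.strict and e["hits"]):
            return None
        e["hits"] += 1
        return e["params"]

    def complete(self, uri):
        """Called when the authorization code is issued; always final."""
        e = self._live(uri)
        if e is not None:
            e["done"] = True
        return e is not None

def prefetch_scenario(strict):
    """Constructed sequence: scanner hit, real browser hit, then a replay."""
    store = RequestUriStore(strict)
    uri = store.push("client-a", {"scope": "accounts"})
    scanner = store.authorize("client-a", uri) is not None
    browser = store.authorize("client-a", uri) is not None
    finished = browser and store.complete(uri)
    replay = store.authorize("client-a", uri) is not None
    return scanner, browser, finished, replay
```

In the relaxed mode, anything holding the request_uri can dereference it again until completion or expiry, so the lifetime should stay short and the client binding check must remain in place.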

6.   Next Call

Next call will be a Pacific call. Next Pacific call will be in two weeks (1-12-2024 @ 5pm PST) UTC - 1-13-2024 1:00 AM.