FAPI WG Agenda & Meeting Notes (2023-12-20)

The meeting was called to order at 14:04 UTC.

1.   Roll Call (Nat)

  • Attendees: Robert Gallager, Nat Sakimura, Kosuke Koiwai, Peter Wallach, George Fletcher, Peter Stanley, Dave Tonge, Mark Andrus, Domingos Creado, Victor Lu, Bjorn Hjelm
  • Regrets: Mike L., Joseph

4.   External Orgs & Liaisons

4.2.   CAMARA Project (Bjorn)

Issue #632 - Security profile for CAMARA

Reached out to Camara leadership about doing a presentation.

Proposal to do a FAPI update on Dec. 20 at 15:00 UTC in a 20-minute slot. Nat intends to attend but will reach out to Dave as well, as he would be more alert at that hour. From the certification team, Mike L. and Domingos will be there.

They are interested in certification profiles as well.

4.3.   Open Finance Brazil

Joseph and the team are working to have new profile tests in production later this week.

5.   Issues & PRs (Nat)

5.1.   PRs

  • PR #442 - improve wording around which grant and response types are supported
    • Linked issue #577 - FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
    • Reviewed and it looks good except for missing back ticks. It will be merged once this is fixed.
  • PR #440 - add text about clock skew
    • Linked issue #603 - Require servers to allow for clock skew
    • Merged
  • PR #453 - editorial: make shall only consistent
    • Linked issue #631 - shall vs shall only
    • Changed to “Shall only support confidential clients”
    • Merged

5.2.   Issues:

5.2.1.   one-time use of request_uri causing error

It was found in Australia that strict one-time use of the request_uri returned by PAR causes errors in some browser-to-app interactions.

A combination of browser and virus checker was following the authorization URL and consuming the request_uri before the client's own user agent presented it to the authorization server, so the real request was rejected as a replay.

May need some guidance regarding relaxing the strict one-time use of the PAR request_uri.

Wording from PAR:

Authorization servers SHOULD treat request_uri values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent.

https://www.rfc-editor.org/rfc/rfc9126.html#section-4

Relaxing one-time use may be dangerous but might be practical.

May write an implementation note advising that these situations can arise.

Dima is going to open the issue. We are going to reach out to the Stuttgart team to find out whether relaxing it would be a show-stopper.
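As an added illustration (not code from the working group or from any FAPI implementation), the Python below sketches the authorization-server side of the discussion: a request_uri store that enforces the strict one-time use the group currently expects, beside the relaxed behaviour RFC 9126 permits with its "MAY allow for duplicate requests". The store binds the request_uri to the client_id that pushed it and kills it once an authorization code is issued; the 10-second grace window, the fake clock, and the sample pushed request (client_id and PKCE values taken from the RFC examples) are assumptions made for the example, not anything the RFC or the notes specify.

```python
"""Strict vs. relaxed one-time use of a PAR request_uri (RFC 9126, Section 4).

Illustrative authorization-server store, not code from any FAPI implementation.
A caller-supplied clock keeps the grace-window behaviour deterministic.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Prefix RFC 9126 Section 2.2 requires for request_uri values minted by PAR.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class RequestUriError(Exception):
    """Carries the OAuth error code the authorization endpoint would return."""


@dataclass
class PushedRequest:
    client_id: str
    params: Dict[str, str]
    expires_at: float
    first_used_at: Optional[float] = None   # set on the first authorization request


class RequestUriStore:
    def __init__(self, clock: Callable[[], float], lifetime: float = 60.0,
                 allow_duplicates: bool = False, grace: float = 10.0) -> None:
        # allow_duplicates and grace are assumed policy knobs for the RFC's
        # "MAY allow for duplicate requests"; the RFC fixes no window itself.
        self._clock = clock
        self._lifetime = lifetime
        self._allow_duplicates = allow_duplicates
        self._grace = grace
        self._entries: Dict[str, PushedRequest] = {}

    def push(self, client_id: str, params: Dict[str, str]) -> str:
        """PAR endpoint: store the pushed request, return an opaque request_uri."""
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[request_uri] = PushedRequest(
            client_id=client_id, params=dict(params),
            expires_at=self._clock() + self._lifetime)
        return request_uri

    def consume(self, request_uri: str, client_id: str) -> Dict[str, str]:
        """Authorization endpoint: resolve request_uri or raise invalid_request_uri."""
        entry = self._entries.get(request_uri)
        now = self._clock()
        if entry is None or now >= entry.expires_at or entry.client_id != client_id:
            # Unknown, expired, or presented with a client_id other than the pusher's.
            raise RequestUriError("invalid_request_uri")
        if entry.first_used_at is None:
            entry.first_used_at = now          # strict one-time use: first caller wins
            return dict(entry.params)
        # Second presentation: tolerated only in relaxed mode and within the grace
        # window (a prefetch or page reload), never after the code has been issued,
        # because complete() removes the entry and the lookup above fails.
        if self._allow_duplicates and now - entry.first_used_at <= self._grace:
            return dict(entry.params)
        raise RequestUriError("invalid_request_uri")

    def complete(self, request_uri: str) -> None:
        """Call when the authorization code is issued; the request_uri is dead after this."""
        self._entries.pop(request_uri, None)


def prefetch_scenario(allow_duplicates: bool, browser_delay: float = 2.0) -> Dict[str, bool]:
    """Replays the reported failure: a link scanner follows the authorization URL
    first, the real browser arrives browser_delay seconds later, and a third hit
    comes after the code has been issued. Returns which presentations were accepted."""
    now = [1000.0]                                   # constructed fake clock
    store = RequestUriStore(clock=lambda: now[0], allow_duplicates=allow_duplicates)
    client_id = "s6BhdRkqt3"                         # sample client_id (RFC example value)
    pushed = {"response_type": "code", "redirect_uri": "https://client.example/cb",
              "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
              "code_challenge_method": "S256", "scope": "openid"}
    request_uri = store.push(client_id, pushed)

    def attempt() -> bool:
        try:
            return store.consume(request_uri, client_id) == pushed
        except RequestUriError:
            return False

    prefetcher = attempt()            # virus checker / link scanner consumes it first
    now[0] += browser_delay
    browser = attempt()               # the user's real user agent
    store.complete(request_uri)       # AS issues the authorization code
    now[0] += 1.0
    after_code = attempt()            # any later presentation must fail
    return {"prefetcher": prefetcher, "browser": browser, "after_code": after_code}
```

In strict mode the scanner's hit wins and the real browser is rejected, which is the error reported from Australia; in relaxed mode the browser succeeds as long as it arrives within the grace window, while a presentation after the window, by another client_id, or after the code has been issued still fails. The window is the security trade-off the notes call dangerous but practical: it lets a party who observes the authorization URL within those seconds obtain the same pushed parameters, which is why it should be short and why the entry must be destroyed as soon as a code is issued.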

6.   AOB (Nat)

  • We will have a call on Dec. 20.
  • Calls on Dec. 27 and the week after are cancelled.

The meeting adjourned at 14:55.