fapi / FAPI_Meeting_Notes_2024-01-10_Atlantic

FAPI WG Agenda & Meeting Notes (2024-01-10)

The meeting was called to order at 14:04 UTC.

1.   Roll Call (Nat)

  • Attendees: Mike Leszcz, Dave Tonge, Brian Campbell, Lukasz Jaromin, Chris Michael, Filip Skokan, Peter Wallach, Kosuke Kowai, Joseph Heenan
  • Regrets:

3.   Events (Mike L.)

3.1.   OIDF Hybrid Workshop in Tokyo

Tokyo, Japan on Thursday, January 18, 2024

https://openid.net/registration-oidf-workshop-tokyo-2024/

In-person registration is full; virtual attendance is still available.

4.   External Orgs & Liaisons (Mike L.)

4.1.   Open Finance Brasil

Standardizing on a single profile. Open for a few banks and RPs for testing purposes. If it goes well, it will be open to the public.

5.   FAPI 2.0 Issues (Dave/Nat)

To finish the draft off, we need to close the loose ends.

5.1.   ID Token Encryption

#659 - No normative statement on id_token encryption

  • Fix the table by just saying no ID Token in the front channel.
  • Table is intended to be informative.
  • Certified implementations may not be interoperable due to differences in support for ID Token encryption.
  • Too restrictive to prohibit encryption.
  • Limits the use of FAPI as a baseline for other profiles.
  • For migration from FAPI 1 to FAPI 2, encryption needs to be disabled.
  • May want the certification test to fail for implementations returning encrypted ID Tokens.
  • Not prohibiting encryption would mean that certification tests will need to accept encrypted ID Tokens.
  • Add some text regarding interoperability problems if encrypted ID Tokens are returned.
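The interoperability point above turns on whether a returned id_token is a signed JWT (JWS) or an encrypted one (JWE): a relying party or certification harness that only handles JWS cannot even read the claims of a JWE without the recipient's private key. The following is an added example, not code from the FAPI WG or the conformance suite, showing how such a check can distinguish the two compact serializations from the JOSE header and part count. The sample tokens, the `check_id_token_interop` name and its result dictionary are constructed for illustration.

```python
"""Added example (not from the FAPI WG): classify an id_token as JWS or JWE and
flag encrypted ID Tokens the way a conformance check discussed above might."""
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws_sample() -> str:
    """Constructed signed ID Token shape (signature bytes are a placeholder)."""
    header = _b64url(json.dumps({"alg": "PS256", "kid": "sig-key-1"}).encode())
    claims = _b64url(json.dumps({"iss": "https://as.example", "aud": "client-1",
                                 "sub": "user-1"}).encode())
    return f"{header}.{claims}.{_b64url(b'placeholder-signature')}"


def make_jwe_sample() -> str:
    """Constructed encrypted ID Token shape: five parts, header carries 'enc'."""
    header = _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM",
                                 "kid": "enc-key-1"}).encode())
    return ".".join([header, _b64url(b"encrypted-key"), _b64url(b"iv"),
                     _b64url(b"ciphertext"), _b64url(b"tag")])


def classify_jose(token: str):
    """Return ("JWS"|"JWE", header) from the compact serialization alone."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("not a JOSE compact serialization") from exc
    if len(parts) == 5 and "enc" in header:
        return "JWE", header
    if len(parts) == 3 and "enc" not in header:
        return "JWS", header
    raise ValueError(f"malformed JOSE object with {len(parts)} parts")


def check_id_token_interop(token: str, allow_encrypted: bool = False) -> dict:
    """Hypothetical conformance-style check: fail on a JWE unless explicitly allowed."""
    kind, header = classify_jose(token)
    if kind == "JWE" and not allow_encrypted:
        return {"result": "fail", "kind": kind,
                "reason": (f"ID Token is encrypted (alg={header['alg']}, enc={header['enc']}); "
                           "clients without the matching decryption key cannot process it")}
    return {"result": "pass", "kind": kind}


if __name__ == "__main__":
    for sample in (make_jws_sample(), make_jwe_sample()):
        print(check_id_token_interop(sample))
```

The check only inspects structure; it deliberately does not verify the signature, because the interoperability question raised in the meeting is whether the token can be processed at all, not whether it is valid.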

5.2.   TLS connections in Security Profile

Reported by Axel Nenker on the mailing list - https://lists.openid.net/pipermail/openid-specs-fapi/2024-January/003003.html

Suggested

"All TLS connections between web browsers, clients, authorization servers, and resource servers shall be protected against network attackers."

should read

"All network connections between web browsers, clients, authorization servers, and resource servers shall be protected against network attackers."

Joseph stated that the suggestion would be wrong.

6.   Other Issues & PRs (Dave/Nat)

6.1.   PRs

  • #454 - add text around enforcement of one-time use of request_uri
    • #635 - one-time use of request_uri causing error
    • https://bitbucket.org/openid/fapi/pull-requests/454
    • Request objects and JAR have been in use for years; why did this problem surface now?
    • But one-time use of JAR was not a requirement and was not tested.
    • The PAR requirement is more stringent than JAR.
    • The problem may arise because the link containing the request_uri is being rendered somewhere.
    • Could also be some proxy that is preloading links.
    • The problem may be implementation-specific: something on the client side invalidates the request_uri.
    • Add note.
    • Dave will update.
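To make the discussion above concrete, here is an added example (not the FAPI WG's code and not part of PR #454) of an in-memory authorization server that issues a PAR request_uri and enforces its one-time use. It shows the failure mode the issue describes: a second resolution of the same authorization URL, whether from a link preview, a prefetching proxy, or a client-side retry, is rejected with invalid_request_uri. The class and method names, the fixed clock, the lifetime value and the error "reason" strings are assumptions for illustration; only the request_uri prefix comes from RFC 9126.

```python
"""Added example (not from the FAPI WG): one-time use enforcement of a PAR request_uri."""
import secrets
import time

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix defined by RFC 9126
REQUEST_URI_LIFETIME = 60  # seconds; constructed value for the example


class AuthorizationServer:
    """Constructed in-memory model of the AS side of PAR (not a real server)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}  # request_uri -> {client_id, params, expires_at, consumed}

    def par_endpoint(self, client_id: str, params: dict) -> dict:
        """Pushed Authorization Request: store the parameters, return a fresh reference."""
        ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[ref] = {
            "client_id": client_id,
            "params": dict(params),
            "expires_at": self._clock() + REQUEST_URI_LIFETIME,
            "consumed": False,
        }
        return {"request_uri": ref, "expires_in": REQUEST_URI_LIFETIME}

    def authorization_endpoint(self, client_id: str, request_uri: str) -> dict:
        """Resolve a request_uri exactly once; reject reuse, expiry and client mismatch."""
        entry = self._store.get(request_uri)
        if entry is None:
            return {"error": "invalid_request_uri", "reason": "unknown"}
        if entry["consumed"]:
            # This branch is what a prefetching proxy or link preview triggers:
            # the first fetch consumed the reference, the user's real visit fails.
            return {"error": "invalid_request_uri", "reason": "already used"}
        if self._clock() > entry["expires_at"]:
            return {"error": "invalid_request_uri", "reason": "expired"}
        if entry["client_id"] != client_id:
            return {"error": "invalid_request_uri", "reason": "client mismatch"}
        # Mark consumed before acting on the parameters. A real deployment needs an
        # atomic compare-and-set in a shared store so two concurrent fetches cannot both succeed.
        entry["consumed"] = True
        return {"ok": True, "params": entry["params"]}


def demo():
    """Constructed run: PAR, first use succeeds, a second use and an expired one fail."""
    now = [1_700_000_000.0]  # fixed clock so the expiry case is deterministic
    server = AuthorizationServer(clock=lambda: now[0])
    pushed = server.par_endpoint("client-1", {"response_type": "code", "scope": "openid",
                                              "redirect_uri": "https://client.example/cb"})
    first = server.authorization_endpoint("client-1", pushed["request_uri"])
    second = server.authorization_endpoint("client-1", pushed["request_uri"])
    late = server.par_endpoint("client-1", {"response_type": "code"})
    now[0] += REQUEST_URI_LIFETIME + 1
    expired = server.authorization_endpoint("client-1", late["request_uri"])
    return first, second, expired


if __name__ == "__main__":
    for label, result in zip(("first use", "second use", "expired"), demo()):
        print(f"{label}: {result}")
```

The "already used" check is evaluated before the expiry check so that a reused reference produces the same error whether or not it has also expired; that matters for diagnosing the reports in #635, where the visible symptom is the error on the user's genuine visit rather than on the prefetch that consumed the reference.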

6.2.   Issues:

  • #657 - Fix sentence fragments
    • Attacker description contains sentence fragments

7.   AOB (Nat)

  • Elections for 2024 Community Representative
    • All members in good standing may vote
  • 2 corporate representative seats are available
    • Candidate statements and election details have been sent to corporate members

The meeting adjourned at 14:__.
