fapi / FAPI_Meeting_Notes_2024-03-27_Atlantic
FAPI WG Agenda & Meeting Notes (2024-03-27)
- Date & Time: 2024-03-27 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
The meeting was called to order at 14:05 UTC.
1. Roll Call (Dave)
- Attendees: Mike Leszcz, Nat Sakimura, Peter Wallach, Robert Gallagher, Filip Skokan, Marko Milich, Peter Stanley, Daniel Fett, Jacob Ideskog, Kosuke Koiwai, Takahiko Kawasaki, Dave Tonge, Dima Postnikov, Gail Hodges, Bjorn Hjelm
- Regrets:
2. Adoption of agenda (Dave)
- nonce
- CIBA and Decoupled Flow
3. Events (Mike L.)
3.1. OAuth Security Workshop
Rome, April 10-12
All details here: https://oauth.secworkshop.events/osw2024
The certification team is meeting on Monday and Tuesday.
Tuesday meeting will discuss certification with Federation editors for the federation spec.
May also discuss ConnectID with Dima.
3.2. OIDF Workshop at Google
On Monday, April 15th in Sunnyvale. Registration is now open and required: https://openid.net/registration-oidf-workshop-monday-april-15-2024/
3.3. The OpenID Foundation DCP working group
The WG is hosting a hybrid meeting on Friday, April 19, 2024 after IIW Spring 2024. The meeting will allow for in-person and virtual participation and will be hosted at Google in Sunnyvale, CA (address and meeting room to be confirmed).
Registration is only required if you are attending in person; please register if you plan to participate in person so the organizers can plan accordingly.
3.4. Identiverse
May 28-31, Las Vegas
OIDF has a meeting room available for use for the duration of the event
Any working groups wanting to hold a F2F meeting should contact Mike Leszcz to coordinate.
FAPI WG will hold F2F
Identiverse agenda has been announced on the website
3.5. OIDF Calendar
OIDF calendar on website is current: https://openid.net/calendar/
4. External Orgs & Liaisons (Mike L.)
4.1. EU Large Scale Pilot
The Large Scale Pilot POTENTIAL will hold a briefing on April 3, 2024 at 15:00 CET on the interop event, which the OIDF DCP WG and certification team are supporting for OID4VP / OID4VCI
Still accepting participants, but an Excel form is required
Details available at https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20240325/000231.html
4.2. ISO PAS Spec Process
Working on progressing the publicly available specs (PAS) process for FAPI 1 and 2.
Need someone to contract for the work to prepare reports for the ISO process.
Interested parties contact Gail.
https://lists.openid.net/pipermail/openid-specs-fapi/2024-March/003077.html
4.3. OF & OPIN Brasil
Continuing to process a high volume of Brazil OF and OPIN recertification requests
4.4. UAE
Received initial specs for security and authorization standards
Joseph and Mike will discuss
Will connect with the Raidiam and Ozone teams after reviewing them
Will provide an update at the April 15 board meeting at Google
4.5. Certification Program
There is no DPoP certification available for FAPI 2.0 to date
Will provide update on mailing list
Certification team is looking for a Java developer to join team
https://openid.net/certification-program-recruiting-java-developer/
Interested parties should contact Mike or Joseph
4.6. ISO/IEC JTC 1/SC 27/WG 5
- Liaison statement is to be sent.
- Informed them that FAPI 2 is close to final. The FAPI 2.0 drafts themselves weren't sent because of their draft status, but links to them have been sent.
- Also mentioned that it is being adopted in some jurisdictions, with a growing number of implementations and certifications
4.7. CIBA and Decoupled Flow (Jacob)
Some banks, especially in Sweden, are changing the way they allow sessions to be started to authenticate using BankID, to mitigate fraud
Many TPPs have used decoupled flows in apps to integrate with the banks using CIBA
Authentication request IDs and tokens can be and are phished a lot
This is being restricted by the eID vendor, so the auto start token needs to be presented to the TPP
There is no way to communicate this using CIBA without breaking the standard
Need ways to mitigate this
Need some way for CIBA to communicate the token to the client
Starting an app is outside the scope of the spec
Could possibly send a nonce or other information from the TPP app to CIBA to put into the authentication request
Will file an issue for discussion
PSD2 is vague on decoupled flow
It would be good to add the app-to-app recommendation to the Implementation Guidelines doc
5. PRs (Dave)
5.1. 481 - add requirement for PKCE challenge
https://bitbucket.org/openid/fapi/pull-requests/481
Related to #682 - Clarify allowed use of state and required CSRF protection in FAPI 2.0 SP
Proposed text: "shall generate the PKCE challenge specifically for each authorization request and securely bind the challenge to the client and the user agent in which the flow was started"
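As an added illustration of the binding the proposed text asks for (this is not code from the PR, the FAPI specification or the conformance suite), the following Python sketch generates a fresh PKCE verifier for every authorization request and keeps it, together with the state and nonce, in a server-side store keyed by the browser session that started the flow; on the redirect back, the verifier is released only to that same session and only once. The store class, the session identifiers and the `demo()` walk-through are hypothetical; the verifier/challenge construction follows RFC 7636 and is checked against that RFC's own test vector.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Tuple

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Fresh, high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires a verifier of 43 to 128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthzRequestStore:
    """Hypothetical server-side store for a confidential client.

    Each pending authorization request is keyed by its state value and records
    the browser session (e.g. the session cookie id) that started the flow, so
    the verifier is only ever released to that same user agent, and only once.
    """

    def __init__(self) -> None:
        # state -> (session_id, code_verifier, nonce)
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def begin(self, session_id: str, client_id: str, redirect_uri: str) -> Dict[str, str]:
        """Build the authorization request parameters for one new flow."""
        verifier = make_code_verifier()      # a new verifier for every request
        state = secrets.token_urlsafe(32)    # opaque lookup key, bound to the session below
        nonce = secrets.token_urlsafe(32)    # ID token replay protection
        self._pending[state] = (session_id, verifier, nonce)
        return {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "response_type": "code",
            "code_challenge": s256_challenge(verifier),
            "code_challenge_method": "S256",
            "state": state,
            "nonce": nonce,
        }

    def complete(self, session_id: str, returned_state: str) -> Tuple[str, str]:
        """Called on the redirect back; returns (verifier, nonce) for the token request.

        Rejects unknown or already-used state values, and state values that were
        issued to a different browser session (an authorization response injected
        into the victim's session, or the victim's response replayed in the
        attacker's session).
        """
        entry = self._pending.get(returned_state)
        if entry is None:
            raise PermissionError("unknown or already-used state")
        bound_session, verifier, nonce = entry
        if not hmac.compare_digest(bound_session, session_id):
            raise PermissionError("state was issued to a different user agent")
        del self._pending[returned_state]    # single use
        return verifier, nonce


def demo() -> Dict[str, object]:
    """Walk through a legitimate flow plus two abuse attempts; returns the outcomes."""
    store = AuthzRequestStore()
    params = store.begin("sess-A", "client-1", "https://rp.example/cb")

    # A callback carrying sess-A's state arrives in a different browser session.
    try:
        store.complete("sess-B", params["state"])
        cross_session = "accepted"
    except PermissionError:
        cross_session = "rejected"

    # The originating session completes and obtains the matching verifier.
    verifier, nonce = store.complete("sess-A", params["state"])

    # The same state presented a second time is refused.
    try:
        store.complete("sess-A", params["state"])
        replay = "accepted"
    except PermissionError:
        replay = "rejected"

    return {
        "cross_session": cross_session,
        "replay": replay,
        "challenge_matches": s256_challenge(verifier) == params["code_challenge"],
        "nonce_matches": nonce == params["nonce"],
    }


if __name__ == "__main__":
    print(demo())
```

In a real client the session id would come from an HttpOnly session cookie and the store from the session backend; the point of the proposed text is that the verifier lookup is keyed on something the returning user agent actually holds, not on the state value alone.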
5.2. 474 - Fixing #638 - Add some more text to Introduction
https://bitbucket.org/openid/fapi/pull-requests/474
Updated PR from feedback
Dima will review
5.3. 475 - First draft for MTLS ecosystems
https://bitbucket.org/openid/fapi/pull-requests/475
Dima reviewed feedback
Need to check with Joseph to standardize response to Ralph
6. Issues (Dave)
6.1. nonce discussion (Peter)
https://bitbucket.org/openid/fapi/issues/674/length-of-nonce-tested-in-op-conformance
Peter discussed the proposed state and nonce values with TDA in the UK
Had feedback regarding using a JWT as the state value and whether 512 characters is enough
Lengths up to 512 must be accepted; longer values may be rejected
Not enough to support JWT values, especially with RSA signatures
Some security platforms may have limits on value lengths
Defining an arbitrary length is pointless and may cause more harm
The conformance suite tests for lengths, but it would be preferable for the tests to be covered by normative text
Tests issue a warning, but guidance is wanted to aid implementations and ecosystems
Need further discussion and feedback
Related PRs:
https://bitbucket.org/openid/fapi/pull-requests/481
https://bitbucket.org/openid/fapi/pull-requests/474
https://bitbucket.org/openid/fapi/pull-requests/476
The merged PR for state and nonce value length is among those linked above.
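To make the length discussion in 6.1 concrete, the following Python is an added example (not from the issue, the PRs or the conformance suite). It estimates the compact-JWS size of a JWT used as the state value for several signature algorithms without actually signing anything, which is enough to see why an RSA-signed state does not fit in 512 characters while an ECDSA-signed one does, and it encodes the OP-side rule that values up to 512 characters must be accepted while longer ones may be rejected. The claim set, the 2048-bit RSA key size and the `op_decision` helper are assumptions made for the illustration.

```python
import json

# Minimum state/nonce length an OP must accept, per the discussion above.
MIN_ACCEPTED_LENGTH = 512


def signature_bytes(alg: str, rsa_bits: int = 2048) -> int:
    """Raw JWS signature size in bytes; RSA signatures are as long as the modulus."""
    if alg in ("RS256", "PS256"):
        return rsa_bits // 8
    if alg in ("ES256", "EdDSA"):
        return 64  # r||s for P-256, or an Ed25519 signature
    raise ValueError(f"unsupported alg {alg}")


def b64url_len(n_bytes: int) -> int:
    """Length of the unpadded base64url encoding of n_bytes (ceil(4n/3))."""
    return -(-4 * n_bytes // 3)


def compact_jws_length(claims: dict, alg: str, rsa_bits: int = 2048) -> int:
    """Size of header.payload.signature for a JWT carrying these claims.

    Only the sizes are computed; no key material or signing is involved.
    """
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return (b64url_len(len(header)) + 1
            + b64url_len(len(payload)) + 1
            + b64url_len(signature_bytes(alg, rsa_bits)))


# Constructed claims for a JWT-as-state: issuer, timestamps and a 43-character CSRF token.
EXAMPLE_STATE_CLAIMS = {
    "iss": "https://rp.example",
    "iat": 1711548000,
    "exp": 1711548600,
    "csrf": "k7hN2q9ZpX1vL4wR8tY0uJ3mB6cD5fG2aS9eH1iO7nQ",
}


def state_length_budget() -> dict:
    """Compact-JWS length of the example state per algorithm, against the 512 floor."""
    return {
        alg: {"length": compact_jws_length(EXAMPLE_STATE_CLAIMS, alg),
              "fits_512": compact_jws_length(EXAMPLE_STATE_CLAIMS, alg) <= MIN_ACCEPTED_LENGTH}
        for alg in ("RS256", "PS256", "ES256")
    }


def op_decision(value: str, implementation_limit: int) -> str:
    """What a conforming OP may do with an incoming state or nonce value.

    implementation_limit is the OP's own maximum (hypothetical parameter). It may
    not be below 512, since values up to 512 characters must be accepted; above
    that the OP is free to accept or reject.
    """
    if implementation_limit < MIN_ACCEPTED_LENGTH:
        raise ValueError("an OP limit below 512 would reject values it must accept")
    if len(value) <= implementation_limit:
        return "accept"
    return "reject"  # permitted only because len(value) > MIN_ACCEPTED_LENGTH


if __name__ == "__main__":
    for alg, info in state_length_budget().items():
        print(alg, info)
    print(op_decision("a" * 512, 512), op_decision("a" * 600, 512))
```

With a 2048-bit RSA key the signature alone takes 342 base64url characters, so even the small claim set above pushes an RS256 or PS256 state to 534 characters, while the same claims signed with ES256 come to 278. An OP whose `implementation_limit` is exactly 512 is conformant and would still reject the RSA-signed state; that is the gap the TDA feedback is pointing at.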