
FAPI WG Agenda & Meeting Notes (2024-04-24)

The meeting was called to order at 14:05 UTC.

1.   Roll Call (Dave)

  • Attendees: Nat Sakimura, Joseph Heenan, Bjorn Hjelm, Filip Skokan, Mark Andrus, Peter Wallach, Rifaat Shekh-Yusef, Robert Gallagher, Dave Tonge, Kosuke Koiwai, Hideki Ikeda, Dima Postnikov
  • Regrets:

2.   Adoption of agenda (Dave)

  • Default agenda Adopted.

3.   Events (Mike L.)

OIDF Workshop at Google on Monday, April 15th in Sunnyvale – workshop recording and deck have been published: https://openid.net/presentations-media/

3.1.   Identiverse May 28-31 in Vegas

OIDF has a breakout room if the WG is interested in meeting

  • FAPI WG is confirmed for F2F meeting on Wednesday, May 29, 2024. Mike Leszcz sent a message to the FAPI mail list earlier today requesting those that plan to attend in person respond to that message. Virtual participants will use the standard FAPI WG Zoom session.

3.3.   OAuth WG

Interim meetings start on May 7, 12:00 Eastern on Tuesdays.

  • FedCM
  • Status attestation, Token Status List, Global Token Revocation
  • Proof issuer key authority
  • Update on OAuth 2.1

3.4.   OIDF Calendar

OIDF calendar on the website is slightly behind: https://openid.net/calendar/

4.   External Orgs & Liaisons (Mike L.)

4.1.   OF & OPIN Brasil

  • OFBR—The high volume of FAPI re-certification requests to meet central bank mandates/milestones continued. The certification team is doing an excellent job managing the increased volume.
  • OPIN – call today to confirm the transition to an updated single Brazil FAPI profile by May 1st.
    • Previously allowed lots of optionality
    • Simplified and now requires PAR, private key JWT, and ID Token encryption on both channels
    • Use DCM to transfer clients to the new profile

4.2.   UAE

  • Domingos leading the analysis of the draft FAPI profile with the Raidiam technical team.

4.3.   UIDAI

  • Unique Identification Authority of India – Gail, Joseph and Mark had a call to discuss how UIDAI may get involved with OIDF. Follow-up call next week to take a deeper dive into some of the OIDF specs and certification.

5.   PRs (Dave)

5.1.   483 - reworking the text around length of the state parameter

https://bitbucket.org/openid/fapi/pull-requests/483

Removed text regarding state parameter and kept nonce length requirements and interoperability note

There were some discussions, but eventually those on the call decided to merge it as is.

Conformance suite currently tests 384 length state

Had pushback since there is no requirement for AS to accept long state value.

AS either processes it correctly or returns an error

Will make the tests give warnings instead of failures
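The point raised under PR 483 is that an authorization server is not required to accept an arbitrarily long state value, but whatever it does, it must either process the value correctly (echo it back unchanged) or return an error; silently truncating or altering it is the failure mode the client must be able to detect. The following is an added illustration, not code from the FAPI WG, the conformance suite or the specification: a toy client that mints fresh state and nonce values, a toy AS that enforces an assumed maximum state length (the 384 figure comes from the minutes' mention of the conformance test, and MAX_STATE_LEN is a name chosen here), and a client-side callback check that rejects any response whose state does not match exactly.

```python
import secrets

# Assumed AS-side limit for illustration only; the spec text does not set one.
MAX_STATE_LEN = 384


def make_state(nbytes: int = 32) -> str:
    """Client side: fresh, unguessable state (URL-safe text, ~43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def make_nonce(nbytes: int = 32) -> str:
    """Client side: fresh, unguessable nonce to be bound into the ID token."""
    return secrets.token_urlsafe(nbytes)


def as_authorize(params: dict) -> dict:
    """Toy authorization server (constructed for this example).

    Takes the authorization request parameters and returns the parameters the AS
    would place on the redirect back to the client. The state is either processed
    correctly (echoed back byte-for-byte) or an OAuth error response is returned;
    it is never truncated or altered.
    """
    state = params.get("state")
    if state is not None and len(state) > MAX_STATE_LEN:
        # An OAuth error response carries the client's state back unchanged.
        return {
            "error": "invalid_request",
            "error_description": "state parameter exceeds the supported length",
            "state": state,
        }
    return {"code": secrets.token_urlsafe(24), "state": state}


def client_check_callback(expected_state: str, callback: dict) -> tuple:
    """Client side: reject any callback whose state is missing or differs from the
    value sent (a truncated or altered state fails this check), then surface AS
    errors. Comparison is constant-time to avoid leaking the expected value."""
    got = callback.get("state")
    if got is None or not secrets.compare_digest(expected_state.encode(), got.encode()):
        return (False, "state mismatch")
    if "error" in callback:
        return (False, "AS error: " + callback["error"])
    return (True, "ok")


def run_flow(state: str) -> tuple:
    """Drive one authorization round trip with the given state and return the
    client's verdict on the callback."""
    request = {
        "response_type": "code",
        "client_id": "example-client",  # constructed value
        "state": state,
        "nonce": make_nonce(),
    }
    callback = as_authorize(request)
    return client_check_callback(state, callback)


if __name__ == "__main__":
    print("normal state:", run_flow(make_state()))
    print("384-char state:", run_flow("x" * 384))
    print("385-char state:", run_flow("x" * 385))
    # A server that silently truncated the state would be caught here:
    print("truncated echo:", client_check_callback("abcdef", {"code": "c", "state": "abcde"}))
```

Both acceptable AS behaviours pass through the client check cleanly (an echoed state verifies; an error response is reported as an AS error with the state intact), while the unacceptable one, a mangled or shortened state, is the only case that trips the mismatch branch.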

6.   Issues (Dave)

6.1.   685 Use of TLS 1.2 Ciphers

#685

Waiting for Joseph to add some details on the certification suite before closing.

No change will be made to the spec

https://bitbucket.org/openid/fapi/pull-requests/383 is related.

Requirements on who enforces the cipher requirements

6.2.   688 Simplifying the usage of FAPI-CIBA and FAPI 2 profiles together

#688

Should mention FAPI CIBA as valid alternative to code flow

CIBA is referenced in Security Profile

CIBA lists FAPI2 requirements

Discuss further with Dima

6.4.   689 - FAPI + FedCM

#689

https://bitbucket.org/openid/fapi/issues/689/fapi-fedcm

Had a meeting with Sam at IIW.

Some browsers plan to deprecate link decoration embedded with tracking IDs

Tracking flow similar to OAuth so browsers plan to block it which will affect OAuth/OpenID Connect

W3C is using FedCM API to bypass redirections for SSO authentication

Possible PoC to mitigate the NASCAR issue using FedCM.

We should invite Sam Goto once the PoC is ready to discuss potential extensions to FedCM APIs.

Chrome has implemented FedCM. Apple plans to support it.

Possible to make enhancements more useful for open banking use cases.

Currently, not possible for apps to be an IDP

Helpful to make POC to help push for changes

FedCM is intended to provide a solution for the loss of 3rd party cookies, not the loss of link decorations.

Chrome has no plans to remove link decorations outright, so this problem may not need to be dealt with

Bounce tracking is easy to detect due to lack of interaction

Login flows have user interaction

Invite Sam for presentation with POC when ready

7.   AOB (Nat)

The meeting adjourned at 15:04.
