FAPI WG Agenda & Meeting Notes (2024-06-05)

The meeting was called to order at 14:05 UTC.

1.   Roll Call (Nat)

  • Attendees: Nat Sakimura, Peter Stanley (OBL), Chris Wood (Ozone), Dave Tonge, Charlie Greenhalgh (OBL), Filip Skokan, Mark Andrus, Rifaat Shekh-Yusef, Daniel Fett, Peter Wallach, Robert Gallagher, Hideki Ujeda, Dima Postnikov, Brian Campbell
  • Regrets:

2.   Adoption of agenda (Nat)

  • The default agenda was adopted.

5.   PRs (Dave)

5.1.   500 - Remove explicit reference to ciphers

  • PR #500
  • Avoid explicit list of supported ciphers and refer to BCP 195 instead
  • Joseph mentioned that this could be a breaking change between ID2 and Final
    1. “the banks that are compliant with ID2 are 99% likely not to be only allowing ciphers that are not compliant with final.”
    2. Call out changes in FAPI1 vs FAPI2 table
    3. Handle dependency on BCP 195 - Compliance can change based on BCP updates
  • Allow a one-year grace period to apply BCP updates, but the period may also depend on ecosystem regulators
  • BCP updates do not happen suddenly
  • Only impacts TLS 1.2 and the certification suite
  • As of writing, the PR is not a breaking change
  • If BCP changes, most likely it would be to remove a cipher
  • Need feedback from Joseph

5.2.   494 - issue 694: readability of refresh token rotation clause

  • PR #494
  • Clarify the situations in which the AS may still accept a previously issued refresh token
  • Ralph questioned how the AS can know that the client did not receive the new refresh token because of a network error
  • Suggested keeping the last two refresh tokens alive, but that may be too normative about implementation details
  • Note 2 already suggests that the AS allow the use of the previous refresh token
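
An added example (not code from the FAPI WG, the specification, or any AS implementation) of the "keep the last two refresh tokens alive" suggestion discussed above: on each refresh the AS rotates the token but keeps the previous one usable for a short grace window, so a client that never received the rotation response can retry with the token it still holds and be given the current one again. Presenting any older token, or the previous one after the window, is treated as a replay and revokes the whole grant. The class, its method names and the 60-second window are assumptions made for the example.

```python
"""Refresh token rotation with a grace window for the previous token.

Hypothetical AS-side logic written for this example; not the spec's
normative text and not any product's implementation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Grant:
    current: str                      # the only token expected on the next refresh
    previous: Optional[str] = None    # kept usable briefly in case the client lost the response
    previous_expires: float = 0.0     # end of the grace window for `previous`
    revoked: bool = False


class RefreshTokenStore:
    """Minimal per-grant state for refresh token rotation (assumed API)."""

    def __init__(self, grace_seconds: int = 60,
                 now: Callable[[], float] = time.time) -> None:
        self.grace_seconds = grace_seconds
        self.now = now                              # injectable clock for testing
        self.grants: Dict[str, Grant] = {}          # grant_id -> Grant
        self.token_index: Dict[str, str] = {}       # every token ever minted -> grant_id

    def _mint(self, grant_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.token_index[token] = grant_id          # remembered so later reuse is detectable
        return token

    def issue(self) -> str:
        """Create a new grant, e.g. after the authorization code exchange."""
        grant_id = secrets.token_urlsafe(8)
        token = self._mint(grant_id)
        self.grants[grant_id] = Grant(current=token)
        return token

    def refresh(self, presented: str) -> Optional[str]:
        """Handle a refresh_token grant.

        Returns the refresh token the client should use next, or None when
        the request must be rejected (invalid_grant).
        """
        grant_id = self.token_index.get(presented)
        if grant_id is None:
            return None                             # never issued by this AS
        grant = self.grants[grant_id]
        if grant.revoked:
            return None
        if presented == grant.current:
            # Normal rotation: the old token stays valid only for the grace window.
            grant.previous = grant.current
            grant.previous_expires = self.now() + self.grace_seconds
            grant.current = self._mint(grant_id)
            return grant.current
        if presented == grant.previous and self.now() < grant.previous_expires:
            # The client most likely never received the response carrying
            # grant.current (network error): re-deliver it rather than rotate again.
            return grant.current
        # Any token two or more generations old, or the previous one after the
        # grace window, can only be a replay: revoke the whole grant.
        grant.revoked = True
        return None


if __name__ == "__main__":
    store = RefreshTokenStore()
    rt1 = store.issue()
    rt2 = store.refresh(rt1)
    print("retry with lost-response token re-delivers current:", store.refresh(rt1) == rt2)
    rt3 = store.refresh(rt2)
    print("two-generations-old token is rejected:", store.refresh(rt1) is None)
    print("and the grant is revoked:", store.refresh(rt3) is None)
```

The grace window is a trade-off: a refresh token stolen in transit can be redeemed within it, so it should be as short as the expected retry behaviour of clients allows, and the reuse-revocation branch is what bounds the damage once the window has closed.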

5.4.   497 - editorial: attempt to improve readability of the clock skew clause

  • PR #497
  • Need to fix typos
  • Replace time with timestamp
  • Hideki:
    • Are JWTs with iat = current time + 60s rejected or accepted?
    • According to note 4, they could be accepted. However, the main clause seems to reject them.
    • I believe those JWTs will be rejected. If so, I think we can modify the wording of note 4.
    • Note 4 says “up to a maximum of 60 seconds” is acceptable. I thought current time + 60s seems to be OK.
  • The PR allows a maximum of 60 seconds
  • Will modify the wording to “iat + 60 seconds”
  • There is a discrepancy: the main text rejects tokens with an iat “60 seconds or more in the future”, while the PR says “up to a maximum of 60 seconds in the future” is acceptable, so the two disagree on the boundary case of exactly 60 seconds
  • Dave will update
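
To make the boundary case concrete, here is an added example (not code or text from the FAPI spec or PR #497) of an iat check with a 60-second future tolerance, written both ways: `inclusive=True` reads the clause as "up to a maximum of 60 seconds" (iat = now + 60 accepted) and `inclusive=False` reads it as "60 seconds or more in the future is rejected". The constructed JWT fixture is unsigned and exists only so the check runs on a realistic input; the function names are assumptions made for the example.

```python
"""Clock-skew tolerance for the JWT `iat` claim, exercised at the boundary.

Example code written for these notes; not the specification's text.
"""
import base64
import json
from typing import Any, Dict, List, Optional, Tuple

MAX_IAT_FUTURE_SECONDS = 60   # tolerance named in the clause under discussion


def iat_in_acceptable_range(iat: float, now: float,
                            max_future: int = MAX_IAT_FUTURE_SECONDS,
                            inclusive: bool = True) -> bool:
    """inclusive=True:  accept iat <= now + max_future ("up to a maximum of 60 s").
    inclusive=False: reject iat >= now + max_future ("60 s or more in the future")."""
    if inclusive:
        return iat <= now + max_future
    return iat < now + max_future


def reject_reason(claims: Dict[str, Any], now: float,
                  inclusive: bool = True) -> Optional[str]:
    """Return None if the time-related claims are acceptable, else why not."""
    iat = claims.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        return "iat missing or not a NumericDate"
    if not iat_in_acceptable_range(iat, now, inclusive=inclusive):
        return (f"iat is {iat - now:.0f} s in the future, beyond the "
                f"{MAX_IAT_FUTURE_SECONDS} s tolerance")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and not isinstance(exp, bool) and exp <= now:
        return "token expired"
    return None


def boundary_table(now: float) -> List[Tuple[int, bool, bool]]:
    """For offsets around the limit: (offset, accepted_inclusive, accepted_exclusive).
    Only the +60 row differs between the two readings of the clause."""
    return [(d,
             iat_in_acceptable_range(now + d, now, inclusive=True),
             iat_in_acceptable_range(now + d, now, inclusive=False))
            for d in (-1, 0, 59, 60, 61)]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed test fixture only: an unsigned compact JWS ("alg": "none").
    Never accept such tokens in a real deployment."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_unverified_payload(jwt: str) -> Dict[str, Any]:
    """Return the payload of a compact JWS WITHOUT checking the signature.
    A real AS/RS must verify the signature before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    now = 1_717_596_300                       # constructed "current time"
    for offset, inc, exc in boundary_table(now):
        print(f"iat = now{offset:+d}s  inclusive: {inc}  exclusive: {exc}")
    token = make_unsigned_jwt({"iat": now + 60, "exp": now + 600})
    claims = decode_unverified_payload(token)
    print("PR wording :", reject_reason(claims, now, inclusive=True))
    print("main text  :", reject_reason(claims, now, inclusive=False))
```

Whichever reading the final text settles on, implementers should treat the comparison operator (`<=` versus `<`) as part of the conformance requirement, since it is exactly the case the certification suite can probe.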

5.5.   496 - remove grant management and other non final specs

  • PR #496
  • OAuth 2.0 is already mentioned in another paragraph
  • The idea is to state that the best practices are implemented
  • Explicitly refer to Section 2 of the Security Best Current Practice document and state that all of it is implemented
  • Double-check other places where the BCP is mentioned

5.6.   493 - typ in request objects

  • PR #493
  • The JWT BCP recommends using typ, but it is unclear whether typ should be used or defined for newly defined JWTs such as request objects
  • The typ parameter has caused interoperability issues because of mismatches between client and server expectations
  • Need feedback from Joseph and Ralph

6.   Issues (Dave)

6.1.   689 - FAPI + FedCM

  • #689
  • The purpose is to raise awareness of FedCM and of how it and FAPI can interoperate
  • FedCM seems Chrome-focused and primarily works only with Google servers
  • Mozilla prefers that browsers stay out of the UI mediation role and only collect user consent for unblocking
  • Dima plans to give a demo of how it would work in an open banking ecosystem

7.   AOB

  • No other business raised

The meeting adjourned at 15:02.