FAPI WG Agenda & Meeting Notes (2024-06-19)
- Date & Time: 2024-06-19 14:00 UTC
- Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09
Agenda
- 1. Roll Call (Nat)
- 2. Adoption of agenda (Nat)
- 3. Events (Mike L.)
- 4. External Orgs & Liaisons (Mike L.)
- 5. PRs (Dave)
  - 5.1. 500 - Remove explicit reference to ciphers
  - 5.2. 497 - editorial: attempt to improve readability for clock skew clause
  - 5.3. 496 - issue-694 readability of refresh token rotation clause
  - 5.4. 502 - access token privilege restriction
  - 5.5. 503 - client impersonation
  - 5.6. 504 - initial attempt at CORS wording
- 6. Issues (Dave)
- 7. AOB
The meeting was called to order at 14:05 UTC.
1. Roll Call (Nat)
- Attendees:
- Regrets:
3. Events (Mike L.)
- None
5. PRs (Dave)
5.1. 500 - Remove explicit reference to ciphers
- https://bitbucket.org/openid/fapi/pull-requests/500/diff
- A separate issue now tracks the remaining question, so this PR can be merged.
5.2. 497 - editorial: attempt to improve readability for clock skew clause
- https://bitbucket.org/openid/fapi/pull-requests/497
- To be merged.
5.3. 496 - issue-694 readability of refresh token rotation clause
- https://bitbucket.org/openid/fapi/pull-requests/494
- Lukasz is going to look at the diff.
- Dave will reach out to Ralph and Lukasz offline to try to agree on acceptable language.
5.4. 502 - access token privilege restriction
- https://bitbucket.org/openid/fapi/pull-requests/502
- This PR tries to close one of the gaps between FAPI 2 and the OAuth Security Best Current Practice.
5.5. 503 - client impersonation
- https://bitbucket.org/openid/fapi/pull-requests/503/diff
- Just stating "influencing" is problematic from the point of view of the Federation spec.
- We need to add some qualifiers regarding the mix-up with the end-user subject identifier.
5.6. 504 - initial attempt at CORS wording
- https://bitbucket.org/openid/fapi/pull-requests/504/diff
- The Security BCP only talks about the authorisation endpoint, so the PR should not over-reach to other endpoints.
6. Issues (Dave)
6.1. 699 - FAPI 2 vs. Security BCP Gap Analysis
6.1.1. End-to-end TLS recommendation
- It was pointed out that it is not realistic to demand end-to-end TLS in the current environment.
- It is not testable by the conformance suite, either.
6.1.2. In-Browser communication
- Different views were expressed on whether or not to restrict in-browser communication.
- Perhaps a security consideration that defers to the Security BCP?