FAPI WG Agenda & Meeting Notes (2024-07-03)

Date & Time: 2024-06-26 14:00 UTC
Location: https://zoom.us/j/97456084642?pwd=bTRFVzk4ZmlRK1M3bEprRlN5c3JFZz09

Agenda

1. Roll Call (Nat)
2. Adoption of agenda (Nat)
3. Events (Mike L.)
- 3.1. OIDF Workshop
- 3.2. Working Group Meetings
- 3.3. IETF
- 3.4. 2025 Events
- 3.5. OIDF calendar
4. External Orgs & Liaisons (Mike L.)
5. Refresh Token Rotation Issue (694)
6. Review of PRs and Issues
7. Action Items
8. AOB

The meeting was called to order at 14:04 UTC.

1. Roll Call (Nat)

Attendees: * Nat Sakimura (Chair) * Lukasz Jaromin * Filip Skokan * Joseph Heenan * Michael Palage * Hideki Ikeda * Bjorn Hjelm * Joseph Heenan
Regrets: Mike L., Dave Tonge

2. Adoption of agenda (Nat)

Adopted as is.

3. Events (Mike L.)

3.1. OIDF Workshop

Monday, October 28 at Cisco Details to follow

3.2. Working Group Meetings

Monday and Friday of the IIW week.

3.3. IETF

July 20 - 26.

3.4. 2025 Events

Planning for 2025 events and update of OIDF calendar

Send 2025 events information to mike.leszcz@oidf.org

3.5. OIDF calendar

OIDF calendar on website is current: https://openid.net/calendar/

4. External Orgs & Liaisons (Mike L.)

N/A

5. Refresh Token Rotation Issue (694)

Issue ~~#694~~
Extensive discussion on whether to allow refresh token rotation and under what circumstances.
Lukasz presented 6 options, with debate focusing on options 1 (forbid rotation) vs 5/6 (allow occasional rotation).
Concerns raised about interoperability and existing implementations.
No consensus reached. Chair proposed to send out a vote on the mailing list for options 1 and 5.

6. Review of PRs and Issues

6.1. PR 502 (Access token privilege restriction):

Approved

6.2. PR 504 (CORS wording):

Approved pending no objections

6.3. PR 503:

Looks good, needs more review

6.4. Issue 702: Normative text within security considerations

Issue ~~#702~~. Discussed moving normative requirements out of security considerations section

For 6.4, it was proposed to move to subclause 5.4.
For 6.3, probably the same place.

6.5. Issue 696

Issue ~~#696~~ Need to update link to formal analysis for FAPI 2.0

6.6. Issue 684 Message Signing Discussion

(Issue ~~#684~~)

Debated how to address interoperability issues with content type headers for JARs
Need to balance compatibility with existing implementations vs. promoting best practices
No clear resolution - Filip requested more input on PR 493, especially from Joseph

7. Action Items

Nat to send out vote on refresh token rotation options to mailing list
Joseph to review and provide input on PR 493 (message signing)
Need volunteer to create PR for moving normative requirements from security considerations (Issue 702)
Update link to formal analysis for FAPI 2.0 (Issue 696)

8. AOB

No other business raised

The meeting adjourned at 14:56.

Wiki

fapi / FAPI_Meeting_Notes_2024-07-03_Atlantic