fapi / FAPI_Meeting_Notes_2024-07-17_Atlantic

FAPI Working Group Meeting Notes - July 17, 2024

  • Date: 2024-07-17
  • Location: Zoom

Attendees

  • Nat Sakimura
  • Mike Leszcz
  • Dima Postnikov
  • Filip Skokan
  • Lukasz Jaromin
  • Imran Ulghar
  • Dave Tonge
  • Aaron Parecki
  • Domingos Creado
  • Ralph Bragg
  • Mark Andrus

Agenda

  1. Roll call and agenda review
  2. Vote on refresh token rotation
  3. Updates from Mike on OIDF events and outreach
  4. Review of open PRs and issues
  5. Discussion on security considerations for FAPI2

Main Points

Refresh Token Rotation Vote

  • Extensive discussion on options for handling refresh token rotation in FAPI2
  • Three main options considered (option numbers as used in the discussion):
    1. Prohibit rotation completely
    5. Allow rotation, but with specific semantics defined
    6. Soft limit on rotation, allowing exceptions but not defining specific semantics
  • Consensus reached on Option 6
  • Dima tasked with drafting specific language for the specification

Key Discussion Points on Refresh Token Rotation

  • Concerns raised about impact on existing implementations and certification
  • Debate on testability of different options
  • Discussion on use cases for rotation (e.g. migration scenarios)
  • Agreement that rotation should not be used for general security purposes

OIDF Updates from Mike

  • Workshop planned for October 28th before IIW, details to be published in early August
  • Recent meetings with CFPB and Open Banking Canada
  • Continued engagement on FAPI1 vs FAPI2 questions

Open Issues

  • Brief discussion on Issue 704 regarding security considerations
  • Consensus to include security considerations in the main FAPI2 spec rather than a separate document

Action Items

  • Dima to draft specification language for refresh token rotation based on Option 6
  • Work to continue on security considerations section for FAPI2 spec

Next Meeting

Next week, same time
