fapi / FAPI_Meeting_Notes_2024-07-24_Atlantic

FAPI Working Group Meeting Summary

  • 2024-07-24
  • @ Zoom
  • Attendees:
    • Mike Leszcz
    • Filip Skokan
    • Joseph Heenan (OIDF & Authlete)
    • Dave Tonge
    • Daniel Fett
    • Peter Stanley (OBL)
    • Hideki Ikeda
    • Peter Wallach: Peter Wallach
    • Bjorn Hjelm: Bjorn Hjelm

1. Agenda and Updates

  • Upcoming OIDF workshop on October 28th before IIW
  • External organization engagement updates:
    • CFPB
    • Open Banking Canada
    • Chile
    • UAE
  • Certification testing for FAPI 2.0 and DPoP discussed

2. Main Discussion Topics

a) Refresh Token Rotation (PR 509)

  • Agreed on option 6: Allow rotation only for extraordinary circumstances
  • Debated wording to ensure proper testing and certification
  • Decided to update text to "shall not use refresh token rotation except for extraordinary circumstances"
  • Will finalize in next meeting after further review

b) Updating FAPI Working Group Description

  • Noted outdated description on openid.net
  • Discussed need to update charter and remove mention of JSON data schemas
  • Dave Tonge to draft updated text for review

c) Security BCP Reference (PR 496)

  • Discussed how strongly to reference the OAuth 2.0 Security BCP
  • Agreed to change wording from "implements" to "follows" recommendations
  • Will review and aim to merge in next meeting

3. Other Items

  • Brief mention of Chrome's decision to not deprecate third-party cookies
  • Request for review of issue 704 referencing a US cybersecurity report

4. Next Steps

  • Review and finalize PR 509 and PR 496 in next meeting
  • Dave Tonge to update working group description text
  • Members to review issue 704 for potential FAPI spec updates

The meeting focused on refining language in key documents and discussing certification processes, with an emphasis on collaborative decision-making and thorough review of proposed changes.
