[Openid-specs-fapi] Proposal to use DDA specification in FAPI

John Bradley jbradley at pingidentity.com
Mon Aug 22 14:48:08 UTC 2016

It is a debate that we keep having, mostly around backwards compatibility
and people wanting to send the access token as a parameter rather than in a

If we prohibit sending the AT as a query parameter, I am more than happy
with GET for read only.

John B.

On Aug 22, 2016 10:59 AM, "Luis SAIZ GIMENO via Openid-specs-fapi" <openid-specs-fapi at lists.openid.net> wrote:


Maybe it's not a subject for this list, but the use of POST to "get" info
sounds odd to me. In order to be more consistent with REST APIs and to
avoid mistakes in authorization rules/scopes, I think GET should be used
for read-only operations and POST (PUT/DELETE) for write operations
("transfer" scope).

The use of GET vs POST for security reasons dates from the early HTTP RFC,
when TLS was uncommon (HTTP predates TLS). Nowadays, and even more so in a
financial scenario, all transfers must be done under TLS, so no
sensitive info can be leaked in proxies. Web servers have access to the full
info regardless of GET/POST; it is a server-side responsibility to configure
web server audit logs so that they do not log sensitive information.

Recommendations of W3C:


BTW, HEART WG explicitly refers to RESTful APIs but FAPI doesn't. Should we
consider and discuss it?



"Crypto can't create trust. It merely automates the trust that already
exists for other reasons" -- John Gilmore

2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com>:

> Hello All,
> The FS-ISAC working group ratified a solution that will replace credential-
> based aggregation of data via screen scraping of bank websites with OAuth 2.x
> & DDA (Durable Data API).
> Recommendation for the OpenID FAPI working group to use the Durable Data API as
> a base, which defines various entity definitions (such as Account,
> transactions, etc.).
> These entities are returned under the scope of the OAuth token.
> Note: See attachment for the detailed DDA specification.
> Thanks,
> Anoop Saxena
> Architect
> Intuit | simplify the business of life (tm)
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi



Luis Saiz Gimeno

Innovation in Security

Mobile +34 609703264 - Tel. +34 918073152 - luis.saiz at bbva.com

Engineering - Architecture & Global Deployment – Monforte de Lemos, s/n,

Maps: https://www.google.es/maps/place/Av.+de+Monforte+de+

Before printing this message, please check that it is necessary to do so.

"This message is addressed exclusively to its recipient and may contain
private and confidential information. Do not forward, copy or distribute it
to third parties who should not know its content. If you have received it
in error, please notify the sender and delete it, together with any document
that may be attached.

 Please bear in mind that e-mails sent via the Internet cannot guarantee
the confidentiality of messages or their transmission in their entirety.

 The opinions expressed in this e-mail belong solely to the sender and do
not necessarily represent the opinion of the BBVA Group."


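The two points raised in the thread, refusing access tokens passed as a query parameter and tying GET to read-only scope and POST to the "transfer" scope, can be enforced at the resource server in a few lines. The following is an added illustration and is not code from the FAPI working group, from the DDA specification or from any participant in this thread; the token store, the method-to-scope table and the function names are constructed for the example, and the token-placement rules follow RFC 6750 (Authorization header in section 2.1, query parameter in section 2.3).

```python
import re
from urllib.parse import parse_qs

# Constructed sample token store: opaque token -> granted scopes.
# A real resource server would consult token introspection instead.
TOKENS = {
    "tok-read-only-1234": {"accounts"},
    "tok-transfer-5678": {"accounts", "transfer"},
}

# Hypothetical mapping of HTTP method to required scope, following the
# suggestion in the thread: GET for read-only, POST for transfers.
METHOD_SCOPE = {"GET": "accounts", "POST": "transfer"}

BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9._~+/=-]+)$")
QUERY_TOKEN_RE = re.compile(r"(access_token=)[^&\s]*", re.IGNORECASE)


def extract_bearer(request):
    """Return (token, http_status, error).

    The token is accepted only from the Authorization header (RFC 6750
    section 2.1). A token carried in the query string (section 2.3) is
    refused outright, which is the prohibition proposed above; the
    request dict shape ({"method", "query_string", "headers"}) is an
    assumption of this example.
    """
    qs = parse_qs(request.get("query_string", ""), keep_blank_values=True)
    if "access_token" in qs:
        return None, 400, "invalid_request: access_token must not be sent in the query string"
    auth = request.get("headers", {}).get("Authorization", "")
    m = BEARER_RE.match(auth)
    if not m:
        return None, 401, "missing or malformed Authorization: Bearer header"
    return m.group(1), 200, None


def authorize(request):
    """Enforce token placement first, then the method-to-scope rule."""
    token, status, err = extract_bearer(request)
    if err:
        return status, err
    scopes = TOKENS.get(token)
    if scopes is None:
        return 401, "invalid_token"
    required = METHOD_SCOPE.get(request["method"])
    if required is None:
        return 405, "method not allowed"
    if required not in scopes:
        return 403, f"insufficient_scope: {required} required"
    return 200, "ok"


def redact_request_line(line):
    """Mask any access_token that still reaches the access log, the
    server-side logging responsibility mentioned in the thread."""
    return QUERY_TOKEN_RE.sub(r"\g<1>[REDACTED]", line)


if __name__ == "__main__":
    # Constructed requests exercising each rule.
    ok = {"method": "GET", "query_string": "",
          "headers": {"Authorization": "Bearer tok-read-only-1234"}}
    in_query = {"method": "GET", "query_string": "access_token=tok-read-only-1234",
                "headers": {}}
    print(authorize(ok))
    print(authorize(in_query))
    print(redact_request_line("GET /accounts?access_token=tok-read-only-1234&page=2 HTTP/1.1"))
```

Rejecting the query-string form with 400 rather than silently accepting it is what makes the "GET for read-only" position safe in practice: once the token can only travel in a header, the request line that proxies and access logs see no longer carries it, and the redaction step is a backstop rather than the primary control.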