[Openid-specs-fapi] Proposal to use DDA specification in FAPI

John Bradley jbradley at pingidentity.com
Mon Aug 22 21:40:39 UTC 2016


Yes, RFC 6750 recommends sending the AT in the header.  It however also
allows some backwards compatibility modes such as passing it as a query
parameter.

Mostly this is used by lazy developers these days.   I think Nat and I are
recommending only allowing the header option, and by doing that using GET
is not such an issue.

John B.

On Mon, Aug 22, 2016 at 1:31 PM, Suhas Chatekar <suhas.chatekar at gmail.com>
wrote:

> I am new to the group so apologies if I am duplicating something that is
> sent earlier to the group.
>
> There is a IETF standard on how to send access token in HTTP headers as
> bearer tokens - https://tools.ietf.org/html/rfc6750
>
> May be we can just adopt this standard?
>
> Suhas
>
> On Mon, 22 Aug 2016, 16:23 Nat Sakimura via Openid-specs-fapi, <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> We can certainly constrain that it has to be sent in the header.
>>
>> Sent from iPad
>>
>> On 2016/08/22 23:48, John Bradley via Openid-specs-fapi <
>> openid-specs-fapi at lists.openid.net> wrote:
>>
>> It is a debate that we keep having, mostly around backwards compatibility
>> and people wanting to send the access token as a parameter rather than in a
>> header.
>>
>> If we prohibit sending the AT as a query parameter, I am more than happy
>> with GET for read only.
>>
>> John B.
>>
>> On Aug 22, 2016 10:59 AM, "Luis SAIZ GIMENO via Openid-specs-fapi" <
>> openid-specs-fapi at lists.openid.net> wrote:
>>
>> Hi,
>>
>> Maybe it's not a subject for this list, but the use of POST for "get" info
>> sounds odd to me. In order to be more consistent with REST APIs and to
>> avoid mistakes in authorization rules/scopes, I think GET should be used
>> for read-only operations and POST (PUT/DELETE) for write operations
>> ("transfer" scope).
>>
>> The use of GET vs POST for security reasons dates from the early HTTP RFC
>> when TLS was uncommon (HTTP predates TLS). Nowadays, and even more in a
>> financial scenario, all transfers must be done under TLS, so no
>> sensitive info can be leaked in proxies. Web servers have access to the full
>> info regardless of GET/POST; it's a server-side responsibility to configure
>> web server audit logs not to log sensitive information.
>>
>> Recommendations of W3C:
>>
>> https://www.w3.org/2001/tag/doc/whenToUseGet.html
>>
>>
>> BTW, HEART WG explicitly refers to RESTful APIs but FAPI doesn't. Should we
>> consider and discuss it?
>>
>>
>> Best,
>>
>> Luis
>>
>> -------
>> "Crypto can't create trust. It merely automates the trust that already
>> exists for other reasons" -- John Gilmore
>>
>> 2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com>:
>>
>>> Hello All,
>>>
>>> The FS-ISAC working group ratified a solution that will replace credential
>>> based aggregation of data via screen scraping bank websites with OAUTH 2.x
>>> & DDA (durable data API).
>>>
>>> Recommendation for the OpenID FAPI working group to use the Durable Data API
>>> as the base, which defines various entity definitions (such as Account,
>>> transactions etc.).
>>>
>>> These entities are returned under the scope of the OAUTH token.
>>>
>>> Note: See attachment for the detailed DDA Specification.
>>>
>>> Thanks,
>>>
>>> Anoop Saxena
>>>
>>> Architect
>>> Intuit | simplify the business of life (tm)
>>>
>>>
>>>
>>> _______________________________________________
>>> Openid-specs-fapi mailing list
>>> Openid-specs-fapi at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>>
>>>
>>
>>
>> --
>>
>> BBVA
>>
>> Luis Saiz Gimeno
>>
>> Innovation in Security
>>
>> Móvil +34 609703264 - Tel. +34 918073152 - luis.saiz at bbva.com
>>
>> Engineering - Architecture & Global Deployment – Monforte de Lemos,
>> s/n, 28029
>>
>> Maps: https://www.google.es/maps/place/Av.+de+Monforte+de+Lemos,+28,+28029+Madrid/
>>
>> Before you print this message please consider if it is really necessary.
>>
>>
>> "This message is intended exclusively for the addressee and may contain
>> privileged and confidential information. Please do not disseminate, copy
>> or distribute it to third parties who should not receive it. In case you
>> have received it by mistake, please inform the sender and delete the
>> message and attachments from your system.
>>
>> Please keep in mind that e-mails sent over the Internet cannot
>> guarantee either the confidentiality or the integrity of the messages
>> sent."
>>
>>
>


-- 
John Bradley
Sr Technical Architect, Ping Identity <https://www.pingidentity.com>
jbradley at pingidentity.com
c: +1 202.630.5272
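The policy the thread converges on (accept the bearer token only in the Authorization header per RFC 6750 section 2.1, refuse the query-parameter form, pair GET with read-only scope and POST with the "transfer" scope, and keep tokens out of server logs as Luis notes) can be enforced at the resource server with a few lines. What follows is an added example, not code from any message in this thread, from the FAPI working group or from the DDA specification; the function names, the `"read"`/`"transfer"` scope strings and the `SAMPLE_SCOPES` table are constructed for illustration, and the table stands in for the token validation or introspection step a real server performs.

```python
"""Header-only bearer token enforcement for a resource server (RFC 6750),
plus log redaction so a token a client still puts in the query string never
reaches the access log. Illustrative example; names are not from any spec."""
import re
from urllib.parse import parse_qs

# b64token syntax from RFC 6750 section 2.1; the scheme name is case-insensitive.
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


class TokenError(Exception):
    """Carries the HTTP status and the RFC 6750 section 3.1 error code to return."""

    def __init__(self, status, error, description):
        super().__init__(description)
        self.status = status        # 400, 401 or 403
        self.error = error          # e.g. "invalid_request"; None when only the token is missing
        self.description = description


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_bearer_token(headers, query_string=""):
    """Return the access token from the Authorization header only.

    The query-parameter form (RFC 6750 section 2.3) is refused outright, so a
    token cannot land in referrers, proxies or access logs, and a request can
    never carry two tokens (section 2 forbids using more than one method).
    """
    params = parse_qs(query_string or "", keep_blank_values=True)
    if "access_token" in params:
        raise TokenError(400, "invalid_request",
                         "access_token in the query string is not accepted; "
                         "send it in the Authorization header")
    auth = _header(headers, "Authorization")
    if auth is None:
        # No token at all: 401 with a bare challenge and no error code (section 3.1).
        raise TokenError(401, None, "missing bearer token")
    match = _BEARER_RE.match(auth.strip())
    if match is None:
        raise TokenError(400, "invalid_request", "malformed Authorization header")
    return match.group(1)


def www_authenticate(err, realm="fapi"):
    """Build the WWW-Authenticate challenge for a TokenError (RFC 6750 section 3)."""
    parts = [f'Bearer realm="{realm}"']
    if err.error is not None:
        parts.append(f'error="{err.error}"')
        parts.append(f'error_description="{err.description}"')
    return ", ".join(parts)


_TOKEN_IN_QUERY = re.compile(r"(access_token=)[^&]*")


def redact_query_for_log(query_string):
    """Mask any access_token value before a query string is written to a log.

    Still needed with the policy above: the rejected request gets logged, and
    the log line must not preserve the credential the client wrongly exposed.
    """
    return _TOKEN_IN_QUERY.sub(r"\1[REDACTED]", query_string or "")


# Constructed stand-in for token validation: token value -> granted scopes.
SAMPLE_SCOPES = {"read-token": {"read"}, "transfer-token": {"read", "transfer"}}


def handle(method, headers, query_string, scopes=SAMPLE_SCOPES):
    """Toy dispatcher: GET needs the read scope, POST needs the transfer scope.

    Returns (status, body) on success or (status, WWW-Authenticate value) on
    failure, so the caller can emit the challenge header verbatim.
    """
    try:
        token = extract_bearer_token(headers, query_string)
    except TokenError as err:
        return err.status, www_authenticate(err)
    scope = scopes.get(token, set())
    if method == "GET" and "read" in scope:
        return 200, "account data"
    if method == "POST" and "transfer" in scope:
        return 200, "transfer accepted"
    # Valid token, wrong scope for this method: 403 insufficient_scope (section 3.1).
    return 403, www_authenticate(
        TokenError(403, "insufficient_scope", "scope does not permit this method"))


if __name__ == "__main__":
    print(handle("GET", {"Authorization": "Bearer read-token"}, ""))
    print(handle("GET", {}, "access_token=read-token"))
    print(redact_query_for_log("access_token=read-token&page=2"))
```

Rejecting the query form with a 400 rather than silently ignoring it is deliberate: it surfaces the non-compliant client during integration, and the redacted query string still lets the server's logs show that it happened without recording the token.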