[Openid-specs-fapi] Kicking off Part 2: Read Write API Security

Nat Sakimura nat at sakimura.org
Tue Dec 13 16:44:47 UTC 2016

Dear FAPI members:

Now that we have sent Part 1 to the OIDF secretary, we should 
immediately start working on Part 2.

What Part 2 needs to do is to specify the additional requirements on 
Part 1 to do the "write" operation.

My gut feeling is to require

* OAuth Token Binding;
* LoA 3 for authentication;
* the use of request object;
* to put all the intended endpoints in the request; and
* potentially, one time access token.

These need to be decomposed into Authorization server requirements and 
client requirements.

Is there anything else that comes to your mind?


Nat Sakimura
Chairman, OpenID Foundation
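The third and fourth bullets above (a signed request object that carries, among its parameters, the endpoints the client intends to call) are the part of the list that is a concrete protocol mechanism, so here is an added worked example of what a client builds and what the authorization server checks. This is illustration code written for this page, not code from the FAPI working group or any implementation. Assumptions: HS256 with a constructed shared key is used only to keep the example dependency-free (a real profile would use an asymmetric algorithm and the client's registered key), the claim name `intended_endpoints` is hypothetical, and the `seen_jti` set stands in for whatever replay store an authorization server would actually use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by client and authorization server.
# Illustration only: the HMAC alg is a stand-in for a registered asymmetric key.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Parameters the AS refuses to take from the query string; they must be in the signed object.
REQUIRED_CLAIMS = ("iat", "exp", "jti", "response_type", "client_id",
                   "redirect_uri", "scope", "state", "nonce", "intended_endpoints")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_request_object(client_id, as_issuer, redirect_uri, scope, endpoints,
                         key=DEMO_KEY, now=None, ttl=300):
    """Client side: put every authorization parameter into one signed JWS (the request object)."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_id,            # the client signs it, so it is also the issuer
        "aud": as_issuer,            # bound to one authorization server
        "iat": now,
        "exp": now + ttl,            # short lifetime limits replay window
        "jti": secrets.token_urlsafe(16),
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        # Hypothetical claim: the resource endpoints this authorization is meant for.
        "intended_endpoints": list(endpoints),
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(_compact_json(header)) + "." + b64url(_compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request_object(jws, expected_client_id, as_issuer, seen_jti,
                          key=DEMO_KEY, now=None):
    """AS side: verify signature, audience, lifetime and single use; return the claims or raise."""
    now = int(time.time()) if now is None else now
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":           # rejects alg=none and algorithm confusion
        raise ValueError("unsigned or unsupported alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != expected_client_id or claims.get("client_id") != expected_client_id:
        raise ValueError("issuer/client_id mismatch")
    if claims.get("aud") != as_issuer:
        raise ValueError("wrong audience")
    missing = [k for k in REQUIRED_CLAIMS if k not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("request object expired or not yet valid")
    if claims["jti"] in seen_jti:               # each request object is accepted once
        raise ValueError("replayed request object")
    seen_jti.add(claims["jti"])
    return claims


if __name__ == "__main__":
    store = set()
    ro = build_request_object("client-1", "https://as.example", "https://client.example/cb",
                              "openid accounts payments", ["https://rs.example/payments"])
    print(verify_request_object(ro, "client-1", "https://as.example", store)["intended_endpoints"])
```

Because the authorization server takes every parameter from the verified object, a party who can alter the front-channel query string cannot widen the scope, swap the redirect URI or redirect the authorization to a different endpoint without breaking the signature, and the `jti` check means a captured object cannot be presented a second time.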
