[Openid-specs-fapi] Kicking off Part 2: Read Write API Security

Nat Sakimura nat at sakimura.org
Tue Dec 13 16:44:47 UTC 2016


Dear FAPI members:

Now that we have sent Part 1 to the OIDF secretary, we should 
immediately start working on Part 2.

What Part 2 needs to do is to specify the additional requirements on 
Part 1 to do the "write" operation.

My gut feeling is to require

* OAuth Token Binding;
* LoA 3 for authentication;
* the use of request object;
* to put all the intended endpoints in the request; and
* potentially, one time access token.

These need to be decomposed into Authorization server requirements and 
client requirements.

Is there anything else that comes to mind?

Best,

-- 
Nat Sakimura
Chairman, OpenID Foundation
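Two of the items in the list above, a request object that carries the intended endpoints and a one-time access token, can be shown end to end in code. The following is an added example written for this page; it is not code from the post, from the FAPI working group, or from any FAPI implementation. It assumes HS256 with a shared client secret (the thread says nothing about algorithms), a hypothetical "endpoints" claim for the intended endpoints, and constructed sample URLs, identifiers, keys and timestamps.

```python
# Added example, not code from the original post or the FAPI working group.
# Sketches a signed request object listing the intended endpoints and a
# single-use access token. Assumptions: HS256 with shared secrets, and the
# illustrative claim name "endpoints", which no specification defines.
import base64
import hashlib
import hmac
import json
import secrets

CLIENT_SECRET = b"constructed-demo-secret"  # constructed sample value
AS_KEY = b"constructed-as-signing-key"      # constructed sample value
AS_ISSUER = "https://as.example"            # assumed issuer URL
CLIENT_ID = "fapi-demo-client"              # assumed client identifier

# Endpoints the client registered with the AS (constructed sample data).
REGISTERED_ENDPOINTS = {
    CLIENT_ID: {"https://rs.example/accounts", "https://rs.example/payments"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256, stdlib only so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check alg and MAC before trusting any claim; raise ValueError on failure."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# Client side: the request object names every endpoint the client intends to call.
def build_request_object(endpoints, now: int, state: str, nonce: str) -> str:
    claims = {
        "iss": CLIENT_ID, "aud": AS_ISSUER, "client_id": CLIENT_ID,
        "response_type": "code", "scope": "openid accounts payments",
        "redirect_uri": "https://client.example/cb",  # assumed redirect URI
        "state": state, "nonce": nonce, "iat": now, "exp": now + 300,
        "endpoints": sorted(endpoints),  # illustrative claim name
    }
    return sign_jwt(claims, CLIENT_SECRET)


# Authorization server: validate the request object, then mint a short-lived
# access token that carries the approved endpoints and a unique jti.
def issue_access_token(request_object: str, now: int, jti: str = "") -> str:
    req = verify_jwt(request_object, CLIENT_SECRET)
    if req["aud"] != AS_ISSUER or req["iss"] != req["client_id"]:
        raise ValueError("request object not from this client for this AS")
    if not (req["iat"] <= now < req["exp"]):
        raise ValueError("request object outside its validity window")
    if not set(req["endpoints"]) <= REGISTERED_ENDPOINTS[req["client_id"]]:
        raise ValueError("request names an endpoint the client did not register")
    token_claims = {
        "iss": AS_ISSUER, "sub": "user-123", "client_id": req["client_id"],
        "endpoints": req["endpoints"], "iat": now, "exp": now + 60,
        "jti": jti or secrets.token_hex(16),
    }
    return sign_jwt(token_claims, AS_KEY)


# Resource server: each jti is honoured once, and only for a listed endpoint.
class ResourceServer:
    def __init__(self) -> None:
        self.seen_jti = set()  # in production: a shared store with a TTL

    def authorize(self, access_token: str, endpoint: str, now: int) -> str:
        try:
            tok = verify_jwt(access_token, AS_KEY)
        except ValueError:
            return "invalid_token"
        if not (tok["iat"] <= now < tok["exp"]):
            return "expired"
        if endpoint not in tok["endpoints"]:
            return "endpoint_not_authorized"
        if tok["jti"] in self.seen_jti:
            return "replay"
        self.seen_jti.add(tok["jti"])
        return "ok"


if __name__ == "__main__":
    now = 1481647487  # constructed timestamp, close to the date of this post
    ro = build_request_object({"https://rs.example/accounts"}, now, "s1", "n1")
    rs = ResourceServer()
    at = issue_access_token(ro, now, jti="demo-jti")
    print(rs.authorize(at, "https://rs.example/accounts", now + 1))  # ok
    print(rs.authorize(at, "https://rs.example/accounts", now + 2))  # replay
    print(rs.authorize(at, "https://rs.example/payments", now + 3))  # endpoint_not_authorized
```

The point of the two checks at the resource server is that an access token leaked after use is worthless (the jti has been consumed) and a token minted for the accounts endpoint cannot be redirected to the payments endpoint, because the endpoint list travelled, signed, from the request object into the token. The jti set must be shared across resource-server instances for the one-time property to hold.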

