[Openid-specs-fapi] First draft Australian standard

Ralph Bragg ralph.bragg at raidiam.com
Wed Dec 5 12:55:08 UTC 2018


Hi,

That was the author's original intention, as he'd never worked on an implementation where the scope selection had changed at the OP and these were returned on the token request.

As FAPI makes it mandatory that the scopes are returned regardless of whether they're changed or not, the stated need for RPs to have access to the introspection endpoint for access tokens disappears.

It will probably still be included for refresh tokens.

RB


________________________________
From: Torsten Lodderstedt <torsten at lodderstedt.net>
Sent: Wednesday, December 5, 2018 12:19
To: Ralph Bragg
Cc: Financial API Working Group List
Subject: Re: [Openid-specs-fapi] First draft Australian standard

Hi Ralph,

> On 26.11.2018 at 10:05, Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> All,
>
> It’s very closely aligned with RW.
>
> There will be a v 0.0.2 out shortly addressing some of the items, like AT introspection to determine the scopes that were granted, that FAPI part one already addressed by making the requirement to return the scopes from the token endpoint mandatory on code exchange.

Are you assuming token introspection is used by the client to determine granted scopes? Otherwise, this mechanism does not serve the same goal, determining whether an attacker changed the requested scope.

best regards,
Torsten.

>
> The biggest area still up in the air is how complex scope information is exchanged between RP, OP and RS.
>
> We, FAPI, should provide guidance and standardise the way the reference to a complex consent object is passed to avoid fragmentation.
>
> RB
>
> From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> Sent: Monday, November 26, 2018 08:37
> To: Openid-specs-fapi
> Cc: Joseph Heenan
> Subject: [Openid-specs-fapi] First draft Australian standard
>
> Hi all,
>
> Here's the first draft of Australia's security profile:
>
> https://consumerdatastandardsaustralia.github.io/infosec/#infosec-profile-0-0-1
>
> TL;DR seems to be that it's essentially FAPI part2 + CIBA, along with making a few optional parts of OIDC/OAuth2 mandatory.
>
> Joseph
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
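The token-endpoint check discussed above, as an added example (not code from the mailing list or from the FAPI or Australian specifications): the RP compares the scopes it sent on the authorization request with the scope parameter that FAPI Part 1 requires the token endpoint to return on code exchange, so a scope altered in transit is detected without calling the introspection endpoint. The token responses below are constructed samples.

```python
"""RP-side check that granted scopes match requested scopes.

Added example; assumes the RP stored the scope string it sent on the
authorization request and that, per FAPI, the token endpoint always
returns a `scope` parameter on the code exchange."""
import json


def parse_scope(scope):
    # RFC 6749 scope values are space-delimited; order is not significant.
    return set(scope.split()) if scope else set()


def check_granted_scopes(requested_scope, token_response_json):
    """Return (ok, detail).

    ok is False when the scope parameter is absent (a FAPI profile
    violation the RP should reject) or when the granted set differs
    from the requested set in either direction."""
    resp = json.loads(token_response_json)
    if "scope" not in resp:
        return False, "token response has no scope parameter (required under FAPI)"
    granted = parse_scope(resp["scope"])
    requested = parse_scope(requested_scope)
    if granted == requested:
        return True, "granted scopes match requested scopes"
    missing = sorted(requested - granted)  # scopes silently dropped
    extra = sorted(granted - requested)    # scopes the RP never asked for
    return False, f"scope mismatch: missing={missing} extra={extra}"


# Constructed sample data: the scope the RP requested and three responses.
REQUESTED = "openid accounts payments"
MATCHING = json.dumps({"access_token": "constructed-token-1", "token_type": "Bearer",
                       "expires_in": 300, "scope": "payments accounts openid"})
DOWNGRADED = json.dumps({"access_token": "constructed-token-2", "token_type": "Bearer",
                         "expires_in": 300, "scope": "openid accounts"})
NO_SCOPE = json.dumps({"access_token": "constructed-token-3", "token_type": "Bearer",
                       "expires_in": 300})

if __name__ == "__main__":
    for name, response in (("matching", MATCHING), ("downgraded", DOWNGRADED),
                           ("no scope", NO_SCOPE)):
        ok, detail = check_granted_scopes(REQUESTED, response)
        print(f"{name:10} ok={ok} {detail}")
```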
