[Openid-specs-fapi] Issue #196: OAuth Security BCP and FAPI (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed Dec 19 12:55:49 UTC 2018

New issue 196: OAuth Security BCP and FAPI

Dave Tonge:

As many WG members will be aware, there is active work on: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10

As there is an overlap between the authors of the BCP and members of FAPI, and there are common goals between the 2 documents, I think we need to have a discussion on the connection between the documents.

From my perspective, I would like to get FAPI to a position where we can categorically state that compliance with FAPI means that the security BCP is being adhered to.

Torsten has mentioned a few differences:
 - AS specific redirect_uris (these are only required for public clients)
 - PKCE (I actually don't think this is an issue, FAPI1 requires it and FAPI2 requires OIDC hybrid mode)

Other differences that I'm aware of:
 - sender-constrained tokens (the BCP has this as a should, however we don't require it in Part 1)
