[Openid-specs-fapi] Public Client Support
n-sakimura at nri.co.jp
Mon Jan 7 03:06:15 UTC 2019
Thanks for hosting the call. The first three days of January are a big holiday in Japan, so anything work-related completely slipped out of my head.
Now, I agree with the point stated. FAPI scope is much larger than PSD2-style applications. Even in the sphere of financial applications, there are a lot of first-party apps that are public clients, and many of them are not in good shape from the security point of view. We want to give guidance to such apps.
Also, it would probably be worth noting that for read-write, while we speak of a “public client,” it really is not. It has something akin to a per-client secret via such mechanisms as token binding.
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On Behalf Of Dave Tonge via Openid-specs-fapi
Sent: Thursday, January 03, 2019 12:26 AM
To: Openid-specs Fapi <openid-specs-fapi at lists.openid.net>
Cc: Dave Tonge <dave.tonge at momentumft.co.uk>
Subject: [Openid-specs-fapi] Public Client Support
Dear FAPI WG
We very briefly discussed the issue of Public Client support on the call today and I said I'd email the list.
We have two issues open:
From my perspective the key argument to remove support for public clients is:
It is harder to implement secure public clients; the spec would be simpler if we just removed support.
The key argument to include support is:
The FAPI specs are not just for use in PSD2-style APIs where a confidential client is required. Rather, the specs are intended to also support first-party clients, for example a bank or TPP implementing its own app. People will implement such apps using public clients, so we should provide guidance on how to do it securely.
It would be good to get feedback from the list on this.