[Openid-specs-fapi] FAPI 2.0
joseph at authlete.com
Wed Feb 26 16:23:28 UTC 2020
A few quick initial thoughts:
“2.4. Differences to FAPI 1.0” - the first column doesn’t seem quite right - as this is the baseline profile, should it be comparing against FAPI-R rather than FAPI-RW?
If it is comparing against FAPI-RW, then FAPI-RW already only allows asymmetric client auth, and allows both private_key_jwt and MTLS client auth.
I have some concerns about FAPI 2.0 baseline only allowing MTLS for client authentication. As it stands today this still adds quite a burden on RPs, compared to FAPI-R which did allow simple RP credentials.
I think I was expecting that the baseline profile would allow public clients, which it doesn’t seem to.
I’m surprised to see the baseline spec requiring encrypted id_token support from clients - I think the idea is that id_tokens are only sent in the back channel, so encryption seems unnecessary?
RS checking that access tokens are not revoked (“MUST verify that the access token is neither expired nor revoked;”) is also very strong language in a baseline profile, and appears to rule out the implementation choice of having short lived JWT access tokens that cannot be revoked.
> On 26 Feb 2020, at 15:43, Daniel Fett via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> Hi all,
> Based on our previous discussions regarding "FAPI Evolution" I prepared drafts for the first two documents of FAPI 2.0:
> https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Attacker_Model.md
> https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md
> (I attached the respective HTML versions to this mail, let's see if the mailing list eats them or not.)
> In the Baseline profile document, I added a table showing the differences to FAPI 1.0 R/W.
> There are some open points collected towards the bottom of the document. There are also no security considerations right now.
> Please read these documents and give feedback here or file issues on bitbucket.
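The last point in the mail above (an RS that "MUST verify that the access token is neither expired nor revoked" versus short-lived, self-contained JWT access tokens that carry no revocation state) is easy to see in code. The following is an added example and is not code from this mail, from the FAPI drafts or from any FAPI implementation. It models both RS designs side by side: a stateless RS that checks only the signature and `exp`, and an RS that additionally consults a revocation set keyed on `jti` (standing in for token introspection or a revocation feed). HS256 with a shared key is used only to keep the example stdlib-only; a FAPI authorization server would sign with an asymmetric key, but the RS-side checks shown are the same. All keys, claim values and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HS256 stands in for the asymmetric signature a real
# FAPI AS would use; the verification logic below does not depend on that choice.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://as.example"  # assumed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, jti: str, lifetime_s: int, now: int) -> str:
    """AS side: mint a self-contained JWT access token with a short lifetime."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {"iss": ISSUER, "sub": sub, "jti": jti, "iat": now, "exp": now + lifetime_s}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: int, revoked_jtis=None):
    """RS side. Returns (accepted, reason).

    revoked_jtis=None models the stateless RS that only checks signature and exp;
    passing a set models an RS that also performs the revocation check the draft requires.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm instead of trusting the header (blocks alg=none / alg confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if now >= claims["exp"]:
        return False, "expired"
    if revoked_jtis is not None and claims["jti"] in revoked_jtis:
        return False, "revoked"
    return True, "ok"


def forge_alg_none(token: str) -> str:
    """Attacker: keep the payload, swap the header to alg=none and drop the signature."""
    _, p, _ = token.split(".")
    h = _b64url(json.dumps({"alg": "none", "typ": "at+jwt"}).encode())
    return f"{h}.{p}."


def demo() -> dict:
    """Constructed scenario: 300 s token, revoked by the AS 60 s after issuance."""
    t0 = 1_000_000
    token = issue_access_token("user123", "tok-1", 300, t0)
    revoked = {"tok-1"}  # what the AS knows after revocation at t0 + 60
    h, p, s = token.split(".")
    tampered = f"{h}.{p}." + ("B" if s[0] == "A" else "A") + s[1:]
    return {
        # Stateless RS keeps accepting a revoked token until exp: the gap the mail points at.
        "stateless_after_revocation": verify_access_token(token, t0 + 120)[1],
        "stateful_after_revocation": verify_access_token(token, t0 + 120, revoked)[1],
        "stateless_after_expiry": verify_access_token(token, t0 + 300)[1],
        "tampered_signature": verify_access_token(tampered, t0 + 10)[1],
        "alg_none": verify_access_token(forge_alg_none(token), t0 + 10)[1],
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The `stateless_after_revocation` case is the one the mail's objection is about: with a purely self-contained token the RS cannot honour a revocation that happened after issuance, and the only mitigation is the short `exp` window. The `stateful` variant satisfies the draft's wording but needs a revocation source (introspection, a pushed revocation list, or similar) on every request, which is the extra burden for a baseline profile.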