[Openid-specs-fapi] Proposal to use DDA specification in FAPI

Tue Aug 23 03:38:10 UTC 2016

I agree to only allow the access_token in the header or as POST body parameter. The access_token should not become visible to anybody when being in front of a browser.

Sascha

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net<mailto:openid-specs-fapi-bounces at lists.openid.net>> on behalf of John Bradley via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Reply-To: John Bradley <jbradley at pingidentity.com<mailto:jbradley at pingidentity.com>>, Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Date: Monday, August 22, 2016 at 2:40 PM
To: Suhas Chatekar <suhas.chatekar at gmail.com<mailto:suhas.chatekar at gmail.com>>
Cc: Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Subject: Re: [Openid-specs-fapi] Proposal to use DDA specification in FAPI

Yes RFC 6750 recommends sending the AT in the header.  It however also allows some backwarrds compatibility modes such as passing it as a query parameter.

Mostly this is used by lazy developers these days.   I think Nat and I are recommending only allowing the header option, and by doing that using GET is not such an issue.

John B.

On Mon, Aug 22, 2016 at 1:31 PM, Suhas Chatekar <suhas.chatekar at gmail.com<mailto:suhas.chatekar at gmail.com>> wrote:

I am new to the group so apologies if I am duplicating something that is sent earlier to the group.

There is a IETF standard on how to send access token in HTTP headers as bearer tokens - https://tools.ietf.org/html/rfc6750<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc6750&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=-PlgNtYyTH-wVrRKa4NYpirnUOA2u7vdVsQdTQg2XeU&e=>

May be we can just adopt this standard?

Suhas

On Mon, 22 Aug 2016, 16:23 Nat Sakimura via Openid-specs-fapi, <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
We can certainly constrain that it has to be sent in the header.

Sent from iPad

2016/08/22 23:48、John Bradley via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> のメッセージ:

It is a debate that we keep having, mostly around backwards compatibility and people wanting to send the acess token as a paramater rather than in a headder.

If we prohibit sending the AT as a query paramater, I am more than happy with GET for read only.

John B.

On Aug 22, 2016 10:59 AM, "Luis SAIZ GIMENO via Openid-specs-fapi" <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
Hi,

Maybe it's not a subject for this list but it sounds odd to me the use of POST for "get" info. In order to be more consistent with REST APIs and to avoid mistakes in authorization rules/scopes I think it should be used GET for read-only operations and POST(PUT/DELETE) for write operations ("transfer" scope)

The use of GET vs POST for security reasons dates from the early HTTP RFC when TLS was uncommon (HTTP predates TLS). Nowadays and even more in a financial scenario, all transfers must be done under TLS and so no sensitive info can be leaked in proxies. Web servers has access to the full info regardless GET/POST, it's a server-side responsibility to configure web servers audit logs for not logging sensitive information

Recommendations of W3C:

https://www.w3.org/2001/tag/doc/whenToUseGet.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.w3.org_2001_tag_doc_whenToUseGet.html&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=mRUcmZ-pW0zyv3xocmascLFuQEO2Aq2J_vTZFz0gQ1k&e=>

BTW, HEART WG explicitly refers to RESTful APIs but FAPI don't. Should we consider and discuss about it?

Best,

Luis

-------
"Crypto can't create trust It merely automates the trust that already exists for other reasons" -- John Gilmore

2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com<mailto:Anoop_Saxena at intuit.com>>:
Hello All,

FS-ISAC working group   ratified a solution that will replace credential based aggregation of data via screen scraping bank website with  OAUTH 2.x & DDA (durable data API).

Recommendation for Open Id FAPI working group to use Durable Data API as base which defines various entities definition (such as Account, transactions etc.. ).
These entities are returned under the scope of OAUTH token.

Note: See attachment for detail DDA Specification.

Thanks,

Anoop Saxena
Architect
Intuit | simplify the business of lifetm

_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=OxU88Yoaza6iwupZJpdBGJKWpEHSD3z07lNohEjq8lk&e=>

--

BBVA

Luis Saiz Gimeno

Innovation in Security

Móvil +34 609703264<tel:%2B34%C2%A0609703264> - Tel. +34 918073152<tel:%2B34%C2%A0918073152> - luis.saiz at bbva.com<mailto:luis.saiz at bbva.com>

Engineering - Architecture & Global Deployment – Monforte de Lemos, s/n, 28029

Maps: https://www.google.es/maps/place/Av.+de+Monforte+de+Lemos,+28,+28029+Madrid/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.google.es_maps_place_Av.-2Bde-2BMonforte-2Bde-2BLemos-2C-2B28-2C-2B28029-2BMadrid_&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=vaitlrZb8eJhUuiVyBxeBIECO3PSzeOPTKrdGGdLFvU&e=>

Antes de imprimir este mensaje, por favor comprueba que es necesario hacerlo. Before you print this message please consider if it is really necessary.

"Este mensaje está dirigido de manera exclusiva a su destinatario y puede contener información privada y confidencial. No lo reenvíe, copie o distribuya a terceros que no deban conocer su contenido. En caso de haberlo recibido por error,  rogamos lo notifique al remitente y proceda a su borrado, así como al de cualquier documento que pudiera adjuntarse.

 Por favor tenga en cuenta que los correos enviados vía Internet no permiten garantizar la confidencialidad de los mensajes ni su transmisión de forma íntegra.

 Las opiniones expresadas en el presente correo pertenecen únicamente al remitente y no representan necesariamente la opinión del Grupo BBVA."

 "This message is intended exclusively for the adressee and may contain privileged and confidential information. Please, do not disseminate, copy or distribute it to third parties who should not receive it. In case you have received it by mistake, please inform the sender and delete the message and attachments from your system.

 Please keep in mind that e-mails sent by Internet do not allow to guarantee neither the confidentiality or the integrity of the messages sent."

_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=OxU88Yoaza6iwupZJpdBGJKWpEHSD3z07lNohEjq8lk&e=>

_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=OxU88Yoaza6iwupZJpdBGJKWpEHSD3z07lNohEjq8lk&e=>
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=OxU88Yoaza6iwupZJpdBGJKWpEHSD3z07lNohEjq8lk&e=>

--
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.pingidentity.com&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=kX9YMc9bHJieQZvW5XXfNlv9-HSUsg16tyweuW60-R8&e=>[Ping Identity]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.pingidentity.com&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=kX9YMc9bHJieQZvW5XXfNlv9-HSUsg16tyweuW60-R8&e=>
John Bradley
Sr Technical Architect
jbradley at pingidentity.com<mailto:jbradley at pingidentity.com>
w:
c: +1 202.630.5272

Connect with us:        [Glassdoor logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.glassdoor.com_Overview_Working-2Dat-2DPing-2DIdentity-2DEI-5FIE380907.11-2C24.htm&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=PD9315f6kW9bfb6_G2q9q-uA8VPfuAqLr_aS-UVKOOI&e=> [LinkedIn logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_21870&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=KJihPz8jzRH6HwzxvoqQxAJE9Nfmde3zXO_tHw_1PQ8&e=> [twitter logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_pingidentity&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=Ke6hIQ9k9koR9epgEE6JFTBmZot_aaT4jYOioGSF3QY&e=> [facebook logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_pingidentitypage&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=33aG4dKuS2A33uDgS3q_kW1lD1WdC4Hj_0mr362_MZQ&e=> [youtube logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_user_PingIdentityTV&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=-gVTCHbgO66E2c03WWWG4asrAKbkFfZ40-6rW02GW4A&e=> [Google+ logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__plus.google.com_u_0_114266977739397708540&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=A8-cUg_bVSaGE0-g7uzk3A3M3GfWQdB1kLUFy1WDf-c&e=> [Blog logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.pingidentity.com_en_blog.html&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=mM1GN701RJiAVHfv8G1aDzNyvi-IsAr4cOBvyYfL7uU&s=oYyJ-X5rpFfML9k3daNkZ1VMFzTViMp1ValAjajeA6o&e=>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20160823/7396b061/attachment-0001.html>