[Openid-specs-fapi] Proposal to use DDA specification in FAPI

Suhas Chatekar suhas.chatekar at gmail.com
Mon Aug 22 16:31:39 UTC 2016


I am new to the group, so apologies if I am duplicating something that was
sent earlier to the group.

There is an IETF standard on how to send access tokens in HTTP headers as
bearer tokens - https://tools.ietf.org/html/rfc6750

Maybe we can just adopt this standard?

Suhas

On Mon, 22 Aug 2016, 16:23 Nat Sakimura via Openid-specs-fapi, <
openid-specs-fapi at lists.openid.net> wrote:

> We can certainly constrain that it has to be sent in the header.
>
> Sent from iPad
>
> On 2016/08/22 23:48, John Bradley via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
> It is a debate that we keep having, mostly around backwards compatibility
> and people wanting to send the access token as a parameter rather than in a
> header.
>
> If we prohibit sending the AT as a query parameter, I am more than happy
> with GET for read only.
>
> John B.
>
> On Aug 22, 2016 10:59 AM, "Luis SAIZ GIMENO via Openid-specs-fapi" <
> openid-specs-fapi at lists.openid.net> wrote:
>
> Hi,
>
> Maybe it's not a subject for this list, but the use of POST to "get" info
> sounds odd to me. In order to be more consistent with REST APIs and to
> avoid mistakes in authorization rules/scopes, I think GET should be used
> for read-only operations and POST (PUT/DELETE) for write operations
> ("transfer" scope).
>
> The use of GET vs POST for security reasons dates from the early HTTP RFCs,
> when TLS was uncommon (HTTP predates TLS). Nowadays, and even more so in a
> financial scenario, all transfers must be done under TLS, so no
> sensitive info can be leaked in proxies. Web servers have access to the full
> info regardless of GET/POST; it's a server-side responsibility to configure
> web server audit logs so that they do not log sensitive information.
>
> Recommendations of W3C:
>
> https://www.w3.org/2001/tag/doc/whenToUseGet.html
>
>
> BTW, the HEART WG explicitly refers to RESTful APIs but FAPI doesn't. Should we
> consider and discuss it?
>
>
> Best,
>
> Luis
>
> -------
> "Crypto can't create trust. It merely automates the trust that already
> exists for other reasons." -- John Gilmore
>
> 2016-06-09 2:34 GMT+02:00 Saxena, Anoop <Anoop_Saxena at intuit.com>:
>
>> Hello All,
>>
>>
>>
>> The FS-ISAC working group ratified a solution that will replace credential-
>> based aggregation of data via screen scraping of bank websites with OAuth 2.x
>> & DDA (Durable Data API).
>>
>> Recommendation for the OpenID FAPI working group: use the Durable Data API as
>> a base, which defines various entity definitions (such as Account,
>> Transactions, etc.).
>>
>> These entities are returned under the scope of the OAuth token.
>>
>> Note: See the attachment for the detailed DDA Specification.
>>
>> Thanks,
>>
>> Anoop Saxena
>>
>> Architect
>> Intuit | simplify the business of life (tm)
>>
>>
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>>
>
>
> --
>
> BBVA
>
> Luis Saiz Gimeno
>
> Innovation in Security
>
> Mobile +34 609703264 - Tel. +34 918073152 - luis.saiz at bbva.com
>
> Engineering - Architecture & Global Deployment - Monforte de Lemos,
> s/n, 28029
>
> Maps:
> https://www.google.es/maps/place/Av.+de+Monforte+de+Lemos,+28,+28029+Madrid/
>
> Before you print this message, please consider whether it is really
> necessary.
>
> "This message is intended exclusively for the addressee and may contain
> privileged and confidential information. Please do not disseminate, copy
> or distribute it to third parties who should not receive it. In case you
> have received it by mistake, please inform the sender and delete the
> message and attachments from your system.
>
> Please keep in mind that e-mails sent over the Internet do not allow
> either the confidentiality or the integrity of the messages sent to be
> guaranteed.
>
> The opinions expressed in this e-mail belong solely to the sender and do
> not necessarily represent the opinion of the BBVA Group."
>
>
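The thread converges on two resource-server rules: accept the access token only as an RFC 6750 bearer token in the Authorization header (refusing it as a query parameter, as John Bradley proposes), and tie HTTP methods to scopes so that read-only resources are GET and state-changing ones POST, as Luis suggests. The following is an added example of such a gate, not code from the thread, from FAPI or from DDA; the token store, the route table, the realm name and the scope names ("accounts", "transfer") are constructed for illustration, and the token store stands in for real token introspection or JWT validation.

```python
"""Added example: resource-server gate enforcing RFC 6750 bearer tokens in
the Authorization header and a method-to-scope mapping.  Token store, routes,
realm and scope names are constructed for illustration only."""
import re
from typing import Optional
from urllib.parse import parse_qs

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is matched case-insensitively, as HTTP auth schemes are.
BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)

# Constructed token store standing in for token introspection or JWT checks.
TOKENS = {
    "read-only-token": {"scope": {"accounts"}},
    "transfer-token": {"scope": {"accounts", "transfer"}},
}

# Constructed route table: read-only resources are GET, state-changing ones POST.
ROUTES = {
    ("GET", "/accounts"): "accounts",
    ("GET", "/transactions"): "accounts",
    ("POST", "/transfers"): "transfer",
}

REALM = "fapi"  # assumed realm name for the WWW-Authenticate challenge


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the b64token from an 'Authorization: Bearer ...' header, else None.
    Header names are looked up case-insensitively; any other scheme yields None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            m = BEARER_RE.match(value)
            return m.group(1) if m else None
    return None


def authorize(method: str, path: str, query: str, headers: dict):
    """Return (status, body, response_headers) for a request to the resource server."""
    # Thread proposal: a token in the query string is refused outright, even
    # though RFC 6750 section 2.3 merely discourages it (it ends up in access
    # logs, proxy logs and Referer headers).
    if "access_token" in parse_qs(query):
        return 400, {"error": "invalid_request",
                     "error_description": "send the access token in the Authorization header"}, {}

    token = extract_bearer(headers)
    if token is None:
        # RFC 6750 section 3: challenge with 401; no error code when no token was sent.
        return 401, {}, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}

    info = TOKENS.get(token)
    if info is None:
        return 401, {"error": "invalid_token"}, {
            "WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}

    required = ROUTES.get((method.upper(), path))
    if required is None:
        # Unknown method for this resource: reject before any scope check, so a
        # POST to a read-only resource can never slip through on a read scope.
        allowed = sorted(m for m, p in ROUTES if p == path)
        return 405, {"error": "method_not_allowed"}, {"Allow": ", ".join(allowed)}

    if required not in info["scope"]:
        # RFC 6750 section 3.1: insufficient_scope is a 403 naming the scope needed.
        return 403, {"error": "insufficient_scope"}, {
            "WWW-Authenticate": f'Bearer realm="{REALM}", error="insufficient_scope", scope="{required}"'}

    return 200, {"resource": path, "scope_used": required}, {}


if __name__ == "__main__":
    print(authorize("GET", "/accounts", "", {"Authorization": "Bearer read-only-token"}))
    print(authorize("POST", "/transfers", "", {"Authorization": "Bearer read-only-token"}))
    print(authorize("GET", "/accounts", "access_token=read-only-token", {}))
```

The method check runs before the scope check on purpose: with Luis's mapping, a token carrying only the read scope can never reach a state-changing handler, and a client that wrongly POSTs to a read-only resource is told which methods exist rather than being silently served.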