[Openid-specs-fapi] Public Client Support

Dave Tonge dave.tonge at momentumft.co.uk
Wed Jan 2 15:26:07 UTC 2019


Dear FAPI WG

We very briefly discussed the issue of Public Client support on the call
today and I said I'd email the list.

We have two issues open:
https://bitbucket.org/openid/fapi/issues/158/fapi-part-2-request-object-for-public
https://bitbucket.org/openid/fapi/issues/170/remove-public-client-support

From my perspective the key argument to remove support for public clients
is:
*It is harder to implement secure public clients, the spec would be simpler
if we just removed support.*

The key argument to include support is:
*The FAPI specs are not just for use in PSD2 style APIs where a
confidential client is required. Rather the specs are intended to also
support first party clients, for example a bank or TPP implementing its own
app. People will implement such apps using public clients so we should
provide guidance on how to do it securely.*

It would be good to get feedback from the list on this.

Thanks

-- 
Dave Tonge