[Openid-specs-fapi] FAPI 2.0
Daniel Fett
fett at danielfett.de
Thu Feb 27 15:17:21 UTC 2020
Good point!
What about this?
AS...
" * MUST provide a means for resource servers to verify the validity,
integrity, expiration and revocation status of access tokens, either by
providing an introspection endpoint [@!RFC7662], by exposing signature
verification keys, or by deployment-specific means."
Regarding Joseph's point of short-lived, unrevocable ATs, I propose to
add a note:
"Note: In deployments using exclusively short-lived access tokens that
cannot be revoked, RS and AS do not need to use or provide means for
checking the revocation status."
What do you think?
-Daniel
Am 27.02.20 um 14:09 schrieb Ralph Bragg:
>
> Small one from me Daniel
>
> *Requirements for Authorization Servers*
>
> Doesn’t include explicitly the requirement to support a means of
> validating that an access token is still valid. I had to add this to
> the Open Banking security profile to force banks to either share the
> keys with their RS’s or expose an introspection endpoint. I know it’s
> stupid but can we please make sure that if there is an explicit
> requirement to validate an access token on the RS then there is an
> explicit obligation to provide a means to do so on the AS.
>
>
>
> *From: *Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net>
> on behalf of Joseph Heenan via Openid-specs-fapi
> <openid-specs-fapi at lists.openid.net>
> *Reply to: *Financial API Working Group List
> <openid-specs-fapi at lists.openid.net>
> *Date: *Thursday, 27 February 2020 at 10:37
> *To: *Daniel Fett <fett at danielfett.de>
> *Cc: *Joseph Heenan <joseph at authlete.com>, Openid-specs-fapi
> <openid-specs-fapi at lists.openid.net>
> *Subject: *Re: [Openid-specs-fapi] FAPI 2.0
>
>
>
> Thanks Daniel - a few responses inline:
>
>
>
> (Any points I removed I agree with your response - thanks!)
>
>
>
> On 27 Feb 2020, at 08:12, Daniel Fett <fett at danielfett.de
> <mailto:fett at danielfett.de>> wrote:
>
>
>
> Thanks for the feedback, Joseph! Answers inline.
>
>
>
> Am 26.02.20 um 17:23 schrieb Joseph Heenan:
>
> Thanks Daniel!
>
>
>
> A few quick initial thoughts:
>
>
>
> "2.4. Differences to FAPI 1.0” the first column doesn’t seem
> quite right - as this is the base line profile should it be
> comparing against FAPI-R rather than FAPI-RW?
>
> It is based off FAPI-RW. To reach the security goals, it is easier
> to start from RW. If we find that we can give some leeway, we can
> reintroduce features from R. (Baseline and Advanced are not just
> new names for R and RW.)
>
> Good answer :-) I think it’s also a reasonable position given I
> believe we’re not aware of deployments of FAPI-R.
>
>
>
>
>
> I have some concerns about FAPI 2.0 baseline only allowing
> MTLS for client authentication.As it stands today this still
> adds quite a burden on RPs, compared to FAPI-R which did allow
> simple RP credentials.
>
> Currently, RPs need MTLS anyway for sender-constraining of the AT.
> Therefore I'm not sure if RP credentials would actually make
> things easier.
>
> Good point.
>
>
>
> I think it would be interesting to discuss whether dPoP would meet the
> goals and is something we could include as an alternative. DPoP feels
> to me to be easier for clients than MTLS (and potentially servers too
> - the certification team has seen a LOT of people struggle to get MTLS
> working on production systems due to issues with WAFs and similar that
> are required for PCI compliance).
>
>
>
>
>
> RS Checking access tokens are not revoked ("MUST verify that
> the access token is neither expired nor revoked;”) is also
> very strong language in a baseline profile, and appears to
> rule out the implementation choice of having short lived JWT
> access tokens that cannot be revoked.
>
> That is actually taken from the current R spec. How I read it, it
> still allows for unrevokable short-lived JWTs, since if they are
> never revoked, the check always passes.
>
> Interesting, I never noticed that before. We may want to make the
> language a little clearer in both places I guess.
>
>
>
> Joseph
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20200227/6eb50a1f/attachment-0001.html>
More information about the Openid-specs-fapi
mailing list