[Openid-specs-fapi] FAPI Security Profile 1.0 Parts 1 & 2 Final Preview #3

Edmund Jay ejay at mgi1.com
Sat Feb 27 16:46:03 UTC 2021


Hi Natalie,

I believe you may be talking about 5.2.2 - 14

   shall authenticate the confidential client using one of the following
methods (this overrides FAPI Security Profile 1.0 - Part 1: Baseline
<https://openid.net/specs/openid-financial-api-part-1-1_0.html> clause
5.2.2-4):

   1. tls_client_auth or self_signed_tls_client_auth as specified in
   section 2 of MTLS <https://tools.ietf.org/html/rfc8705>, *OR*
   2. private_key_jwt as specified in section 9 of OIDC
   <http://openid.net/specs/openid-connect-core-1_0.html>;


So it's an OR situation: you don't need to support both for client
authentication. But Part 2 does require MTLS for sender-constrained access
tokens in 5.2.2 - 6

      shall support MTLS <https://tools.ietf.org/html/rfc8705> as mechanism
for constraining the legitimate senders of access tokens;


Per RFC8705:

Mutual-TLS certificate-bound access tokens and mutual-TLS client
   authentication are distinct mechanisms that are complementary but
   don't necessarily need to be deployed or used together


-- Edmund

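The two clauses Edmund quotes are easy to conflate, so here is an added example (written for this page, not code from the FAPI WG or from the spec) of a token endpoint that accepts either client authentication method and, independently of which one was used, binds every issued access token to the presented client certificate per RFC 8705 section 3, plus the matching resource-server check. Assumptions: the token endpoint URL, the shape of the client registration record, that the TLS terminator exposes the client certificate as DER bytes plus its subject DN, and that JWS signature verification is an injected callable `verify_jws` (a real deployment would put a JOSE library behind it); `make_unsigned_assertion` builds a constructed assertion with a placeholder signature for use with such a stand-in.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_ENDPOINT = "https://as.example/token"  # assumed token endpoint URL
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


class ClientAuthError(Exception):
    pass


def unverified_claims(jwt: str) -> dict:
    """Payload of a compact JWS read WITHOUT signature checking; only used to find the issuer."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ClientAuthError("malformed client assertion")
    return json.loads(b64url_decode(parts[1]))


class TokenEndpoint:
    """clients: client_id -> record with 'auth_method' and, for mTLS, 'cert_thumbprints'
    (self_signed_tls_client_auth) or 'subject_dn' (tls_client_auth). verify_jws(jwt, client)
    is assumed to verify the signature against the client's registered keys and return claims."""

    def __init__(self, clients, verify_jws, now=time.time):
        self.clients, self.verify_jws, self.now = clients, verify_jws, now
        self.seen_jti = set()  # accepted jti values, so a replayed assertion is refused
        self.issued = {}       # access token -> record including the cnf binding

    def authenticate(self, form, client_cert):
        # Method 1: private_key_jwt (OIDC Core section 9)
        if form.get("client_assertion_type") == CLIENT_ASSERTION_TYPE:
            return self._private_key_jwt(form.get("client_assertion", ""))
        # Method 2: tls_client_auth / self_signed_tls_client_auth (RFC 8705 section 2)
        if client_cert is not None and "client_id" in form:
            return self._mtls(form["client_id"], client_cert)
        raise ClientAuthError("no acceptable client authentication presented")

    def _private_key_jwt(self, assertion):
        client = self.clients.get(unverified_claims(assertion).get("iss"))
        if client is None or client["auth_method"] != "private_key_jwt":
            raise ClientAuthError("unknown client or not registered for private_key_jwt")
        claims = self.verify_jws(assertion, client)  # signature check happens here
        cid = client["client_id"]
        if claims.get("iss") != cid or claims.get("sub") != cid:
            raise ClientAuthError("iss and sub must both equal the client_id")
        aud = claims.get("aud")
        if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
            raise ClientAuthError("aud must identify this token endpoint")
        exp, jti = claims.get("exp"), claims.get("jti")
        if not isinstance(exp, (int, float)) or exp <= self.now():
            raise ClientAuthError("assertion expired or has no exp")
        if not jti or jti in self.seen_jti:
            raise ClientAuthError("assertion has no jti or was replayed")
        self.seen_jti.add(jti)
        return client

    def _mtls(self, client_id, client_cert):
        client = self.clients.get(client_id)
        if client is None:
            raise ClientAuthError("unknown client")
        if client["auth_method"] == "self_signed_tls_client_auth":
            if x5t_s256(client_cert["der"]) not in client["cert_thumbprints"]:
                raise ClientAuthError("presented certificate is not registered for this client")
        elif client["auth_method"] == "tls_client_auth":
            # PKI mode: chain validation is assumed done by the TLS terminator; match the subject.
            if client_cert["subject_dn"] != client["subject_dn"]:
                raise ClientAuthError("certificate subject does not match registration")
        else:
            raise ClientAuthError("client not registered for an mTLS authentication method")
        return client

    def issue(self, form, client_cert):
        client = self.authenticate(form, client_cert)
        # Sender-constraining is separate from client authentication: even a private_key_jwt
        # client must present a certificate on this request so the token can be bound to it.
        if client_cert is None:
            raise ClientAuthError("client certificate required for a certificate-bound token")
        token = b64url(secrets.token_bytes(32))
        self.issued[token] = {"client_id": client["client_id"],
                              "cnf": {"x5t#S256": x5t_s256(client_cert["der"])}}
        return token


def resource_server_accepts(issued, token, presented_cert):
    """RFC 8705 section 3 at the resource server: the caller must present the bound certificate."""
    record = issued.get(token)
    if record is None or presented_cert is None:
        return False
    return hmac.compare_digest(record["cnf"]["x5t#S256"], x5t_s256(presented_cert["der"]))


def make_unsigned_assertion(client_id, jti, exp):
    """Constructed input: compact JWS with a placeholder signature for a stand-in verify_jws."""
    header = b64url(json.dumps({"alg": "PS256", "kid": "demo"}).encode())
    payload = b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
                                 "jti": jti, "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"
```

The point the example makes is the one in the reply above: `authenticate` succeeds with exactly one of the two methods, while `issue` always records a `cnf.x5t#S256` binding and the resource server rejects the token when a different certificate (or none) is presented on the TLS connection. A Cloudflare-style proxy in front of the resource server therefore has to forward the client certificate (or its thumbprint) so that check can still be made at the origin.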
On Sat, Feb 27, 2021 at 8:07 AM Natalie Cuthbert <natalie at stitch.money>
wrote:

> Hi Edmund,
>
> Haven't been following a huge amount of the preceding discussions, so
> forgive me if this is a question asked out of ignorance, but what is the
> motivation behind requiring both private_key_jwt  AND mTLS in the advanced
> profile?
>
> The latter in particular would be particularly hard to implement for us
> due to our reliance on Cloudflare proxy for some of our security needs.
> Other companies that rely on middleware for additional security would
> probably face similar challenges.
>
> On Sat, Feb 27, 2021 at 1:52 AM Edmund Jay via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> Dear WG members,
>>
>> Attached are the Final preview #4 version of the rendered HTML of the FAPI
>> Security Profile 1.0 Parts 1 and 2 with all issues resolved.
>>
>> Your comments and feedback are much appreciated.
>>
>> Thank you.
>>
>> -- Edmund
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>
>