[Openid-specs-fapi] Issue #547: Make clear if there's items where we would expect ecosystems to make choices? (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue Oct 11 09:11:51 UTC 2022


New issue 547: Make clear if there's items where we would expect ecosystems to make choices?
https://bitbucket.org/openid/fapi/issues/547/make-clear-if-theres-items-where-we-would

Joseph Heenan:

I recently had a conversation with an ecosystem using FAPI1 (and issuing very long lived grants, i.e. years) about whether they mandated the use of refresh tokens.

The answer was that they felt such items were part of the security profile and hence up to the FAPI standard to define and they shouldn’t get involved, or at least not to the point of making ‘must’/‘shall’ level declarations.

It may be worth adding some text, perhaps in the introduction, to say something like FAPI is a general purpose spec, and there are further restrictions ecosystems targeting specific use cases may/should make?
