<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Amen.<div class=""><br class=""></div><div class="">We’re looking at using gluu:<div class=""><br class=""></div><div class=""><a href="https://gluu.org/docs/ce/3.1.3.1/" class="">https://gluu.org/docs/ce/3.1.3.1/</a></div><div class=""><br class=""></div><div class="">Seems to tick all our boxes… fully OpenID certified, open source, Java, containerised, with a scalable support model. Anyone have any views on this?</div><div class=""><br class=""></div><div class="">Best Regards</div><div class=""><span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);" class="">-- </span></div><div class=""><div class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div class="m_-2507129821098308568gmail_signature" data-smartmail="gmail_signature" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 
255, 255);"><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;" class=""><div style="color: rgb(80, 0, 80); font-family: arial, sans-serif; font-size: 12.8px;" class=""><b style="background-color: rgba(255, 255, 255, 0);" class="">Chas Coppard</b></div><div style="color: rgb(80, 0, 80); font-family: arial, sans-serif; font-size: 12.8px;" class=""><span style="background-color: rgba(255, 255, 255, 0);" class="">Co-Founder/CTO</span></div><div style="color: rgb(80, 0, 80); font-family: arial, sans-serif; font-size: 12.8px;" class=""><font color="#000000" style="background-color: rgba(255, 255, 255, 0);" class=""><a href="http://www.ducit.ai/" target="_blank" style="color: rgb(17, 85, 204); background-color: rgba(255, 255, 255, 0);" class="">www.ducit.ai</a></font></div></div></div></div></div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 27 Sep 2018, at 12:05, Joseph Heenan via Openid-specs-fapi &lt;<a href="mailto:openid-specs-fapi@lists.openid.net" class="">openid-specs-fapi@lists.openid.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">New issue 178: Editorial: Specs should explain the risks of writing an RP library from scratch<br class=""><a href="https://bitbucket.org/openid/fapi/issues/178/editorial-specs-should-explain-the-risks" class="">https://bitbucket.org/openid/fapi/issues/178/editorial-specs-should-explain-the-risks</a><br class=""><br class="">Joseph Heenan:<br class=""><br class="">We're seeing in the UK OpenBanking community that people are again and again writing their own RP libraries from scratch. This is obvious from the number of very basic openid connect questions that a significant number of TPPs have asked.<br class=""><br class="">I think to a lesser extent we also see this from the banks, at least one UK bank has created an AS from scratch, and another one has built on top of a product that doesn't support openid connect. (Thankfully the majority of banks used existing products that are already openid connect certified, and they were generally rewarded with much smoother rollouts.)<br class=""><br class="">I think it's a significant risk to the whole ecosystem. I'm pretty certain that every TPP that has created their own RP code will have a significant number of security issues. TPPs are also not usually running conformance tests.<br class=""><br class="">I think we should add to either the introduction or the security considerations (or both) some clear statements that these specs are not intended for people to follow to create clients from scratch, and that they are intended as a guide for people to use to create certified libraries, or something along those lines - and that there are definite risks associated with trying to roll your own openid client.<br class=""><br class="">We can also emphasise the openid foundation / google efforts to create certified client libraries for many languages.<br class=""><br class="">I think the OpenID Foundation should also be creating a separate list of FAPI-supporting RP libraries. (which wouldn't form part of the FAPI specs, but the specs could perhaps link to.)<br class=""><br class=""><br class="">_______________________________________________<br class="">Openid-specs-fapi mailing list<br class="">Openid-specs-fapi@lists.openid.net<br class="">http://lists.openid.net/mailman/listinfo/openid-specs-fapi<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>