<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Excellent points; we need to say
something about metadata and discovery.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I also found that not all clients
support the "infix"-type RFC8414 OAuth server discovery document
URLs (Issuer <a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a> → Metadata URL
<a class="moz-txt-link-freetext" href="https://example.com">https://example.com</a><b>/.well-known/oauth-authorization-server/</b>foo/bar)
and that the "postfix" style seems to be perceived as the default
(Issuer <a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a> → Metadata URL
<a class="moz-txt-link-freetext" href="https://example.com/foo/bar">https://example.com/foo/bar</a><b>/.well-known/oauth-authorization-server</b>),
although RFC8414 says otherwise.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If we want on-the-wire interop, we need
to give more guidance on this.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Does anybody have specific experience
with this from practice?<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">-Daniel<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 07.06.20 at 15:18, Stuart
Low wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D042EC60-1DC6-4310-925E-30159F0F249E@biza.io">
What about discovery documents? Are these in scope?
<div class=""><br class="">
</div>
<div class="">Wondering if we should be aligning to <a
href="https://tools.ietf.org/html/rfc8414" class=""
moz-do-not-send="true">https://tools.ietf.org/html/rfc8414</a> and
perhaps mandating Signed Metadata for Advanced?</div>
<div class=""><br class="">
</div>
<div class="">Stu<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 6 Jun 2020, at 7:40 pm, Ralph Bragg via
Openid-specs-fapi <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" style="caret-color: rgb(0, 0, 0);
font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<div data-ogsc="" class="">
<div dir="ltr" class="">Another quick one: in the
bottom section on Cryptography and Secrets in Baseline
there is mention of “symmetric credentials”
being permitted. But I couldn’t see anywhere in the
requirements for AS that they should be supported. </div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">If there’s a need, can it be
stated? (I’ll raise a ticket.) Additionally, for the
advanced profile this clause, if it’s still
required, should be asymmetric only, no?</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">Will raise a ticket on
advanced for that decision as well.</div>
<div class=""><br class="">
</div>
</div>
</div>
<hr tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" style="caret-color:
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;"
class=""><font style="font-size: 11pt;" class=""
face="Calibri, sans-serif"><b class="">From:</b><span
class="Apple-converted-space"> </span>Torsten
Lodderstedt <<a
href="mailto:torsten@lodderstedt.net" class=""
moz-do-not-send="true">torsten@lodderstedt.net</a>><br
class="">
<b class="">Sent:</b><span
class="Apple-converted-space"> </span>Saturday, June
6, 2020 10:09:22 AM<br class="">
<b class="">To:</b><span class="Apple-converted-space"> </span>Ralph
Bragg <<a href="mailto:ralph.bragg@raidiam.com"
class="" moz-do-not-send="true">ralph.bragg@raidiam.com</a>><br
class="">
<b class="">Cc:</b><span class="Apple-converted-space"> </span>Financial
API Working Group List <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
class="">
<b class="">Subject:</b><span
class="Apple-converted-space"> </span>Re:
[Openid-specs-fapi] FAPI 2 Advanced Profile /
Recommendations for signing resource
requests/responses</font>
<div class=""> </div>
</div>
<div dir="auto" style="caret-color: rgb(0, 0, 0);
font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">
<div dir="ltr" class="">I also suggest we document what
metadata values AS and client are supposed to use,
e.g. there will be the metadata parameter <span
style="color: rgb(33, 37, 41); font-family:
SFMono-Regular, Menlo, Monaco, Consolas,
"Liberation Mono", "Courier
New", monospace; font-size: 12.25px;" class="">require_pushed_authorization_requests </span>to
let the AS indicate it supports pushed authorization
requests only (<a
href="https://mailarchive.ietf.org/arch/msg/oauth/S76ODyZkHPSA6L69yyx08BuEP5M/"
style="color: blue; text-decoration: underline;"
class="" moz-do-not-send="true">https://mailarchive.ietf.org/arch/msg/oauth/S76ODyZkHPSA6L69yyx08BuEP5M/</a>).</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">A FAPI2 compliant AS must set
this value to true.</div>
<div dir="ltr" class=""><br class="">
<blockquote type="cite" class="">On 06.06.2020 at
10:55, Ralph Bragg <<a
href="mailto:ralph.bragg@raidiam.com" class=""
moz-do-not-send="true">ralph.bragg@raidiam.com</a>> wrote:<br
class="">
<br class="">
</blockquote>
</div>
<blockquote type="cite" class="">
<div dir="ltr" class="">
<div class="x_WordSection1">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span class="">Hi Daniel,</span></div>
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;"><span class=""> </span></p>
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span class="">In addition to Torsten’s
comments, and if we’re looking for backwards
compatibility, do we care or want to mandate
that the id_token from the front channel is
ONLY used for code binding? Sub is a mandatory
property of the id_token and as such required,
to prevent any leakage of any information
useful to a potential attacker should the sub
property explicitly be made pairwise or some
other value deliberately not related to the
resource owner / subject.</span></div>
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;"><span class=""> </span></p>
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span class="">Kind Regards,</span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span class="">Ralph</span></div>
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;"><span class=""> </span></p>
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;"><span class=""> </span></p>
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family: Calibri,
sans-serif;"><span class=""> </span></p>
<div style="border-style: solid none none;
border-top-width: 1pt; border-top-color:
rgb(181, 196, 223); padding: 3pt 0cm 0cm;"
class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><b class=""><span style="font-size:
12pt;" class="">From:<span
class="Apple-converted-space"> </span></span></b><span
style="font-size: 12pt;" class="">Openid-specs-fapi
<<a
href="mailto:openid-specs-fapi-bounces@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi-bounces@lists.openid.net</a>>
on behalf of Torsten Lodderstedt via
Openid-specs-fapi <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
class="">
<b class="">Reply to:<span
class="Apple-converted-space"> </span></b>Financial
API Working Group List <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
class="">
<b class="">Date:<span
class="Apple-converted-space"> </span></b>Saturday,
6 June 2020 at 09:36<br class="">
<b class="">To:<span
class="Apple-converted-space"> </span></b>Financial
API Working Group List <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>><br
class="">
<b class="">Cc:<span
class="Apple-converted-space"> </span></b>Torsten
Lodderstedt <<a
href="mailto:torsten@lodderstedt.net"
class="" moz-do-not-send="true">torsten@lodderstedt.net</a>><br
class="">
<b class="">Subject:<span
class="Apple-converted-space"> </span></b>Re:
[Openid-specs-fapi] FAPI 2 Advanced Profile
/ Recommendations for signing resource
requests/responses</span></div>
</div>
<div class="">
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family:
Calibri, sans-serif;"> </p>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class="">Hi Daniel,</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><br class="">
<br class="">
</div>
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt;" class="">
<p class="x_MsoNormal" style="margin: 0cm 0cm
12pt; font-size: 11pt; font-family: Calibri,
sans-serif;">On 05.06.2020 at 10:20,
Daniel Fett via Openid-specs-fapi <<a
href="mailto:openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">openid-specs-fapi@lists.openid.net</a>> wrote:</p>
</blockquote>
</div>
<blockquote style="margin-top: 5pt; margin-bottom:
5pt;" class="">
<div class="">
<p class="">Hi all,</p>
<p class="">I prepared a first (rough) draft
of the FAPI 2 Advanced profile and would
welcome your feedback:<a
href="https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced"
style="color: blue; text-decoration:
underline;" class=""
moz-do-not-send="true">https://bitbucket.org/openid/fapi/src/c28fc020e7ab9377d96501f2b4daa9a9da8f2128/FAPI_2_0_Advanced_Profile.md?at=danielfett%2Ffapi2%2Fadvanced</a></p>
</div>
</blockquote>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class="">thanks for preparing the draft!</div>
</div>
<div class="">
<p class="x_MsoNormal" style="margin: 0cm 0cm
0.0001pt; font-size: 11pt; font-family:
Calibri, sans-serif;"> </p>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class="">Here are my comments:</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class="">- <span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">[@I-D.lodderstedt-oauth-par] should
refer to the WG draft</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">- „ shall support at least one of
the following methods to sign the
authorization response:“</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">I think the AS must support at
least one mode for interoperability reasons.
I think this should be JARM and ID token may
be supported (for the purpose of this
profile) for backward compatibility reasons.</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">„</span><span style="font-size:
10.5pt; font-family: "Helvetica
Neue"; color: rgb(23, 43, 77);"
class="">OPEN QUESTION: how to handle
userinfo response type selection? OIDC core
says: depends on client registration“ I
think that's fine. We use the same
philosophy for all sorts of request and
response signing. It’s determined by client
registration parameters + general deployment
metadata (what is generally
supported/expected).</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77);" class="">- „<span
style="background-color: white;
background-position: initial initial;
background-repeat: initial initial;"
class="">The FAPI 2.0 endpoints are OAuth
2.0 protected resource endpoints that
return protected information for the
resource owner associated with the
submitted access token.“ - RSs also
initiate actions (e.g. payments); that’s one
important reason for requiring
non-repudiation. I suggest adding
something like „.... that perform
sensitive actions and return protected
information for the resource owner ...“</span></span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class=""><br class="">
<br class="">
</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">best regards,</span></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
11pt; font-family: Calibri, sans-serif;"
class=""><span style="font-size: 10.5pt;
font-family: "Helvetica Neue";
color: rgb(23, 43, 77); background-color:
white; background-position: initial initial;
background-repeat: initial initial;"
class="">Torsten.</span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom:
5pt;" class="">
<div class="">
<p class="">One open question is whether we
can give recommendations regarding resource
request and response signing. We currently
have<span class="Apple-converted-space"> </span><a
href="https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md"
style="color: blue; text-decoration:
underline;" class=""
moz-do-not-send="true">https://bitbucket.org/openid/fapi/src/master/Financial_API_HTTP_Signing.md</a><span
class="Apple-converted-space"> </span>which
lists "typical requirements" but does not
give concrete advice.</p>
<p class="">ETSI is developing JAdES and
there is some work ongoing in the IETF HTTP
group as well.</p>
<p class="">What are other options that we
should take a look at?</p>
<p class="">-Daniel</p>
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 11pt; font-family: Calibri,
sans-serif;" class="">_______________________________________________<br
class="">
Openid-specs-fapi mailing list<br class="">
<a
href="mailto:Openid-specs-fapi@lists.openid.net"
class="" moz-do-not-send="true">Openid-specs-fapi@lists.openid.net</a><br
class="">
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<p><br>
</p>
</body>
</html>