<div dir="ltr">Sorry for not coming back earlier. <div>I have prepared a folder for this purpose. </div><div><a href="https://bitbucket.org/openid/fapi/src/master/sg_hml/">https://bitbucket.org/openid/fapi/src/master/sg_hml/</a><br></div><div><br></div><div>Hopefully, you can start using it. </div><div><br></div><div>Best, </div><div><br></div><div>Nat</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 11, 2021 at 12:50 AM Travis Spencer via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thank you all for the discussion today on the meeting. I really<br>
appreciated your time and inputs.<br>
<br>
Here's a nicer formatted version of the preso:<br>
<a href="https://travisspencer.com/articles/fapi-wg-preso/" rel="noreferrer" target="_blank">https://travisspencer.com/articles/fapi-wg-preso/</a> It includes a small<br>
change to the last slide about next steps.<br>
<br>
Nat, you said I had the action item of creating the subgroup within<br>
FAPI to start drafting a doc (or two or three). Can you help me with<br>
the particulars of that?<br>
<br>
On Tue, Feb 9, 2021 at 5:24 PM Travis Spencer <<a href="mailto:travis@curity.io" target="_blank">travis@curity.io</a>> wrote:<br>
><br>
> In the summer, I emailed the list about working on a new protocol that<br>
> would facilitate strong login without requiring a browser[1]. Since<br>
> then, I've been talking with Mike Schwartz, Nat, and others about<br>
> this. To move this conversation forward, I would like to talk through<br>
> the following presentation[2] on tomorrow's Atlantic call. Please have<br>
> a look beforehand if you have a moment.<br>
><br>
> Talk to you all tomorrow.<br>
><br>
> [1] <a href="https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html" rel="noreferrer" target="_blank">https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html</a><br>
> [2] It's in Asciidoc format in case the syntax isn't familiar<br>
><br>
> = Hypermedia Authentication API<br>
><br>
> == Agenda<br>
><br>
> * Requirements<br>
> * Brief overview of solution<br>
> * More info<br>
><br>
> [small]#Slide 1#<br>
><br>
> == Our Customers' Demands<br>
><br>
> * Non-browser-based login and authorization<br>
> * Integration between OP and RP on different domains without cookies<br>
> * As secure as browser-based solution (or more so)<br>
> * Existing deployments keep working as-is<br>
><br>
> [small]#Slide 2#<br>
><br>
> == OpenID Connect is a Hypermedia API<br>
><br>
> * All Websites are hypermedia (i.e., REST) APIs, ∴ OpenID Connect is a<br>
> hypermedia API<br>
> * Simplify non-browser-based login and consent by:<br>
> [arabic]<br>
> .. Replace HTML hypermedia representation with JSON<br>
> .. Attest to the client's provenance<br>
><br>
> [small]#Slide 3#<br>
><br>
> == App Provenance<br>
><br>
> * Provenance == origin (i.e., provider) of RP<br>
> * Traditionally verified by control of redirect URI<br>
> * Provenance verification happens at flow's end<br>
> * Deep linking required on mobile (PKCE isn't enough)<br>
> * New tools available to ascertain origin on modern mobile devices<br>
><br>
> [small]#Slide 4#<br>
><br>
> == Proving Provenance<br>
><br>
> * Modern mobile devices have Hardware Security Modules (HSM) built-in<br>
> * Can be used to sign a challenge<br>
> * Verifiable up to trusted root<br>
> * DPoP allows all login API calls to be tied to attested RP<br>
> * Establishes provenance prior to or instead of redirection<br>
><br>
> [small]#Slide 5#<br>
><br>
> == Flow Used to Prove Provenance<br>
><br>
> [ditaa]<br>
> ....<br>
>                                                         Get<br>
>                                                +-(A)-Challenge----+       Authorization<br>
>                                                |                  |          Server<br>
>                                                v                  |   +-------------------+<br>
> +---------------+   (B) Request   +------------+---+              v   | +---------------+ |<br>
> |               +<--attestation---+                +------(D)---->o-----|  CAT endpoint | |<br>
> |  Attestation  |                 |  OAuth Client  |  Attestation |   | +---------------+ |<br>
> |    System     |                 |  Application   |              |   |                   |<br>
> |               +-------(C)------>+                +<--(E)-CAT----+   |                   |<br>
> +---------------+   Attestation   +---+----+---+---+                  |                   |<br>
>                                       |    ^   |                      | +---------------+ |<br>
>                                       |    |   +---(F)-CAT------>o------|Token endpoint | |<br>
>                                       |    |                     |    | +---------------+ |<br>
>                                       |    +-(G)-AAT-------------+    |                   |<br>
>                                       |                               | +---------------+ |<br>
>                                       +----(H)-AAT--------------->o------|Login endpoints| |<br>
>                                                                       | +---------------+ |<br>
>                                                                       +-------------------+<br>
> ....<br>
><br>
> * CAT is sent to token endpoint using client assertion framework<br>
> * API calls to login API are protected with sender-constrained access token<br>
><br>
> [small]#Slide 6#<br>
><br>
> == Adapting to First- or Third-party Provenance<br>
><br>
> * Provenance establishes whether RP is from first- or third-party provider<br>
> * OP can adapt login methods based on this<br>
> * Hypermedia allows support for any kind of credential (incl. short-lived ones)<br>
> ** First-party: End user can provide all factors (same as OP in system browser)<br>
> ** Third-party: End user cannot provide all factors, consent may be<br>
> verified out of band<br>
><br>
> [small]#Slide 7#<br>
><br>
> == More Info<br>
><br>
> * Very short summary<br>
> * See <a href="https://travisspencer.com/articles/hypermedia-api-resources/" rel="noreferrer" target="_blank">https://travisspencer.com/articles/hypermedia-api-resources/</a>[my<br>
> website] for an ever-growing list of resources<br>
><br>
> [small]#Slide 8#<br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Nat Sakimura<div>NAT.Consulting LLC</div></div></div>
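
The provenance flow sketched in the quoted slide 6, steps (A) through (H), worked as a runnable simulation. This is an added example, not code from this thread or from the proposal Travis describes: the endpoint names, the claim names (typ, sub, cnf, provenance, htu, jti), the 60-second lifetimes, the app identifiers and the use of textbook RSA over Mersenne primes as a stand-in for the device's hardware-backed attestation key are all assumptions. It shows what each party has to check for the flow to hold: the CAT endpoint accepts an attestation only from a trusted root and only over a fresh, one-time challenge; the token endpoint accepts the CAT as a client assertion only together with a DPoP-style proof from the key the CAT is bound to; the login endpoint enforces the same sender constraint and, as slide 7 describes, offers different login methods to first- and third-party provenance.

```python
import hashlib
import json
import secrets
import time

def thumbprint(n, e):
    """Key id derived from the public part (plays the role of a DPoP jkt thumbprint)."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def _digest(payload, n):
    # SHA-256 of the canonical JSON payload, reduced into the RSA modulus
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

class RsaKey:
    """Toy textbook RSA over Mersenne primes 2**p-1 and 2**q-1; illustration only (assumption)."""
    def __init__(self, p_exp, q_exp):
        p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))
        self.kid = thumbprint(self.n, self.e)

    def public(self):
        return {"n": self.n, "e": self.e}

    def sign(self, payload):
        return {"payload": payload, "kid": self.kid, "sig": pow(_digest(payload, self.n), self.d, self.n)}

def verify(pub, token):
    """Return the payload if token was signed by the private half of pub, else None."""
    if pub is None or token is None or token["kid"] != thumbprint(pub["n"], pub["e"]):
        return None
    ok = pow(token["sig"], pub["e"], pub["n"]) == _digest(token["payload"], pub["n"])
    return token["payload"] if ok else None

def attest(hsm_key, challenge, app_id, client_jkt):                      # (B) in, (C) out
    """Stand-in for the device HSM: signs the challenge, the app identity and the app's key id."""
    return hsm_key.sign({"challenge": challenge, "app_id": app_id, "cnf": client_jkt})

class AuthorizationServer:
    def __init__(self, trusted_roots, first_party_apps):
        self.key = RsaKey(107, 127)
        self.roots = {thumbprint(r["n"], r["e"]): r for r in trusted_roots}  # attestation roots we trust
        self.first_party = set(first_party_apps)
        self.challenges = {}                                              # one-time nonce -> expiry
        self.seen_jti = set()

    def get_challenge(self):                                              # (A)
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = time.time() + 60
        return nonce

    def cat_endpoint(self, attestation):                                  # (D) in, (E) out
        claims = verify(self.roots.get(attestation["kid"]), attestation)
        if claims is None or self.challenges.pop(claims["challenge"], 0) < time.time():
            return None  # untrusted root, bad signature, or unknown/expired/reused challenge
        prov = "first" if claims["app_id"] in self.first_party else "third"
        return self.key.sign({"typ": "CAT", "sub": claims["app_id"], "cnf": claims["cnf"], "provenance": prov})

    def token_endpoint(self, client_assertion, proof, client_pub):        # (F) in, (G) out
        cat = verify(self.key.public(), client_assertion)
        if cat is None or cat["typ"] != "CAT" or not self._dpop_ok(proof, client_pub, cat["cnf"], "/token"):
            return None
        return self.key.sign({"typ": "AAT", "sub": cat["sub"], "cnf": cat["cnf"], "provenance": cat["provenance"]})

    def login_endpoint(self, aat, proof, client_pub):                     # (H)
        claims = verify(self.key.public(), aat)
        if claims is None or claims["typ"] != "AAT" or not self._dpop_ok(proof, client_pub, claims["cnf"], "/login"):
            return None
        if claims["provenance"] == "first":      # first-party app: all factors can be collected in-app
            return {"methods": ["password", "otp", "biometric"], "consent": "in-app"}
        return {"methods": ["password"], "consent": "out-of-band"}

    def _dpop_ok(self, proof, client_pub, cnf, htu):
        """Sender constraint: proof signed by the key the token is bound to, fresh and not replayed."""
        p = verify(client_pub, proof)
        if p is None or thumbprint(client_pub["n"], client_pub["e"]) != cnf or p["htu"] != htu:
            return False
        if abs(time.time() - p["iat"]) > 60 or p["jti"] in self.seen_jti:
            return False
        self.seen_jti.add(p["jti"])
        return True

def dpop_proof(client_key, htu):
    return client_key.sign({"htu": htu, "iat": time.time(), "jti": secrets.token_hex(8)})

def run_flow(app_id="com.example.bank", first_party=("com.example.bank",)):
    """Steps (A)-(H); returns the login methods the OP offers, or None if any step rejects."""
    hsm_key, client_key = RsaKey(61, 89), RsaKey(521, 607)   # device attestation key, app DPoP key
    op = AuthorizationServer([hsm_key.public()], first_party)
    attestation = attest(hsm_key, op.get_challenge(), app_id, client_key.kid)          # (A)-(C)
    cat = op.cat_endpoint(attestation)                                                 # (D)-(E)
    aat = op.token_endpoint(cat, dpop_proof(client_key, "/token"), client_key.public())   # (F)-(G)
    return op.login_endpoint(aat, dpop_proof(client_key, "/login"), client_key.public())  # (H)

def replayed_attestation_rejected():
    # The challenge is one-time, so presenting the same attestation twice fails at (D)
    hsm_key, client_key = RsaKey(61, 89), RsaKey(521, 607)
    op = AuthorizationServer([hsm_key.public()], [])
    att = attest(hsm_key, op.get_challenge(), "com.other.app", client_key.kid)
    return op.cat_endpoint(att) is not None and op.cat_endpoint(att) is None
```

run_flow() returns the first-party method set, run_flow(app_id="com.other.app") the third-party one, and replayed_attestation_rejected() shows the challenge being consumed on first use. The RSA stand-in has no padding and fixed primes; it exists only so that every verifier holds public keys and never the attesting device's or the app's private key, which is the property that makes the attestation verifiable up to a trusted root rather than a shared secret.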