#fapi

10 años de FAPI y 40 años de Democracia. Folklore y Arte Popular por la Identidad Sábado 11 de noviembre a partir de las 18 h en Sánchez de Loria 443. Feria de artesanos, artistas invitados y cierre con Sudor Marika.  Hace ya una década que el Departamento de Folklore de la Universidad Nacional de las Artes junto con Abuelas de Plaza de Mayo, las Madres de Plaza de Mayo Línea Fundadora y la…

code id_token で fragment

The main modifications related to the new security profile (private_key + PAR) are:

Mandatory of encryption of id_token;

Mandatory of use of the Proof Key for Code Exchange (PKCE);

Removal of CPF claims and CNPJ;

Prohibition of registration rotation_access_token in DCR/DCM;

Restriction of response_type for only "code id_token";

Restriction of the response_mode to only "fragment";

Restriction of subject_type to only "public ".

Action initiation in the CDR

How it should be: The x-fapi-interaction-ID must be generated and sent by the receiver (client) and its value must be "reproduced" by the transmitter (server) in the response header

Telco系特有の話いろいろ

Please see comments/queries in the attached from Optus.

Decision.Proposal.275.-.Holistic.Feedback.Telco.Standards with feedback.pdf

Thanks for your feedback. I have summarised your comments from the PDF in the points below.

Product Types. Please refer response

Decision Proposal 275 - Holistic Feedback on Telco Standards #275 (comment)

Network Sub Types. Please refer

Decision Proposal 275 - Holistic Feedback on Telco Standards #275 (comment)

Service ID's

Decision Proposal 275 - Holistic Feedback on Telco Standards #275 (comment)

Payment Schedules. Noted. For adhoc payments for pre paid services. The payment would be captured under account transactions. For prepaid services where there are scheduled topup payments or triggered payment events such as a balance thresholds these may be able to be captured as payments in the paymentScheduleUType. Further feedback would be helpful.

Concessions. Correct at Federal and state level. Will look to provide more specific examples. Can you provide details on the RSP discount your referring too? Please also refer

Decision Proposal 275 - Holistic Feedback on Telco Standards #275 (comment)

Endpoints. Thanks. Telco endpoints are intended to be specific to Telco, with commonality across the CDR a design principle as documented in the noting paper. Banking endpoints differ significantly from Telco. We have been through a 3 month consultation on the Telco Endpoints. Please refer 256. 262, 263, 264, 265, 266

Customer Data. Wrt Customer Data are you able to detail anything specific to telco in describing any customer data that is not covered in DP 257

Balance and Usage: Please refer DP266

Incentives and Discounts: This refers to product data payloads. Please refer DP 262

Minimum and Maximum Values. These refer to min and max charges on a plan. https://consumerdatastandardsaustralia.github.io/standards/#get-telco-account-detail

Rebates. Rebates have been considered a "type" of concession. Please confirm if this is not correct.  https://consumerdatastandardsaustralia.github.io/standards/#tocStelcoconcession

Authorised Contacts: Noted

paymentStatus is described as "Indicator of the payment status for the invoice" which is either PAID, PARTIALLY_PAID or NOT PAID. Please provide more clarity to the question if this is unclear https://consumerdatastandardsaustralia.github.io/standards/#tocStelcoinvoice

Other charges. They are optional. You are correct that further descriptions of the ENUM values would be helpful. They were intended to be indicative to guide consumers on charges that were not part of their plan.

Transaction Type. Other as the transaction type is to identify other types of charges such as a service call out and once off charges. This is indicative, welcome to feedback on an indicate list of types

Vouchers. Noted

Account level vs. Service Level  Usage. Conditionality is included in the proposal. Please refer DP266 for supported, unlimited, limited and unsupported features

フローによってIDトークンを暗号化したかったりしたくなかったり

ID Token encryption only applies to the OIDC Hybrid Flow. If the ADR is registered for both Hybrid Flow and Authorization Code Flow, the ID Token encryption algorithms shall apply to Hybrid Flow but be ignored for ACF.

If the ADR is registered for both Hybrid Flow and ACF, the ID token encryption attributes become mandatory in the DCR JWT sent to DH for registration. This will encrypt the id_token in both the flow as the id_token encryption values will be added under the registered client in DH. Is there a necessity for ADR to register with both Hybrid and ACF. Can the ADR be restricted to register with only one type for flow?

+1 to 60 seconds. It is in line with the timeout defaults of many HTTP libraries, which are often between 15 and 60 seconds.

cf. https://bitbucket.org/openid/fapi/issues/526/decide-on-b-access-token-injection-with-id “The attacker A5 required for this attack is not applicable when we trust that metadata is used and correct, as is now mandated by FAPI2.”

the FAPI 2.0 Security Profile mandates that the token endpoint address is obtained from an authoritative source and via a protected channel, i.e., through OAuth Metadata obtained from the honest AS