| draft-ietf-regext-rdap-openid-00.txt | draft-ietf-regext-rdap-openid-01.txt | |||
|---|---|---|---|---|
| REGEXT Working Group S. Hollenbeck | REGEXT Working Group S. Hollenbeck | |||
| Internet-Draft Verisign Labs | Internet-Draft Verisign Labs | |||
| Intended status: Standards Track February 1, 2019 | Intended status: Standards Track May 28, 2019 | |||
| Expires: August 5, 2019 | Expires: November 29, 2019 | |||
| Federated Authentication for the Registration Data Access Protocol | Federated Authentication for the Registration Data Access Protocol | |||
| (RDAP) using OpenID Connect | (RDAP) using OpenID Connect | |||
| draft-ietf-regext-rdap-openid-00 | draft-ietf-regext-rdap-openid-01 | |||
| Abstract | Abstract | |||
| The Registration Data Access Protocol (RDAP) provides "RESTful" web | The Registration Data Access Protocol (RDAP) provides "RESTful" web | |||
| services to retrieve registration metadata from domain name and | services to retrieve registration metadata from domain name and | |||
| regional internet registries. RDAP allows a server to make access | regional internet registries. RDAP allows a server to make access | |||
| control decisions based on client identity, and as such it includes | control decisions based on client identity, and as such it includes | |||
| support for client identification features provided by the Hypertext | support for client identification features provided by the Hypertext | |||
| Transfer Protocol (HTTP). Identification methods that require | Transfer Protocol (HTTP). Identification methods that require | |||
| clients to obtain and manage credentials from every RDAP server | clients to obtain and manage credentials from every RDAP server | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 5, 2019. | This Internet-Draft will expire on November 29, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 11, line 29 ¶ | skipping to change at page 11, line 29 ¶ | |||
| identifier associated with an unsupported OP with an HTTP 501 (Not | identifier associated with an unsupported OP with an HTTP 501 (Not | |||
| Implemented) response. An RDAP server that receives a query | Implemented) response. An RDAP server that receives a query | |||
| containing an identifier associated with a recognized OP MUST perform | containing an identifier associated with a recognized OP MUST perform | |||
| the steps required to authenticate the user with the OP using a | the steps required to authenticate the user with the OP using a | |||
| browser or browser-like client and return encoded tokens to the | browser or browser-like client and return encoded tokens to the | |||
| client. Note that tokens are typically valid for a limited period of | client. Note that tokens are typically valid for a limited period of | |||
| time and new tokens will be required when an existing token's | time and new tokens will be required when an existing token's | |||
| validity period has expired. | validity period has expired. | |||
| The tokens can then be passed to the server for use with an RDAP | The tokens can then be passed to the server for use with an RDAP | |||
| query using a query parameter with key values of "id_token" and | query by passing the encoded Access Token as a query parameter with a | |||
| "access_token" and values that represent the encoded tokens. An | key value of "access_token" and the encoded ID Token in an HTTP | |||
| example (the encoded tokens have been abbreviated and the URI split | Bearer authorization header [RFC6750]. An example (the encoded | |||
| across multiple lines for clarity): | tokens have been abbreviated and the URI split across multiple lines | |||
| for clarity): | ||||
| https://example.com/rdap/domain/example.com | https://example.com/rdap/domain/example.com?access_token=eyJ0...NiJ9 | |||
| ?id_token=eyJ0...EjXk | ||||
| &access_token=eyJ0...NiJ9 | Authorization: Bearer eyJ0...EjXk | |||
| The response to an authenticated query MUST use the response | The response to an authenticated query MUST use the response | |||
| structures specified in RFC 7483 [RFC7483]. Information that the | structures specified in RFC 7483 [RFC7483]. Information that the | |||
| end-user is not authorized to receive MUST be omitted from the | end-user is not authorized to receive MUST be omitted from the | |||
| response. | response. | |||
| 4.3. Token Refresh and Revocation | 4.3. Token Refresh and Revocation | |||
| An access token can be refreshed as described in Section 12 of the | An access token can be refreshed as described in Section 12 of the | |||
| OpenID Connect Core protocol [OIDCC] and Section 6 of OAuth 2.0 | OpenID Connect Core protocol [OIDCC] and Section 6 of OAuth 2.0 | |||
| skipping to change at page 22, line 44 ¶ | skipping to change at page 22, line 44 ¶ | |||
| Swapneel Sheth, Nitin Singh, and Zhao Zhao provided critical "proof | Swapneel Sheth, Nitin Singh, and Zhao Zhao provided critical "proof | |||
| of concept" implementation experience that helped demonstrate the | of concept" implementation experience that helped demonstrate the | |||
| validity of the concepts described in this document. | validity of the concepts described in this document. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-oauth-device-flow] | [I-D.ietf-oauth-device-flow] | |||
| Denniss, W., Bradley, J., Jones, M., and H. Tschofenig, | Denniss, W., Bradley, J., Jones, M., and H. Tschofenig, | |||
| "OAuth 2.0 Device Flow for Browserless and Input | "OAuth 2.0 Device Authorization Grant", draft-ietf-oauth- | |||
| Constrained Devices", draft-ietf-oauth-device-flow-14 | device-flow-15 (work in progress), March 2019. | |||
| (work in progress), January 2019. | ||||
| [I-D.ietf-oauth-token-exchange] | [I-D.ietf-oauth-token-exchange] | |||
| Jones, M., Nadalin, A., Campbell, B., Bradley, J., and C. | Jones, M., Nadalin, A., Campbell, B., Bradley, J., and C. | |||
| Mortimore, "OAuth 2.0 Token Exchange", draft-ietf-oauth- | Mortimore, "OAuth 2.0 Token Exchange", draft-ietf-oauth- | |||
| token-exchange-16 (work in progress), October 2018. | token-exchange-16 (work in progress), October 2018. | |||
| [OIDC] OpenID Foundation, "OpenID Connect", | [OIDC] OpenID Foundation, "OpenID Connect", | |||
| <http://openid.net/connect/>. | <http://openid.net/connect/>. | |||
| [OIDCC] OpenID Foundation, "OpenID Connect Core incorporating | [OIDCC] OpenID Foundation, "OpenID Connect Core incorporating | |||
| skipping to change at page 25, line 23 ¶ | skipping to change at page 25, line 23 ¶ | |||
| 06jun14-en.pdf | 06jun14-en.pdf | |||
| [2] http://curl.haxx.se/ | [2] http://curl.haxx.se/ | |||
| [3] https://www.gnu.org/software/wget/ | [3] https://www.gnu.org/software/wget/ | |||
| Appendix A. Change Log | Appendix A. Change Log | |||
| 00: Initial working group version ported from draft-hollenbeck- | 00: Initial working group version ported from draft-hollenbeck- | |||
| regext-rdap-openid-10. | regext-rdap-openid-10. | |||
| 01: Modified ID Token delivery approach to note proper use of an | ||||
| HTTP bearer authorization header. | ||||
| Author's Address | Author's Address | |||
| Scott Hollenbeck | Scott Hollenbeck | |||
| Verisign Labs | Verisign Labs | |||
| 12061 Bluemont Way | 12061 Bluemont Way | |||
| Reston, VA 20190 | Reston, VA 20190 | |||
| USA | USA | |||
| Email: shollenbeck@verisign.com | Email: shollenbeck@verisign.com | |||
| End of changes. 7 change blocks. | ||||
| 14 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||