Diff: draft-ietf-regext-rdap-openid-03.txt | draft-ietf-regext-rdap-openid-04.txt

(Text common to both versions is shown once; where the versions differ,
the -03 and -04 text is shown on separate lines.)

REGEXT Working Group                                        S. Hollenbeck
Internet-Draft                                              Verisign Labs
Intended status: Standards Track
   -03: August 19, 2019
   -04: January 16, 2020
Expires:
   -03: February 20, 2020
   -04: July 19, 2020

   Federated Authentication for the Registration Data Access Protocol
                       (RDAP) using OpenID Connect
   -03: draft-ietf-regext-rdap-openid-03
   -04: draft-ietf-regext-rdap-openid-04
Abstract

   The Registration Data Access Protocol (RDAP) provides "RESTful" web
   services to retrieve registration metadata from domain name and
   regional internet registries.  RDAP allows a server to make access
   control decisions based on client identity, and as such it includes
   support for client identification features provided by the Hypertext
   Transfer Protocol (HTTP).  Identification methods that require
   clients to obtain and manage credentials from every RDAP server

   [skipping to change at page 1, line 42]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -03: This Internet-Draft will expire on February 20, 2020.
   -04: This Internet-Draft will expire on July 19, 2020.

Copyright Notice

   -03: Copyright (c) 2019 IETF Trust and the persons identified as the
        document authors.  All rights reserved.
   -04: Copyright (c) 2020 IETF Trust and the persons identified as the
        document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   [skipping to change at page 14, line 29]
4.4.  Token Exchange

   ID tokens include an audience parameter that contains the OAuth 2.0
   client_id of the RP as an audience value.  In some operational
   scenarios (such as a client that is providing a proxy service), an RP
   can receive tokens with an audience value that does not include the
   RP's client_id.  These tokens might not be trusted by the RP, and the
   RP might refuse to accept the tokens.  This situation can be remedied
   by having the RP exchange these tokens with the OP for a set of
   trusted tokens that reset the audience parameter.  This token
   exchange protocol is described in
   -03: RFC TBD [I-D.ietf-oauth-token-exchange].
   -04: RFC 8693 [RFC8693].
4.5.  Parameter Processing

   Unrecognized query parameters MUST be ignored.  An RDAP request that
   does not include an "id" query component MUST be processed as an
   unauthenticated query.  An RDAP server that processes an
   authenticated query MUST determine if the identifier is associated
   with an OP that is recognized and supported by the server.  Servers
   MUST reject queries that include an identifier associated with an
   unsupported OP with an HTTP 501 (Not Implemented) response.  An RDAP

   [skipping to change at page 17, line 20]
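Review bot: in Section 4.4 above, replacing "RFC TBD [I-D.ietf-oauth-token-exchange]" with "RFC 8693 [RFC8693]" resolves the placeholder, but the paragraph still does not say what the RP does with the tokens it receives from the exchange: after the OP "reset[s] the audience parameter", the RP should validate the returned tokens exactly as it validates tokens whose audience already matched its client_id, and a sentence saying so would stop a proxy deployment from treating any exchanged token as trusted by construction. Minor terminology point: OpenID Connect Core [OIDCC] names this the "aud" claim, so "aud claim" would be more precise than "audience parameter".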
   wish to continue a session without explicitly re-authenticating an
   end user.  See Section 4.3 for more information.

6.  IANA Considerations

6.1.  RDAP Extensions Registry

   IANA is requested to register the following value in the RDAP
   Extensions Registry:

   Extension identifier:
      -03: rdap_openidc
      -04: rdap_openidc_level_0
   Registry operator: Any
   Published specification: This document.
   Contact: IESG <iesg@ietf.org>
   Intended usage:
      -03: This extension includes response information required for
           federated authentication using OpenID Connect.
      -04: This extension describes a federated authentication method
           for RDAP using OAuth 2.0 and OpenID Connect.
6.2.  JSON Web Token Claims Registry

   IANA is requested to register the following values in the JSON Web
   Token Claims Registry:

   Claim Name: "purpose"
   Claim Description: This claim describes the stated purpose for
      submitting a request to access a protected RDAP resource.
   Change Controller: IESG

   [skipping to change at page 22, line 42]
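Review bot: Section 6.1 changes the registered extension identifier from "rdap_openidc" to "rdap_openidc_level_0", and the only other change blocks in this diff are the reference list and the change log, so check that every other place the draft names the identifier (for example, any example responses that list supported extensions) was updated to the same string; a registered value that differs from the one servers actually emit would leave clients unable to recognize the extension. The rewritten "Intended usage" text reads better: it describes the authentication method itself rather than "response information".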
   Vesely.  In addition, the Verisign Registry Services Lab development
   team of Joseph Harvey, Andrew Kaizer, Sai Mogali, Anurag Saxena,
   Swapneel Sheth, Nitin Singh, and Zhao Zhao provided critical "proof
   of concept" implementation experience that helped demonstrate the
   validity of the concepts described in this document.

10.  References

10.1.  Normative References
   [I-D.ietf-oauth-token-exchange]  (-03 only)
              Jones, M., Nadalin, A., Campbell, B., Bradley, J., and C.
              Mortimore, "OAuth 2.0 Token Exchange",
              draft-ietf-oauth-token-exchange-19 (work in progress),
              July 2019.

   [OIDC]     OpenID Foundation, "OpenID Connect",
              <http://openid.net/connect/>.

   [OIDCC]    OpenID Foundation, "OpenID Connect Core incorporating
              errata set 1", November 2014,
              <http://openid.net/specs/openid-connect-core-1_0.html>.

   [OIDCD]    OpenID Foundation, "OpenID Connect Discovery 1.0
              incorporating errata set 1", November 2014,
              <http://openid.net/specs/openid-connect-discovery-1_0.html>.

   [OIDCR]    OpenID Foundation, "OpenID Connect Dynamic Client
              Registration 1.0 incorporating errata set 1", November
              2014,
              <http://openid.net/specs/openid-connect-registration-1_0.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [skipping to change at page 24, line 42 (-03) / page 24, line 37 (-04)]

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8628]  Denniss, W., Bradley, J., Jones, M., and H. Tschofenig,
              "OAuth 2.0 Device Authorization Grant", RFC 8628,
              DOI 10.17487/RFC8628, August 2019,
              <https://www.rfc-editor.org/info/rfc8628>.

   [RFC8693]  (-04 only)
              Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J.,
              and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693,
              DOI 10.17487/RFC8693, January 2020,
              <https://www.rfc-editor.org/info/rfc8693>.
10.2.  Informative References

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

   [skipping to change at page 25, line 25]
   00:  Initial working group version ported from
        draft-hollenbeck-regext-rdap-openid-10.

   01:  Modified ID Token delivery approach to note proper use of an
        HTTP bearer authorization header.

   02:  Modified token delivery approach (access token is the bearer
        token) to note proper use of an HTTP bearer authorization header,
        fixing the change made in -01.

   03:  Updated OAuth 2.0 Device Authorization Grant description and
        reference due to publication of RFC 8628.

   04:  (-04 only) Updated OAuth 2.0 token exchange description and
        reference due to publication of RFC 8693.  Corrected the RDAP
        conformance identifier to be registered with IANA.
Author's Address

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA 20190
   USA

   Email: shollenbeck@verisign.com
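Review bot: the new "04" change log entry says the RDAP conformance identifier was "corrected" but not what it was changed from or to; naming both values (rdap_openidc became rdap_openidc_level_0, per Section 6.1) would tell implementers of -03 that the string they emit must change, which a bare "corrected" does not signal.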
End of changes.  12 change blocks.  19 lines changed or deleted, 21 lines changed or added.

This diff was produced by rfcdiff 1.47 (http://tools.ietf.org/tools/rfcdiff/).