--- 1/draft-ietf-regext-rdap-openid-03.txt 2020-01-16 05:13:19.349997862 -0800 +++ 2/draft-ietf-regext-rdap-openid-04.txt 2020-01-16 05:13:19.405999288 -0800 @@ -1,19 +1,19 @@ REGEXT Working Group S. Hollenbeck Internet-Draft Verisign Labs -Intended status: Standards Track August 19, 2019 -Expires: February 20, 2020 +Intended status: Standards Track January 16, 2020 +Expires: July 19, 2020 Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect - draft-ietf-regext-rdap-openid-03 + draft-ietf-regext-rdap-openid-04 Abstract The Registration Data Access Protocol (RDAP) provides "RESTful" web services to retrieve registration metadata from domain name and regional internet registries. RDAP allows a server to make access control decisions based on client identity, and as such it includes support for client identification features provided by the Hypertext Transfer Protocol (HTTP). Identification methods that require clients to obtain and manage credentials from every RDAP server 
@@ -31,25 +31,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on February 20, 2020. + This Internet-Draft will expire on July 19, 2020. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -632,22 +632,21 @@ 4.4. Token Exchange ID tokens include an audience parameter that contains the OAuth 2.0 client_id of the RP as an audience value. In some operational scenarios (such as a client that is providing a proxy service), an RP can receive tokens with an audience value that does not include the RP's client_id. These tokens might not be trusted by the RP, and the RP might refuse to accept the tokens. This situation can be remedied by having the RP exchange these tokens with the OP for a set of trusted tokens that reset the audience parameter. This token - exchange protocol is described in RFC TBD - [I-D.ietf-oauth-token-exchange]. + exchange protocol is described in RFC 8693 [RFC8693]. 4.5. Parameter Processing Unrecognized query parameters MUST be ignored. An RDAP request that does not include an "id" query component MUST be processed as an unauthenticated query. An RDAP server that processes an authenticated query MUST determine if the identifier is associated with an OP that is recognized and supported by the server. Servers MUST reject queries that include an identifier associated with an unsupported OP with an HTTP 501 (Not Implemented) response. An RDAP 
@@ -767,26 +766,26 @@ wish to continue a session without explicitly re-authenticating an end user. See Section 4.3 for more information. 6. IANA Considerations 6.1. RDAP Extensions Registry IANA is requested to register the following value in the RDAP Extensions Registry: - Extension identifier: rdap_openidc + Extension identifier: rdap_openidc_level_0 Registry operator: Any Published specification: This document. Contact: IESG - Intended usage: This extension includes response information - required for federated authentication using OpenID Connect. + Intended usage: This extension describes a federated + authentication method for RDAP using OAuth 2.0 and OpenID Connect. 6.2. JSON Web Token Claims Registry IANA is requested to register the following values in the JSON Web Token Claims Registry: Claim Name: "purpose" Claim Description: This claim describes the stated purpose for submitting a request to access a protected RDAP resource. Change Controller: IESG 
@@ -1024,41 +1023,36 @@ Vesely. In addition, the Verisign Registry Services Lab development team of Joseph Harvey, Andrew Kaizer, Sai Mogali, Anurag Saxena, Swapneel Sheth, Nitin Singh, and Zhao Zhao provided critical "proof of concept" implementation experience that helped demonstrate the validity of the concepts described in this document. 10. References 10.1. Normative References - [I-D.ietf-oauth-token-exchange] - Jones, M., Nadalin, A., Campbell, B., Bradley, J., and C. - Mortimore, "OAuth 2.0 Token Exchange", draft-ietf-oauth- - token-exchange-19 (work in progress), July 2019. - [OIDC] OpenID Foundation, "OpenID Connect", . [OIDCC] OpenID Foundation, "OpenID Connect Core incorporating errata set 1", November 2014, . [OIDCD] OpenID Foundation, "OpenID Connect Discovery 1.0 incorporating errata set 1", November 2014, - . + . [OIDCR] OpenID Foundation, "OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1", November - 2014, . + 2014, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . 
@@ -1121,20 +1115,25 @@ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8628] Denniss, W., Bradley, J., Jones, M., and H. Tschofenig, "OAuth 2.0 Device Authorization Grant", RFC 8628, DOI 10.17487/RFC8628, August 2019, . + [RFC8693] Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., + and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, + DOI 10.17487/RFC8693, January 2020, + . + 10.2. Informative References [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, . @@ -1152,20 +1151,23 @@ 00: Initial working group version ported from draft-hollenbeck- regext-rdap-openid-10. 01: Modified ID Token delivery approach to note proper use of an HTTP bearer authorization header. 02: Modified token delivery approach (access token is the bearer token) to note proper use of an HTTP bearer authorization header, fixing the change made in -01. 03: Updated OAuth 2.0 Device Authorization Grant description and reference due to publication of RFC 8628. + 04: Updated OAuth 2.0 token exchange description and reference due + to publication of RFC 8693. Corrected the RDAP conformance + identifier to be registered with IANA. Author's Address Scott Hollenbeck Verisign Labs 12061 Bluemont Way Reston, VA 20190 USA Email: shollenbeck@verisign.com
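Review bot: in the Section 4.4 hunk the replacement sentence now cites a published RFC but still only says the exchange yields "tokens that reset the audience parameter"; with RFC 8693 final, say what the RP actually does so implementers are not left guessing: it sends the untrusted token to the OP's token endpoint as the `subject_token`, requesting the audience it needs via the `audience` (or `resource`) request parameter, and it must still validate the `aud` claim of the token it gets back before treating it as trusted. Also check the remainder of the document for any surviving "RFC TBD" or "[I-D.ietf-oauth-token-exchange]" citations, since the Normative References hunk deletes that entry and a leftover citation would dangle.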
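Review bot: the rename from "rdap_openidc" to "rdap_openidc_level_0" in the IANA Considerations hunk has to be carried through to every other place the identifier appears (for example any rdapConformance example response or the section that introduces the identifier), and this diff only touches the registry entry. A registered value that differs from the value servers actually emit in rdapConformance is precisely the mismatch the "_level_0" convention is meant to prevent, so either confirm there are no other occurrences or include those hunks in this revision.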
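Review bot: the new "04:" changelog entry lists the RFC 8693 update and the conformance identifier fix but omits the URL changes made to the [OIDCD] and [OIDCR] entries in the Normative References hunk; add a line for them so anyone diffing against -03 knows the reference targets moved. The added [RFC8693] entry itself is fine: it is placed after [RFC8628] in sort order, marks Campbell as editor, and carries the January 2020 publication date and DOI 10.17487/RFC8693.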