
Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect
draft-ietf-regext-rdap-openid-26

The information below is for an old version of the document.

Document type: This is an older version of an Internet-Draft that was ultimately published as RFC 9560.
Author: Scott Hollenbeck
Last updated: 2023-10-13 (latest revision 2023-09-05)
Replaces: draft-hollenbeck-regext-rdap-openid
RFC stream: Internet Engineering Task Force (IETF)
WG state: Submitted to IESG for Publication
Associated WG milestone: Jul 2023, Submit for publication "Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect"
Document shepherd: Zaid AlBanna (shepherd write-up last changed 2023-08-21)
IESG state: Became RFC 9560 (Proposed Standard)
Consensus boilerplate: Yes
Telechat date: (None)
Has enough positions to pass.
Responsible AD: Murray Kucherawy
Send notices to: Zaid AlBanna <zalbanna@verisign.com>
IANA review state: Version Changed - Review Needed
IANA expert review state: Expert Reviews OK
IANA expert review comments: Experts have approved both the RDAP Extensions and the JSON Web Token Claims registrations.

   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", STD 97, RFC 9110,
              DOI 10.17487/RFC9110, June 2022,
              <https://www.rfc-editor.org/info/rfc9110>.

   [RFC9325]  Sheffer, Y., Saint-Andre, P., and T. Fossati,
              "Recommendations for Secure Use of Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November
              2022, <https://www.rfc-editor.org/info/rfc9325>.

13.2.  Informative References

   [I-D.ietf-oauth-security-topics]
              Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett,
              "OAuth 2.0 Security Best Current Practice", Work in
              Progress, Internet-Draft, draft-ietf-oauth-security-
              topics-23, 5 June 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-
              security-topics-23>.

   [OIDC]     OpenID Foundation, "What is OpenID Connect",
              <https://openid.net/developers/how-connect-works/>.

Hollenbeck                Expires 15 April 2024                [Page 47]
Internet-Draft           OpenID Connect for RDAP            October 2023

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018,
              <https://www.rfc-editor.org/info/rfc8414>.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
              <https://www.rfc-editor.org/info/rfc8792>.

Appendix A.  Change Log

   00:  Initial working group version ported from draft-hollenbeck-
      regext-rdap-openid-10.
   01:  Modified ID Token delivery approach to note proper use of an
      HTTP bearer authorization header.
   02:  Modified token delivery approach (Access Token is the bearer
      token) to note proper use of an HTTP bearer authorization header,
      fixing the change made in -01.
   03:  Updated OAuth 2.0 Device Authorization Grant description and
      reference due to publication of RFC 8628.
   04:  Updated OAuth 2.0 token exchange description and reference due
      to publication of RFC 8693.  Corrected the RDAP conformance
      identifier to be registered with IANA.
   05:  Keepalive refresh.
   06:  Keepalive refresh.
   07:  Added "login_hint" description to Section 3.1.4.2.  Added some
      text to Section 3.1.5.2 to note that "do not track" requires
      compliance with local regulations.
   08:  Rework of token management processing in Sections 4 and 5.
   09:  Updated RDAP specification references.  Added text to describe
      both default and remote OpenID Provider processing.  Removed text
      that described passing of ID Tokens as query parameters.
   10:  Updated Section 3.1.4.1.  Replaced token processing queries with
      "login", "session", and "logout" queries.
   11:  Replaced queries with "session/*" queries.  Added description of
      "rdap" OAuth scope.  Added implementation status information.
   12:  Updated data structure descriptions.  Updated Section 9.  Minor
      formatting changes due to a move to xml2rfc-v3 markup.


   13:  Added support for OP discovery via OP's Issuer Identifier.
      Modified the RDAP conformance text to use "roidc1", and added that
      value to extension path segments, data structures, and query
      parameters.  Changed the "purpose" and "dnt" claims to
      "rdap_allowed_purposes" (making it an array) and
      "rdap_dnt_allowed".  Added the "roidc1_qp" and "roidc1_dnt" query
      parameters.  Changed the descriptions of "local" OPs to "default"
      OPs.
   14:  Fixed a few instances of "id" that were changed to "roidc1_id"
      and "session" that were changed to "roidc1_session".  Added
      "implicitTokenRefreshSupported".
   15:  Fixed an instance of openidcConfiguration that was missing the
      "roidc1" prefix.  Changed SHOULD to MUST to describe the need to
      return the roidc1_openidcConfiguration data structure in a "help"
      response.
   16:  Changed the "roidc1" prefix to "farv1".  Added additional
      terminology text.  Added RFC 8996 as a normative reference.
      Multiple clarifications in Sections 3, 4, and 5.  Added
      login/refresh/logout sequence and conflict response text.  Added
      "clientID" and "iss" to the "farv1_session" data structure.  Made
      the "userClaims" and "sessionInfo" objects OPTIONAL in the
      "farv1_session" data structure.  Fixed the curl example in
      Section 5.2.4.1.  Modified the "/device" and "/devicepoll"
      requests to include query parameters.  Added "device_code" to the
      "farv1_deviceInfo" data structure.  Added the "farv1_dc" query
      parameter.
   17:  Changed string "true" to boolean true in Figure 3.  Fixed the
      reference to RFC 8996.  Updated references for RFCs 5226 (to 8126)
      and 7230 (to 9110).
   18:  Addressed WG last call feedback for which we had agreed-upon
      updates.
   19:  Updated Security Considerations.  Updated response processing
      text.  Added and changed text to describe support for session-
      oriented and token-oriented clients.  Added reference to RFC 9068.
   20:  Updated text to describe support for session-oriented and token-
      oriented clients.
   21:  Changed "Servers MUST support both types of client" to "SHOULD".
      Added "sessionClientSupported" and "tokenClientSupported" as a
      consequence.  Noted that the OIDCC Implicit Flow is being
      deprecated due to security concerns.  Added additional text to
      describe the relationship between "providerDiscoverySupported" and
      "farv1_id", and "issuerIdentifierSupported" and "farv1_iss".
      Restructured Section 5.6 and Section 7.  Replaced the reference to
      RFC 2616 (obsolete) with RFC 9110.  Replaced the reference to RFC
      7231 (obsolete) with RFC 9110.
   22:  Changed MANDATORY to REQUIRED for BCP 14 alignment.  Updated
      Section 3.1.2, Section 11, and Section 12.
   23:  Changed "IESG" to "IETF" in Section 9 at IANA's request.


   24:  AD evaluation edits.
   25:  IETF last call edits.
   26:  IESG evaluation edits.

Author's Address

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA 20190
   United States of America
   Email: shollenbeck@verisign.com
   URI:   https://www.verisignlabs.com/
