Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect
draft-ietf-regext-rdap-openid-26
The information below is for an old version of the document.
| Section | Field | Value |
|---|---|---|
| Document | Type | This is an older version of an Internet-Draft that was ultimately published as RFC 9560. |
| | Author | Scott Hollenbeck |
| | Last updated | 2023-10-13 (Latest revision 2023-09-05) |
| | Replaces | draft-hollenbeck-regext-rdap-openid |
| | RFC stream | Internet Engineering Task Force (IETF) |
| | Reviews | INTDIR Last Call review (of -25) by Dirk Von Hugo: Ready w/nits. ARTART Last Call review (of -24) by Valery Smyslov: Ready w/nits. |
| | Additional resources | Mailing list discussion |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Zaid AlBanna |
| | Shepherd write-up | Last changed 2023-08-21 |
| IESG | IESG state | Became RFC 9560 (Proposed Standard) |
| | Consensus boilerplate | Yes |
| | Telechat date | (None); has enough positions to pass. |
| | Responsible AD | Murray Kucherawy |
| | Send notices to | Zaid AlBanna <zalbanna@verisign.com> |
| IANA | IANA review state | Version Changed - Review Needed |
| | IANA expert review state | Expert Reviews OK |
| | IANA expert review comments | Experts have approved both the RDAP Extensions and the JSON Web Token Claims registrations. |
[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, June 2022, <https://www.rfc-editor.org/info/rfc9110>.

[RFC9325] Sheffer, Y., Saint-Andre, P., and T. Fossati, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November 2022, <https://www.rfc-editor.org/info/rfc9325>.

13.2. Informative References

[I-D.ietf-oauth-security-topics] Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett, "OAuth 2.0 Security Best Current Practice", Work in Progress, Internet-Draft, draft-ietf-oauth-security-topics-23, 5 June 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23>.

[OIDC] OpenID Foundation, "What is OpenID Connect", <https://openid.net/developers/how-connect-works/>.

Hollenbeck Expires 15 April 2024 [Page 47]
Internet-Draft OpenID Connect for RDAP October 2023

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <https://www.rfc-editor.org/info/rfc4949>.

[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, <https://www.rfc-editor.org/info/rfc7942>.

[RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, June 2018, <https://www.rfc-editor.org/info/rfc8414>.

[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, <https://www.rfc-editor.org/info/rfc8792>.

Appendix A. Change Log

00: Initial working group version ported from draft-hollenbeck-regext-rdap-openid-10.

01: Modified ID Token delivery approach to note proper use of an HTTP bearer authorization header.
02: Modified token delivery approach (Access Token is the bearer token) to note proper use of an HTTP bearer authorization header, fixing the change made in -01.

03: Updated OAuth 2.0 Device Authorization Grant description and reference due to publication of RFC 8628.

04: Updated OAuth 2.0 token exchange description and reference due to publication of RFC 8693. Corrected the RDAP conformance identifier to be registered with IANA.

05: Keepalive refresh.

06: Keepalive refresh.

07: Added "login_hint" description to Section 3.1.4.2. Added some text to Section 3.1.5.2 to note that "do not track" requires compliance with local regulations.

08: Rework of token management processing in Sections 4 and 5.

09: Updated RDAP specification references. Added text to describe both default and remote OpenID Provider processing. Removed text that described passing of ID Tokens as query parameters.

10: Updated Section 3.1.4.1. Replaced token processing queries with "login", "session", and "logout" queries.

11: Replaced queries with "session/*" queries. Added description of "rdap" OAuth scope. Added implementation status information.

12: Updated data structure descriptions. Updated Section 9. Minor formatting changes due to a move to xml2rfc-v3 markup.

13: Added support for OP discovery via OP's Issuer Identifier. Modified the RDAP conformance text to use "roidc1", and added that value to extension path segments, data structures, and query parameters. Changed the "purpose" and "dnt" claims to "rdap_allowed_purposes" (making it an array) and "rdap_dnt_allowed". Added the "roidc1_qp" and "roidc1_dnt" query parameters. Changed the descriptions of "local" OPs to "default" OPs.

14: Fixed a few instances of "id" that were changed to "roidc1_id" and "session" that were changed to "roidc1_session". Added "implicitTokenRefreshSupported".
15: Fixed an instance of openidcConfiguration that was missing the "roidc1" prefix. Changed SHOULD to MUST to describe the need to return the roidc1_openidcConfiguration data structure in a "help" response.

16: Changed the "roidc1" prefix to "farv1". Added additional terminology text. Added RFC 8996 as a normative reference. Multiple clarifications in Sections 3, 4, and 5. Added login/refresh/logout sequence and conflict response text. Added "clientID" and "iss" to the "farv1_session" data structure. Made the "userClaims" and "sessionInfo" objects OPTIONAL in the "farv1_session" data structure. Fixed the curl example in Section 5.2.4.1. Modified the "/device" and "/devicepoll" requests to include query parameters. Added "device_code" to the "farv1_deviceInfo" data structure. Added the "farv1_dc" query parameter.

17: Changed string "true" to boolean true in Figure 3. Fixed the reference to RFC 8996. Updated references for RFCs 5226 (to 8126) and 7230 (to 9110).

18: Addressed WG last call feedback for which we had agreed-upon updates.

19: Updated Security Considerations. Updated response processing text. Added and changed text to describe support for session-oriented and token-oriented clients. Added reference to RFC 9068.

20: Updated text to describe support for session-oriented and token-oriented clients.

21: Changed "Servers MUST support both types of client" to "SHOULD". Added "sessionClientSupported" and "tokenClientSupported" as a consequence. Noted that the OIDCC Implicit Flow is being deprecated due to security concerns. Added additional text to describe the relationship between "providerDiscoverySupported" and "farv1_id", and "issuerIdentifierSupported" and "farv1_iss". Restructured Section 5.6 and Section 7. Replaced the reference to RFC 2616 (obsolete) with RFC 9110. Replaced the reference to RFC 7231 (obsolete) with RFC 9110.

22: Changed MANDATORY to REQUIRED for BCP 14 alignment. Updated Section 3.1.2, Section 11, and Section 12.
23: Changed "IESG" to "IETF" in Section 9 at IANA's request.

24: AD evaluation edits.

25: IETF last call edits.

26: IESG evaluation edits.

Author's Address

Scott Hollenbeck
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
United States of America
Email: shollenbeck@verisign.com
URI: https://www.verisignlabs.com/