Hi Scott, firstly, thanks for your work on this draft RFC. Authenticated access to RDAP would be very useful, not just for access control, but also for rate limiting for example.
I have some questions, apologies if these are OpenID specific rather than your draft.

- Section 3.1.2. (Overview)
  Q. Are all steps performed per-request, or can the RDAP client re-send the Authorization Code on subsequent requests (i.e., can any steps be skipped)?
  Q. Is any other information from the OpenID Provider (OP) visible to the client? For example, the Access Token or ID Token (again for use in subsequent requests).
  Q. Is the Subject Identifier contained in the response from the Token Endpoint? Or is it retrieved using a separate request to the UserInfo Endpoint?

- Section 3.1.3.4.
  Q. "the OP will send a response to the RP" - is this done indirectly, by returning an HTTP redirect to the RDAP client, back to the RP?

- Section 3.1.4
  Q. To be clear, the OpenID provider needs to be "RDAP aware", so needs to ask the user's consent, and return the "Purpose" claim to the RDAP server?
  Q. Since the Purpose Claim is optional, can the RDAP server use an existing (standard) OpenID provider claim instead?

- Section 4.2. (Token Request and Response)
  Q. Is an RDAP client required to request a token, in order to maintain a session with the RDAP server? Versus the process in Section 3.1.2.

- Section 5 (Non-Browser Clients)
  I'm interested in any way to make non-browser client access easier; is an initial browser session required to grant consent and obtain a token?

Finally, I look forward to seeing implementations of this draft.

Regards
Ed Shryane
RIPE NCC

> On 12 Jul 2016, at 13:15, Hollenbeck, Scott <[email protected]> wrote:
>
> Folks, with the just-announced publication of RFC 7942/BCP 205, I'm planning
> to add an "Implementation Status" section to my RDAP federated authentication
> draft*. If you've implemented the protocol specified in the draft and would
> like to be listed among the known implementations, please send (private email
> is fine) me the information described in Section 2 of RFC 7942. I'll update
> the draft after IETF-96. I'll be available in Berlin to talk to anyone who
> might be interested in talking about federated authentication for RDAP.
>
> Scott
>
> * https://datatracker.ietf.org/doc/draft-hollenbeck-regext-rdap-openid/
>
> _______________________________________________
> regext mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/regext
_______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
