Hi Scott,
I read the full draft recently and I have a couple of comments related
to -20 and older versions as well. Sorry if those have already been
discussed previously on the mailing list.
- section 3.1.2: "Servers MUST support both types of client."
Is there a reason for this to be a MUST? I think it could prevent people
from implementing the spec (or a part of it) as this is a pretty huge
requirement.
- section 3.1.4.2
OAuth 2.0 implicit flow is deprecated and the specification recommends
using authorization code with PKCE instead.
- section 4.1
I'm not that familiar with OIDC and that's might be the issue but I
don't really understand the need for additionalAuthorizationQueryParams.
Is there a way to clarify this or a reference that would help? I think
this might be a question for Pawel.
- sections 4.1, 5.2.1 and 5.2.2
If I understood correctly, farv1_id and farv1_iss query parameters can
only be used if providerDiscoverySupported and issuerIdentifierSupported
are true. IMHO it would ease the understanding to add a reference to
those server capabilities in the query parameters sections.
Best regards,
Julien
On 10/01/2023 10:08, Hollenbeck, Scott wrote:
-----Original Message-----
From: regext <[email protected]> On Behalf Of [email protected]
Sent: Tuesday, January 10, 2023 10:03 AM
To: [email protected]
Cc: [email protected]
Subject: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-20.txt
Caution: This email originated from outside the organization. Do not click links
or open attachments unless you recognize the sender and know the content is
safe.
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Registration Protocols Extensions WG of the
IETF.
Title : Federated Authentication for the Registration Data
Access
Protocol (RDAP) using OpenID Connect
Author : Scott Hollenbeck
Filename : draft-ietf-regext-rdap-openid-20.txt
Pages : 47
Date : 2023-01-10
Abstract:
The Registration Data Access Protocol (RDAP) provides "RESTful" web
services to retrieve registration metadata from domain name and
regional internet registries. RDAP allows a server to make access
control decisions based on client identity, and as such it includes
support for client identification features provided by the Hypertext
Transfer Protocol (HTTP). Identification methods that require
clients to obtain and manage credentials from every RDAP server
operator present management challenges for both clients and servers,
whereas a federated authentication system would make it easier to
operate and use RDAP without the need to maintain server-specific
client credentials. This document describes a federated
authentication system for RDAP based on OpenID Connect.
[SAH] This version address Pawel's feedback from December. Is there anything
else that needs work?
Scott
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
