IETF Logo Mail Archive

Re: [regext] Web Service Client Flow

"Hollenbeck, Scott" <shollenbeck@verisign.com> Fri, 02 December 2022 15:40 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5392C14CF1D for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 07:40:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lhtPy0U4Hnpg for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 07:40:12 -0800 (PST)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F015C14CE29 for <regext@ietf.org>; Fri, 2 Dec 2022 07:37:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=5182; q=dns/txt; s=VRSN; t=1669995456; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=9nH1sUmKtpLBTHR2UXc2LYDbodJ4vUDhvj3B9HSdzkY=; b=nHE3FAkifnFC8tcB0E9kWl8usV22olmlNn6KENqhSNhAuBmtelt+yMZH XSYJbOC20PZrDzOXhapS1Y/70e4V6WTeMVNB2IX9c1EW6itqwIOc8SgUK CbCNFplDhP+jebNjdPIrP7WhE210gxhzBu3C4v/Z2a9e2ZsM6G8YZGKb+ LaWIF/RESC02/0pSwU+ooBU7JsG9fwh/ZnFKx+xUed448I7mL2Y3NGV9f 39db6k5JpK3f/Mplk5M78ziMNv87BnvySwpOHrSrJsI4v8sU+WY0qvgvO UNZk9bZGW/xNsrRPbaGALpLQmsGtu75WCLAAVgVZtptIwaJezPrO0Ockq A==;
IronPort-Data: A9a23:Hx0x6a+LcDfIJB/ms4H7DrUDgX+TJUtcMsCJ2f8bNWPcYEJGY0x3x mtMUGvUOP/eYGD3fIh1YIng/EtTvsCEnIVkTAFkqy8xFiIbosf7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOC6UIYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE0 T/Ii5S31GSNhnglbAr414rZ8Ek15a6q4mtC1rADTasjUGH2xiF94K03ePnZw0vQGuF8AuO8T uDf+7C1lkuxE8AFU47Nfh7TKyXmc5aKVeS8oiM+t5uK23CukhcPPpMTb5LwX28M0mnUwIoho Dl6ncfYpQ8BZsUgkcxDC0UIS3kW0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDklE1 uAfBhkHcimI2f28mZiZDc9IiNYaeZyD0IM34hmMzBnzN9B/frbuc/2To8FT2y0owMlCW+jEf MxfYj1qBPjCS0QXfA5IU9Rnwbzu2imXnz5w8Tp5oYIs42/XyAF32rXmM/LLd8aLXsRamACTo WeuE2HRWEtEaoXEk2rtHnSEpd3wjRnmR6EoK6Sbye9OhlKRwDMLF0hDPbe8ibzj4qKkYPpcL FMd/isthaQ/8k2gCNXwNzW9qWSFuVgYXNReCeA27ymMy7aS6ACDQGkYJhZbZdMrpNMeRDE22 BmOhdyBONB0mLePTyuC8LqE9Wr3IjYPa2oDfmoOSk0P+d+65p8plRSJRdFmeEKosuDI9fjL6 2jihEADa3871KbnC43TEYj7vg+R
IronPort-HdrOrdr: A9a23:eHucHate+Y+Tr05q3wqaSHC47skDq9V00zEX/kB9WHVpm6uj5q WTdZUgpH3JYVkqOE3I9ervBEDiexzhHPdOiOEs1NyZLWrbUQWTTb1K3M/NzzrtACXi+uMY/r cIScRDIey1KVRhl8717E2bH8ZI+rO62ZHtoevF1X9iQUVRdqd6425CZzqzCEFsWwVcP5Y/Ga ed4sYvnVGdRUg=
X-IronPort-AV: E=Sophos;i="5.96,212,1665446400"; d="scan'208";a="22661328"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Fri, 2 Dec 2022 10:37:35 -0500
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2507.016; Fri, 2 Dec 2022 10:37:35 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "kowalik@denic.de" <kowalik@denic.de>, "mario.loffredo@iit.cnr.it" <mario.loffredo@iit.cnr.it>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Web Service Client Flow
Thread-Index: Adj6ivWSDaZjgU6FRr2zQEt/DdxvSQAVZMYAAAnir9AAGF9lgAABXgcAAAjH9ZAAjMxOgAAGU1/QAVr2kDAAbZSygAAKKxQgAFdEuAAACKsGIA==
Date: Fri, 02 Dec 2022 15:37:35 +0000
Message-ID: <fda773788caa4a3285f75c7d8b8785d8@verisign.com>
References: <c13d400573404ec3bf897feb263d5f3c@verisign.com> <44c38e17-0317-1e43-6531-2de6bf7c3cf9@denic.de> <3697246c04fc49c6a152329822594d4b@verisign.com> <41f8647e-959b-35f9-5414-f031a9b629d8@denic.de> <93a0f79c-6720-0e7f-ae3e-689b52359504@iit.cnr.it> <84a6822ea7234bf093b4af31ef136a2c@verisign.com> <b5ac553b-ab58-9703-2445-1274110f51af@denic.de> <1077c9b84e5c404c8533bf9858befa5e@verisign.com> <cc75203eea1d444a9ef4dc7a6f00322a@verisign.com> <b7561c3e-4e2b-942f-b3c1-2e5f7e650cbe@denic.de> <91fca52f19bf4b888cc7f4f5665e6672@verisign.com> <545ab209-e87e-8230-3d32-0c77da048d9e@denic.de>
In-Reply-To: <545ab209-e87e-8230-3d32-0c77da048d9e@denic.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/5bsXVQCIDFvIKg80JDSbcYQ-Mhg>
Subject: Re: [regext] Web Service Client Flow
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 15:40:16 -0000

> -----Original Message-----
> From: Pawel Kowalik <kowalik@denic.de>
> Sent: Friday, December 2, 2022 9:45 AM
> To: Hollenbeck, Scott <shollenbeck@verisign.com>; mario.loffredo@iit.cnr.it;
> regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] Web Service Client Flow
>
> Caution: This email originated from outside the organization. Do not click links
> or open attachments unless you recognize the sender and know the content is
> safe.
>
> Hi Scott,
>
> Am 30.11.22 um 17:39 schrieb Hollenbeck, Scott:
> >> -----Original Message-----
> >> From: Pawel Kowalik <kowalik@denic.de>
> >> Sent: Wednesday, November 30, 2022 11:15 AM
> >> To: Hollenbeck, Scott <shollenbeck@verisign.com>;
> >> mario.loffredo@iit.cnr.it; regext@ietf.org
> >> Subject: [EXTERNAL] Re: [regext] Web Service Client Flow
> >>
> >> Caution: This email originated from outside the organization. Do not
> >> click links or open attachments unless you recognize the sender and
> >> know the content is safe.
> >>
> >> Hi Scott,
> >>
> >> I have a bit of difficulty with those definitions.
> >>
> >> I think this starts with the definition of a client.
> >>
> >> RFC 2616 defines it as follows:
> >>
> >>      client
> >>         A program that establishes connections for the purpose of sending
> >>         requests.
> >>
> >>      user agent
> >>         The client which initiates a request. These are often browsers,
> >>         editors, spiders (web-traversing robots), or other end user tools.
> > [SAH] The draft inherits a definition of "client" from RFC 7480.
> > That's spelled out in the "terminology" section.
>
> [PK2] Indeed I overlooked that. The definition in RFC 7480 actually refers to
> HTTP user agent, so RFC 2616 definition.
>
>
> >> RFC 6749 has a different definition:
> >>
> >>      An application making protected resource requests on behalf of the
> >>         resource owner and with its authorization.  The term "client" does
> >>         not imply any particular implementation characteristics (e.g.,
> >>         whether the application executes on a server, a desktop, or other
> >>         devices).
> >>
> >>
> >> When we now talk of "session-oriented" clients, we actually mean "user
> >> agent"
> >> as per RFC 2616 which supports cookies for session management, whereas
> >> "token-oriented" clients are in fact clients in sense of RFC 6749.
> > [SAH] OK, so what's the best way to identify these two types of clients in the
> > draft given the RDAP definition of "client" found in RFC 7480?
>
> [PK2] My proposal:
>
> Clients that want to delegate OIDC Authentication to RDAP server as part of
> session-oriented interactions and can accept and process HTTP cookies
> [RFC6265] to maintain the session are known as "session-oriented" clients. This
> type of RDAP client performs the role of user agent [RFC2616]. An RDAP server
> performs the role of an OpenID Connect Core Relying Party (RP). A web
> browser used to send queries directly to an RDAP server is an example of a
> session-oriented client.
>
> Clients that perform OIDC Authentication directly taking the role of an RP in
> interactions with an OP and send access tokens [RFC6749] to an RDAP server to
> authorize RDAP queries are known as "token-oriented" clients. An RDAP server
> performs resource server functions [RFC6749] to verify the tokens received
> from the client and RP functions to retrieve information from the OP as
> necessary to make access control decisions. A web browser running JavaScript
> received from a web service that sends queries to an RDAP server directly or
> through its backend web service is an example of a token-oriented client.

[SAH] Thanks, this works for me. I'll get it into -20.

Scott

v2.23.0 | Report a Bug | By Email