IETF Logo Mail Archive

Re: [regext] WGLC: draft-ietf-regext-rdap-openid-17

Pawel Kowalik <kowalik@denic.de> Thu, 06 October 2022 13:19 UTC

Return-Path: <kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71831C14CF03 for <regext@ietfa.amsl.com>; Thu, 6 Oct 2022 06:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xOJkJHhhQPvs for <regext@ietfa.amsl.com>; Thu, 6 Oct 2022 06:19:38 -0700 (PDT)
Received: from mout-b-206.mailbox.org (mout-b-206.mailbox.org [IPv6:2001:67c:2050:102:465::206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFC51C14F737 for <regext@ietf.org>; Thu, 6 Oct 2022 06:19:38 -0700 (PDT)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4MjsVC3Mp0z9sQp for <regext@ietf.org>; Thu, 6 Oct 2022 15:19:31 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1665062371; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L+vjMUEVP92IZlxc5/Puu4wXug9TBpQygPLSLS8W6s0=; b=PVVohO6UJAaXiQ/slH/EnsGO53UaS3fbQ3ljKuf7MyiWSBpLFswqJG9ui8ABMg/5ymV0A7 jqItVFVYh7q72O3arjDdDen1r3m0fufn89+EzfcqSoqLBG5QJ47MUPCp7qogoRuAh5WGKc AoNpHFcuGu2QorOlC58ynmvrebQA1EbUHUS8eZlgstnlau7dEGe2WUGVaNM2y29fJdy/T1 9Cby4dSZ6UNTMsDUFHjI+croixdYPQ0VBui9q5lBbzVAJ8FGFdvEh1hsgShJVrWtKLswNu Smn0yzMtDmtl07dLwoaWi+nygZwQCE+3a5qIC/ZRSa35hbMCqe7/6U33O3mr1Q==
Message-ID: <0ec039c2-7cc0-7dfa-262a-b5c5c37c2987@denic.de>
Date: Thu, 06 Oct 2022 15:19:29 +0200
MIME-Version: 1.0
Content-Language: en-GB, de-DE
To: regext@ietf.org
References: <696A1066-D07F-4DCD-9894-9D7B8BDEAE38@elistx.com> <08EA70BF-CD18-484A-9458-9A61275C0E45@elistx.com> <fbd102ecce0248648fe06a10be2c0762@verisign.com> <9d1054a6-8094-b297-f551-59f8f9e0254c@denic.de> <db20582886ff47e193ecc7561ad3ba7b@verisign.com>
From: Pawel Kowalik <kowalik@denic.de>
In-Reply-To: <db20582886ff47e193ecc7561ad3ba7b@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-MBO-RS-META: us568u9c3gtzzg6ym4kbdaitfoic4mqg
X-MBO-RS-ID: e8e0086ecfac0b8fc93
X-Rspamd-Queue-Id: 4MjsVC3Mp0z9sQp
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Dk5-oRckwEWiqNKfulRlh7I6vYE>
Subject: Re: [regext] WGLC: draft-ietf-regext-rdap-openid-17
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2022 13:19:44 -0000

Hi Scott,


redirect_uri and state will allow the login flow to finish on a page of 
the web application initiating the login flow, instead of displaying a 
JSON output as the current draft specifies.

The web application user does not expect to see JSON output, rather 
expect to continue interaction with the application, like doing the 
domain query he started with.


Cookie issues:

- for the front-end type of client - with current CORS settings as 
recommended by section 5.6 of RFC7480 (setting "*" for 
Access-Control-Allow-Origin and no Access-Control-Allow-Credentials 
header) is blocking the cross-origin session cookies coming from the 
user agent to the RDAP server, effectively making the use case broken.

- for the back-end type of client - the login session and the session 
cookie is created between the user agent and the RDAP server. This 
cookie will not be passed to the backend system because the web 
application would typically another domain than the RDAP server. In 
effect the backend system won't be able to access protected resources of 
the RDAP server.


Kind Regards,

Pawel

Am 06.10.22 um 14:57 schrieb Hollenbeck, Scott:
> Pawel, would you please explain these issues in a bit more detail? For
> example, how does adding support for the redirect_uri and state query
> parameters help? What do they do? What's the cookie issue?
>
> Scott
>
>> -----Original Message-----
>> From: regext <regext-bounces@ietf.org> On Behalf Of Pawel Kowalik
>> Sent: Thursday, October 6, 2022 8:22 AM
>> To: regext@ietf.org
>> Subject: [EXTERNAL] Re: [regext] WGLC: draft-ietf-regext-rdap-openid-17
>>
>> Caution: This email originated from outside the organization. Do not click
>> links
>> or open attachments unless you recognize the sender and know the content is
>> safe.
>>
>> Hi,
>>
>>
>> The discussion is ongoing but I will try to summarise the status.
>>
>>
>> In the current state the draft is supporting pretty good the use cases of
>> RDAP
>> user interacting directly with RDAP server via the browser or using command
>> line tools.
>>
>> The draft is not supporting the use cases of RDAP user interacting with RDAP
>> server via web application, neither client side nor server side.
>>
>> Client side application support can be added pretty straightforward to the
>> specification with added language of redirect_uri and state (analogue to the
>> same features of OAuth2) and by specifying the necessary behaviour in terms
>> of CORS and appropriate Security Considerations.
>>
>> Server side applications are not supported by the current draft and not
>> really
>> possible to add the support without a major change to the specification. The
>> main issue is the usage of the cookies, which cannot be passed cross domain
>> between the front-end doing the authorisation with the RDAP server and the
>> back-end doing the actual RDAP API interactions.
>>
>> In my opinion the WG shall get the consensus around whether these web
>> application related use-cases shall be supported in order to move forward
>> with
>> the WGLC.
>>
>>
>> Kind regards,
>>
>> Pawel
>>
>>
>> Am 04.10.22 um 15:42 schrieb Hollenbeck, Scott:
>>>> -----Original Message-----
>>>> From: regext <regext-bounces@ietf.org> On Behalf Of James Galvin
>>>> Sent: Monday, October 3, 2022 8:40 AM
>>>> To: REGEXT WG <regext@ietf.org>
>>>> Subject: [EXTERNAL] Re: [regext] WGLC:
>>>> draft-ietf-regext-rdap-openid-17
>>>>
>>>> Caution: This email originated from outside the organization. Do not
>>>> click links or open attachments unless you recognize the sender and
>>>> know the content is safe.
>>>>
>>>> REMINDER:
>>>>
>>>> This document is in WGLC and has only received support from its
>>>> Editor and its Document Shepherd.
>>>>
>>>> To advance this document we need expressions of support from others
>>>> to advance this document to the IESG to be considered for publication
>>>> as a Proposed Standard.
>>>>
>>>> WGLC remains open through Monday, 10 October.  This document can not
>>>> advance without support.
>>> [SAH] I'm currently having an off-list exchange with someone that might
>> produce changes to the draft. I'll encourage that reviewer to provide a
>> summary once he's comfortable doing so.
>>> Scott
>>> _______________________________________________
>>> regext mailing list
>>> regext@ietf.org
>>> https://secure-web.cisco.com/1zU1MYveTuBh9US9H88-
>> KwanCz9Jm5AUkv3Qpuu9r
>> bKowPbfig9_o0Wb_b8TEYITFDuWKq3JuH8aOMkNI4nXlp19GH6vgkYD7JMeeBG
>> a09cR_Sa
>> OpAxe92RHqwpZRaZhiCsI7QDzc0wt9i6MpMLzHPNxv6kebSP1A2Bd3hb5U4N32J
>> u4X4pRm
>>> j9aD5rXHgsMO7ZDlsuJkHLnBVBzfMzyyx4lPHpRBsNYfw7-SizhHxsb_s-
>> Mf9ihZBIN-Oh
>>> 6nkmZx/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fregext
>> _______________________________________________
>> regext mailing list
>> regext@ietf.org
>> https://secure-web.cisco.com/1zU1MYveTuBh9US9H88-
>> KwanCz9Jm5AUkv3Qpuu9rbKowPbfig9_o0Wb_b8TEYITFDuWKq3JuH8aOMkNI4
>> nXlp19GH6vgkYD7JMeeBGa09cR_SaOpAxe92RHqwpZRaZhiCsI7QDzc0wt9i6Mp
>> MLzHPNxv6kebSP1A2Bd3hb5U4N32Ju4X4pRmj9aD5rXHgsMO7ZDlsuJkHLnBVBz
>> fMzyyx4lPHpRBsNYfw7-SizhHxsb_s-Mf9ihZBIN-
>> Oh6nkmZx/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fregext
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email