IETF Logo Mail Archive

Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt

Pawel Kowalik <pawel.kowalik@denic.de> Tue, 06 December 2022 09:12 UTC

Return-Path: <pawel.kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 879DCC157B5B for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 01:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id th6DdEdQkNVo for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 01:12:08 -0800 (PST)
Received: from mout-b-110.mailbox.org (mout-b-110.mailbox.org [IPv6:2001:67c:2050:102:465::110]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93443C14CE45 for <regext@ietf.org>; Tue, 6 Dec 2022 01:12:08 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4NRF6P5VxYz9t8D; Tue, 6 Dec 2022 10:11:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1670317917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=uG15d6dmejX5YcHzTGgFPs/eiox78/Z1mnChDbySPOE=; b=gz81snslaHiqHxjLkC5rkqKi4Gv+nG9LhFFIAAcB2d0eMJLBXC6NM8ORHoVfwX5k6IsnqQ jndrAjymFprQquu3HV4rrjxOZuGDL5DgH/XExeij1yiJth+hI9dMHf2pUdf+kMVg2Dun3/ gjGclAHKY85SmuEZdVpkG679oTftrB+Z/AIWsNSdv+nNTM56+F92xsGy07f69YZ+TNedXG 345n2K2vYP4Z+9il23y6FGyrxqIaWMlQy9CIJ6h8Z1Yn6jqyHxNmkn7H9hRyvd/Ewo+v2J rwEXEd8Zwx4GlURbamUJ1rPAMTB/XGya88hVIKrxAw/16i1PGnrZHJUZIzXGkA==
Message-ID: <c0b80021-b79d-7d4f-a8ba-0da171c4a381@denic.de>
Date: Tue, 06 Dec 2022 10:11:52 +0100
MIME-Version: 1.0
Content-Language: en-US
To: "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>, "regext@ietf.org" <regext@ietf.org>
References: <166999115592.50686.10179207835682222803@ietfa.amsl.com> <9bab275f5714470fa5b0db29eed137e5@verisign.com>
From: Pawel Kowalik <pawel.kowalik@denic.de>
Organization: Denic
In-Reply-To: <9bab275f5714470fa5b0db29eed137e5@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MBO-RS-ID: 552568556cb231a286e
X-MBO-RS-META: offf9dnm394w7bzw48m4hr9acd79xja1
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ffXRq8kcgaAgyFIPbYphEChvpMc>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2022 09:12:12 -0000

Hi Scott,

Thanks for the progress on that.


I have the following remarks:

- 3.1.1 refers to "Access Token" in RFC9068 instead of RFC6749. I think 
this might be misleading to exclude opaque access tokens just by 
redefining it in the terminology. If the intention is to limit to "JWT 
Access Token" then I would state it in explicit way. If it was not the 
intention then I would define a second term "JWT Access Token" and then 
refer to it where appropriate (see remarks to Section 6 below).

- I would rename the section 3.1.5.  "Specialized Claims for RDAP" to 
"Specialized Claims and Authorization Scope for RDAP" (see below remarks 
to section 6.1)

- in the Section 3.1.3 the Sequence diagram for session-oriented client 
should also contain RDAP server <-> OP interactions to correspond to the 
sequence diagram of token-oriented clients

- in the Section 4.1 I propose to add an additional member to the object 
in openidcProviders array:

   - "additionalAuthorizationQueryParams" being an object where each 
member represents query parameter name and value is the query parameter 
value
   This metadata will allow Token-Oriented Client to trigger 
authorization with a specified OP through Proxy OP, even if the iss and 
authorization endpoints are same. With Keycloak as example this can be 
controlled with "kc_idp_hint" parameter, so the example configuration 
would be:

    "openidcProviders":
             [
               {
                 "iss": "https://local-idp.rdap.example.com",
                 "name": "Example Public IDP",
                 "additionalAuthorizationQueryParams": {
                    "kc_idp_hint": "examplepublicidp"
                 }

               }

             ]

- the Section 5.3 is generic, not depending on client type, so it should 
move to Section 4

- same applies to Section 5.7

- in OAuth2 the authorization is done using scopes. I think in the 
Section 6.1 the RP should always require scope "rdap". Also the usage of 
additionalAuthorizationQueryParams shall be added here.

- in 6.1 it may be necessary to  add also that the OP SHOULD include the 
RDAP server in the "aud" claim of the issued token. Alternatively RDAP 
server may choose to ignore the "aud" claim or exchange the token (as 
described in the section 7)

- we discussed that we do not care that much about remote OPs, however 
the issue of access_token coming from an unknown OP remains. My proposal 
for a simple solution would be just to require a query parameter "OP 
Issuer Identifier" with each RDAP query for non-default OP server. This 
would be an add to 6.2

- the section 6 should have a subsection about access token validation 
including:

   - processing of "OP Issuer Identifier" query parameter and (optional) 
token introspection with OP or validation of the JWT access token - this 
would be mainly reference to OAuth2 RFCs

   - checking "rdap" scope in the access token

   - optional request for User Claim (as needed by the RDAP server) with 
an indication about performance implications and hint for caching

- I would also add token refresh consideration to the Section 6, namely 
that the RP needs to take care about refreshing the token as necessary 
before sending requests to RDAP server

- Section 7 only applies to Token-Oriented Clients, so it belongs under 
Section 6


Kind Regards,

Pawel

Am 02.12.22 um 15:27 schrieb Hollenbeck, Scott:
>> -----Original Message-----
>> From: regext <regext-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
>> Sent: Friday, December 2, 2022 9:26 AM
>> To: i-d-announce@ietf.org
>> Cc: regext@ietf.org
>> Subject: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt
>>
>> Caution: This email originated from outside the organization. Do not click links
>> or open attachments unless you recognize the sender and know the content is
>> safe.
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Registration Protocols Extensions WG of the
>> IETF.
>>
>>          Title           : Federated Authentication for the Registration Data Access
>> Protocol (RDAP) using OpenID Connect
>>          Author          : Scott Hollenbeck
>>    Filename        : draft-ietf-regext-rdap-openid-19.txt
>>    Pages           : 46
>>    Date            : 2022-12-02
>>
>> Abstract:
>>     The Registration Data Access Protocol (RDAP) provides "RESTful" web
>>     services to retrieve registration metadata from domain name and
>>     regional internet registries.  RDAP allows a server to make access
>>     control decisions based on client identity, and as such it includes
>>     support for client identification features provided by the Hypertext
>>     Transfer Protocol (HTTP).  Identification methods that require
>>     clients to obtain and manage credentials from every RDAP server
>>     operator present management challenges for both clients and servers,
>>     whereas a federated authentication system would make it easier to
>>     operate and use RDAP without the need to maintain server-specific
>>     client credentials.  This document describes a federated
>>     authentication system for RDAP based on OpenID Connect.
> [SAH] This is my first attempt for text that addresses token-oriented clients. I'd greatly appreciate review and feedback.
>
> Scott
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

-- 
Pawel Kowalik
Head of Product Management
--
DENIC eG, Kaiserstraße 75 - 77, 60329 Frankfurt am Main, GERMANY
E-Mail: pawel.kowalik@denic.de, Fon: ‭+49 173 3087096‬
https://www.denic.de

Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Thomas Keller, Martin Küchenthal, Andreas Musielak, Sebastian Röthler
Vorsitzender des Aufsichtsrats: Daniel Rink
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt am Main

Allgemeiner Hinweis zur Erfüllung unserer Informationspflichten gemäß Art. 13, Art. 14 DS-GVO: Informationen zur Verarbeitung personenbezogener Daten durch DENIC finden Sie unter https://www.denic.de/datenverarbeitung-allgemein/

v2.23.0 | Report a Bug | By Email