Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt
Pawel Kowalik <pawel.kowalik@denic.de> Tue, 06 December 2022 09:12 UTC
Return-Path: <pawel.kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 879DCC157B5B for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 01:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id th6DdEdQkNVo for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 01:12:08 -0800 (PST)
Received: from mout-b-110.mailbox.org (mout-b-110.mailbox.org [IPv6:2001:67c:2050:102:465::110]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93443C14CE45 for <regext@ietf.org>; Tue, 6 Dec 2022 01:12:08 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4NRF6P5VxYz9t8D; Tue, 6 Dec 2022 10:11:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1670317917; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=uG15d6dmejX5YcHzTGgFPs/eiox78/Z1mnChDbySPOE=; b=gz81snslaHiqHxjLkC5rkqKi4Gv+nG9LhFFIAAcB2d0eMJLBXC6NM8ORHoVfwX5k6IsnqQ jndrAjymFprQquu3HV4rrjxOZuGDL5DgH/XExeij1yiJth+hI9dMHf2pUdf+kMVg2Dun3/ gjGclAHKY85SmuEZdVpkG679oTftrB+Z/AIWsNSdv+nNTM56+F92xsGy07f69YZ+TNedXG 345n2K2vYP4Z+9il23y6FGyrxqIaWMlQy9CIJ6h8Z1Yn6jqyHxNmkn7H9hRyvd/Ewo+v2J rwEXEd8Zwx4GlURbamUJ1rPAMTB/XGya88hVIKrxAw/16i1PGnrZHJUZIzXGkA==
Message-ID: <c0b80021-b79d-7d4f-a8ba-0da171c4a381@denic.de>
Date: Tue, 06 Dec 2022 10:11:52 +0100
MIME-Version: 1.0
Content-Language: en-US
To: "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>, "regext@ietf.org" <regext@ietf.org>
References: <166999115592.50686.10179207835682222803@ietfa.amsl.com> <9bab275f5714470fa5b0db29eed137e5@verisign.com>
From: Pawel Kowalik <pawel.kowalik@denic.de>
Organization: Denic
In-Reply-To: <9bab275f5714470fa5b0db29eed137e5@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MBO-RS-ID: 552568556cb231a286e
X-MBO-RS-META: offf9dnm394w7bzw48m4hr9acd79xja1
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ffXRq8kcgaAgyFIPbYphEChvpMc>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2022 09:12:12 -0000
Hi Scott, Thanks for the progress on that. I have the following remarks: - 3.1.1 refers to "Access Token" in RFC9068 instead of RFC6749. I think this might be misleading to exclude opaque access tokens just by redefining it in the terminology. If the intention is to limit to "JWT Access Token" then I would state it in explicit way. If it was not the intention then I would define a second term "JWT Access Token" and then refer to it where appropriate (see remarks to Section 6 below). - I would rename the section 3.1.5. "Specialized Claims for RDAP" to "Specialized Claims and Authorization Scope for RDAP" (see below remarks to section 6.1) - in the Section 3.1.3 the Sequence diagram for session-oriented client should also contain RDAP server <-> OP interactions to correspond to the sequence diagram of token-oriented clients - in the Section 4.1 I propose to add an additional member to the object in openidcProviders array: - "additionalAuthorizationQueryParams" being an object where each member represents query parameter name and value is the query parameter value This metadata will allow Token-Oriented Client to trigger authorization with a specified OP through Proxy OP, even if the iss and authorization endpoints are same. With Keycloak as example this can be controlled with "kc_idp_hint" parameter, so the example configuration would be: "openidcProviders": [ { "iss": "https://local-idp.rdap.example.com", "name": "Example Public IDP", "additionalAuthorizationQueryParams": { "kc_idp_hint": "examplepublicidp" } } ] - the Section 5.3 is generic, not depending on client type, so it should move to Section 4 - same applies to Section 5.7 - in OAuth2 the authorization is done using scopes. I think in the Section 6.1 the RP should always require scope "rdap". Also the usage of additionalAuthorizationQueryParams shall be added here. - in 6.1 it may be necessary to add also that the OP SHOULD include the RDAP server in the "aud" claim of the issued token. Alternatively RDAP server may choose to ignore the "aud" claim or exchange the token (as described in the section 7) - we discussed that we do not care that much about remote OPs, however the issue of access_token coming from an unknown OP remains. My proposal for a simple solution would be just to require a query parameter "OP Issuer Identifier" with each RDAP query for non-default OP server. This would be an add to 6.2 - the section 6 should have a subsection about access token validation including: - processing of "OP Issuer Identifier" query parameter and (optional) token introspection with OP or validation of the JWT access token - this would be mainly reference to OAuth2 RFCs - checking "rdap" scope in the access token - optional request for User Claim (as needed by the RDAP server) with an indication about performance implications and hint for caching - I would also add token refresh consideration to the Section 6, namely that the RP needs to take care about refreshing the token as necessary before sending requests to RDAP server - Section 7 only applies to Token-Oriented Clients, so it belongs under Section 6 Kind Regards, Pawel Am 02.12.22 um 15:27 schrieb Hollenbeck, Scott: >> -----Original Message----- >> From: regext <regext-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org >> Sent: Friday, December 2, 2022 9:26 AM >> To: i-d-announce@ietf.org >> Cc: regext@ietf.org >> Subject: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt >> >> Caution: This email originated from outside the organization. Do not click links >> or open attachments unless you recognize the sender and know the content is >> safe. >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the Registration Protocols Extensions WG of the >> IETF. >> >> Title : Federated Authentication for the Registration Data Access >> Protocol (RDAP) using OpenID Connect >> Author : Scott Hollenbeck >> Filename : draft-ietf-regext-rdap-openid-19.txt >> Pages : 46 >> Date : 2022-12-02 >> >> Abstract: >> The Registration Data Access Protocol (RDAP) provides "RESTful" web >> services to retrieve registration metadata from domain name and >> regional internet registries. RDAP allows a server to make access >> control decisions based on client identity, and as such it includes >> support for client identification features provided by the Hypertext >> Transfer Protocol (HTTP). Identification methods that require >> clients to obtain and manage credentials from every RDAP server >> operator present management challenges for both clients and servers, >> whereas a federated authentication system would make it easier to >> operate and use RDAP without the need to maintain server-specific >> client credentials. This document describes a federated >> authentication system for RDAP based on OpenID Connect. > [SAH] This is my first attempt for text that addresses token-oriented clients. I'd greatly appreciate review and feedback. > > Scott > > _______________________________________________ > regext mailing list > regext@ietf.org > https://www.ietf.org/mailman/listinfo/regext -- Pawel Kowalik Head of Product Management -- DENIC eG, Kaiserstraße 75 - 77, 60329 Frankfurt am Main, GERMANY E-Mail: pawel.kowalik@denic.de, Fon: +49 173 3087096 https://www.denic.de Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main) Vorstand: Thomas Keller, Martin Küchenthal, Andreas Musielak, Sebastian Röthler Vorsitzender des Aufsichtsrats: Daniel Rink Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt am Main Allgemeiner Hinweis zur Erfüllung unserer Informationspflichten gemäß Art. 13, Art. 14 DS-GVO: Informationen zur Verarbeitung personenbezogener Daten durch DENIC finden Sie unter https://www.denic.de/datenverarbeitung-allgemein/
- [regext] I-D Action: draft-ietf-regext-rdap-openi… internet-drafts
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Hollenbeck, Scott
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Pawel Kowalik
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Hollenbeck, Scott
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Pawel Kowalik
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Hollenbeck, Scott
- Re: [regext] I-D Action: draft-ietf-regext-rdap-o… Pawel Kowalik