Re: [regext] Web Service Client Flow
Pawel Kowalik <kowalik@denic.de> Fri, 02 December 2022 14:45 UTC
Return-Path: <kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D9B5C14F743 for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 06:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8voKiahi143b for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 06:45:22 -0800 (PST)
Received: from mout-b-110.mailbox.org (mout-b-110.mailbox.org [195.10.208.55]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08CD3C14F736 for <regext@ietf.org>; Fri, 2 Dec 2022 06:45:19 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4NNwhm0LVHz9t4l; Fri, 2 Dec 2022 15:45:12 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1669992312; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NRGdadoBKX9NQOXFPK2ljiCvQSHgEuQ0IFvs5GUYfjw=; b=faOdSYKsxVlnf+Ykix3BLz1gIz2evhG8OYWfwyvpELeJl8RinoHsrduQICiPIIjBDQXJ5a t3bihRrc6+PSFpGXH8oVWIG9gp6U1hAWLBKZ0d/3lyVGufNhtzHBSAlGrXCO5mwMrWb5aJ SeCukHpRzCC6bfKPvY3nYT0CpAHPON9P4Q+KbRF4la5K2GxF3itYDKh/+4DE3kX99WqPpl EE0aAJqy/QGRfseTDqteCvqjTQd6d41t4kTalR6LNSjsbT0ZMa7FjkqqM7zPU7+cGkus57 28SVmI8Gla7FzhaRLjEM4lCT5oQ0bRERpesvBcoBwc62Rn4Z4jbG94UMkiRClQ==
Message-ID: <545ab209-e87e-8230-3d32-0c77da048d9e@denic.de>
Date: Fri, 02 Dec 2022 15:45:06 +0100
MIME-Version: 1.0
Content-Language: de-DE, en-US
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "mario.loffredo@iit.cnr.it" <mario.loffredo@iit.cnr.it>, "regext@ietf.org" <regext@ietf.org>
References: <c13d400573404ec3bf897feb263d5f3c@verisign.com> <44c38e17-0317-1e43-6531-2de6bf7c3cf9@denic.de> <3697246c04fc49c6a152329822594d4b@verisign.com> <41f8647e-959b-35f9-5414-f031a9b629d8@denic.de> <93a0f79c-6720-0e7f-ae3e-689b52359504@iit.cnr.it> <84a6822ea7234bf093b4af31ef136a2c@verisign.com> <b5ac553b-ab58-9703-2445-1274110f51af@denic.de> <1077c9b84e5c404c8533bf9858befa5e@verisign.com> <cc75203eea1d444a9ef4dc7a6f00322a@verisign.com> <b7561c3e-4e2b-942f-b3c1-2e5f7e650cbe@denic.de> <91fca52f19bf4b888cc7f4f5665e6672@verisign.com>
From: Pawel Kowalik <kowalik@denic.de>
In-Reply-To: <91fca52f19bf4b888cc7f4f5665e6672@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-MBO-RS-META: ouobweqdki41c91sizhyceagjdmndh7z
X-MBO-RS-ID: 1d3db831f1ba1c3522a
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ynksP0_JvSwRHnKO3QDlLZrZ8_k>
Subject: Re: [regext] Web Service Client Flow
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 14:45:26 -0000
Hi Scott, Am 30.11.22 um 17:39 schrieb Hollenbeck, Scott: >> -----Original Message----- >> From: Pawel Kowalik <kowalik@denic.de> >> Sent: Wednesday, November 30, 2022 11:15 AM >> To: Hollenbeck, Scott <shollenbeck@verisign.com>; mario.loffredo@iit.cnr.it; >> regext@ietf.org >> Subject: [EXTERNAL] Re: [regext] Web Service Client Flow >> >> Caution: This email originated from outside the organization. Do not click >> links >> or open attachments unless you recognize the sender and know the content is >> safe. >> >> Hi Scott, >> >> I have a bit of difficulty with those definitions. >> >> I think this starts with the definition of a client. >> >> RFC 2616 defines it as follows: >> >> client >> A program that establishes connections for the purpose of sending >> requests. >> >> user agent >> The client which initiates a request. These are often browsers, >> editors, spiders (web-traversing robots), or other end user tools. > [SAH] The draft inherits a definition of "client" from RFC 7480. That's > spelled out in the "terminology" section. [PK2] Indeed I overlooked that. The definition in RFC 7480 actually refers to HTTP user agent, so RFC 2616 definition. >> RFC 6749 has a different definition: >> >> An application making protected resource requests on behalf of the >> resource owner and with its authorization. The term "client" does >> not imply any particular implementation characteristics (e.g., >> whether the application executes on a server, a desktop, or other >> devices). >> >> >> When we now talk of "session-oriented" clients, we actually mean "user >> agent" >> as per RFC 2616 which supports cookies for session management, whereas >> "token-oriented" clients are in fact clients in sense of RFC 6749. > [SAH] OK, so what's the best way to identify these two types of clients in the > draft given the RDAP definition of "client" found in RFC 7480? [PK2] My proposal: Clients that want to delegate OIDC Authentication to RDAP server as part of session-oriented interactions and can accept and process HTTP cookies [RFC6265] to maintain the session are known as "session-oriented" clients. This type of RDAP client performs the role of user agent [RFC2616]. An RDAP server performs the role of an OpenID Connect Core Relying Party (RP). A web browser used to send queries directly to an RDAP server is an example of a session-oriented client. Clients that perform OIDC Authentication directly taking the role of an RP in interactions with an OP and send access tokens [RFC6749] to an RDAP server to authorize RDAP queries are known as "token-oriented" clients. An RDAP server performs resource server functions [RFC6749] to verify the tokens received from the client and RP functions to retrieve information from the OP as necessary to make access control decisions. A web browser running JavaScript received from a web service that sends queries to an RDAP server directly or through its backend web service is an example of a token-oriented client. >> In the definition of "token-oriented" clients there needs to be a >> differentiation >> between OIDC interactions and OAuth2 interactions. >> In our scenario RDAP server is a resource server as per RFC 6749, a role >> which >> does not exist explicitly in OIDC - or to be fully correct is fulfilled by >> OP for its >> own userinfo resource. >> So it's incorrect to say that RDAP server performs RP functions. > [SAH] Note that the OpenID Connect Core specifications says that "OAuth 2.0 > Clients using OpenID Connect are also referred to as Relying Parties (RPs)". > The RDAP server can request claims from an OP using an Access Token. I > described the RDAP server as an RP related to performance of that function. > I'm open to re-wording of the description if it's inaccurate or incomplete. [PK2] See proposal above. Getting information from OP can be seen as RP function whereas token verification isn't. Kind Regards, Pawel
- [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Pawel Kowalik
- Re: [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Pawel Kowalik
- Re: [regext] Web Service Client Flow Mario Loffredo
- Re: [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Pawel Kowalik
- Re: [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Pawel Kowalik
- Re: [regext] Web Service Client Flow Hollenbeck, Scott
- Re: [regext] Web Service Client Flow Pawel Kowalik
- Re: [regext] Web Service Client Flow Hollenbeck, Scott