Hi Scott and Tom,

I would like to add something to the points below.
Section 4.8 has:

     If a client sends any request that includes an unknown HTTP
     cookie, the server MUST return an HTTP 409 (Conflict) error.

What is an "unknown HTTP cookie"?
[SAH] It's a cookie that isn't associated with a known session.
Would "request that includes an HTTP cookie that isn't associated
with a known session" be better?
Yep, I think that would be better.
[ML] Should we add that the session must be live, i.e. not expired?

Is there any way to signal the result of an implicit token refresh
operation?
[SAH] The tokenExpiration value will be updated as sessions are
refreshed, but I don't see a way of pushing that information to a
client directly. The updated value will be returned in a
"farv1_session/status" response, so if the client is proactively
monitoring the session as described above it'll be able to detect
implicit refresh successes.
The problem here is similar to that where an end user's session
expires and it's not possible for the end user to distinguish an
authenticated response from an unauthenticated response.  Assuming a
401 can be returned in that other case, then returning a 401 here when
implicit token refresh fails might work?

[ML] For what it's worth, the .it RDAP server signals that the response is unauthenticated by adding the following notice:

    {
      "title": "Anonymous Response",
      "description": [
          "This is a response for an anonymous user"
       ]
    }

As opposed to, or in addition to, what is returned by my current implementation, could this document recommend that servers provide a similar notice for authenticated responses:

    {
      "title": "Authenticated Response",
      "description": [
          "This is a response for an authenticated user"
       ]
    }


Best,

Mario



-Tom

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

--
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo
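The following is an added example, not code from the draft, from the .it RDAP server, or from any list participant. It models the three points raised in the thread in one small Python module: a session cookie is accepted only if it maps to a known and still-live session (otherwise HTTP 409), an implicit refresh only becomes visible to the client through a "farv1_session/status"-style response carrying tokenExpiration, and each 200 response carries an "Anonymous Response" or "Authenticated Response" notice in the form shown above. The cookie name `farv1_session`, the status-response shape beyond `tokenExpiration`, the 409 body text, and all sample values are assumptions made for this example.

```python
# Added example, not code from the draft or from any RDAP server: a toy model
# of the session-cookie handling discussed in the thread.  The cookie name,
# the status-response shape beyond "tokenExpiration", and all sample values
# are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "farv1_session"  # assumed cookie name


@dataclass
class Session:
    user: str
    token_expiration: datetime  # instant after which the session is no longer live


class SessionStore:
    """In-memory map from session cookie value to Session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, cookie_value: str, user: str, lifetime: timedelta, now: datetime) -> Session:
        session = Session(user=user, token_expiration=now + lifetime)
        self._sessions[cookie_value] = session
        return session

    def live(self, cookie_value: str, now: datetime) -> Optional[Session]:
        # An unknown cookie and an expired session are treated alike:
        # neither is associated with a known live session.
        session = self._sessions.get(cookie_value)
        if session is None or session.token_expiration <= now:
            return None
        return session

    def refresh(self, cookie_value: str, lifetime: timedelta, now: datetime) -> Optional[Session]:
        # Implicit refresh: extend a still-live session.  The client learns
        # the new expiration only by asking for the session status.
        session = self.live(cookie_value, now)
        if session is not None:
            session.token_expiration = now + lifetime
        return session


def notice(authenticated: bool) -> dict:
    """Notice in the style of the .it server's 'Anonymous Response' notice."""
    kind = "Authenticated" if authenticated else "Anonymous"
    who = "an authenticated user" if authenticated else "an anonymous user"
    return {"title": f"{kind} Response", "description": [f"This is a response for {who}"]}


def cookie_value(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the session cookie from a raw Cookie header, if present."""
    if not cookie_header:
        return None
    morsel = SimpleCookie(cookie_header).get(SESSION_COOKIE)
    return morsel.value if morsel else None


def conflict() -> Tuple[int, dict]:
    """RDAP error body (errorCode/title/description) for an unknown or dead session."""
    return 409, {"errorCode": 409, "title": "Conflict",
                 "description": ["Cookie is not associated with a known live session"]}


def handle_request(store: SessionStore, cookie_header: Optional[str], now: datetime) -> Tuple[int, dict]:
    """Return (HTTP status, RDAP body) for a lookup carrying the given Cookie header."""
    value = cookie_value(cookie_header)
    if value is None:
        return 200, {"notices": [notice(False)]}   # no session cookie: anonymous
    if store.live(value, now) is None:
        return conflict()                           # Section 4.8 rule as clarified above
    return 200, {"notices": [notice(True)]}


def session_status(store: SessionStore, cookie_header: Optional[str], now: datetime) -> Tuple[int, dict]:
    """farv1_session/status-style response; only 'tokenExpiration' comes from the thread."""
    value = cookie_value(cookie_header)
    session = store.live(value, now) if value else None
    if session is None:
        return conflict()
    return 200, {"tokenExpiration": session.token_expiration.isoformat()}


def demo() -> dict:
    """Run the thread's scenarios against a constructed store; returns what each yields."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed instant
    store = SessionStore()
    store.create("abc123", "alice", timedelta(hours=1), now)  # constructed session
    results = {
        "anonymous": handle_request(store, None, now)[0],
        "authenticated": handle_request(store, "farv1_session=abc123", now)[0],
        "unknown": handle_request(store, "farv1_session=nope", now)[0],
        "expired": handle_request(store, "farv1_session=abc123", now + timedelta(hours=2))[0],
    }
    # Implicit refresh at +50 min keeps the session alive past its original +1 h expiry.
    store.refresh("abc123", timedelta(hours=1), now + timedelta(minutes=50))
    later = now + timedelta(hours=1, minutes=30)
    results["after_refresh"] = handle_request(store, "farv1_session=abc123", later)[0]
    results["status"] = session_status(store, "farv1_session=abc123", later)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A request that carries other cookies but not the session cookie is treated here as anonymous; whether such a request should instead get the 409 is exactly the ambiguity the "unknown HTTP cookie" wording leaves open, and the wording proposed above ("not associated with a known session") resolves it the way this example does.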