Hi Scott,
On 15.11.22 at 17:54, Hollenbeck, Scott wrote:
[...]
A "pure OAuth2" solution is probably far more future-proof, IMHO.
Marc.
[SAH] ...but it's not OpenID Connect, which is the focus of the current draft.
Incorporating these concepts into the current draft could mean significant
change to generalize from "Federated Authentication for the Registration Data
Access Protocol (RDAP) using OpenID Connect" to "Federated Authentication for
the Registration Data Access Protocol (RDAP)" or "Federated Authentication for
the Registration Data Access Protocol (RDAP) using <something else>". I'm not
opposed to generalization if it produces a more complete specification, BUT:
OAuth doesn't do identification and authentication [1]. A "pure OAuth2"
solution would require *something else* to provide identification and
authentication. What can we use?
[PK] I think the "OpenID Connect" aspect should remain. My focus was more on the flow, where the RDAP client would interact with the IdP directly instead of letting the RDAP server act as the RP.
The OAuth2 flows I mentioned are generally the same for OpenID and OAuth2, therefore one does not exclude the other.
But you are right, we should be speaking about OpenID Connect rather than pure OAuth2 without the identity part.
When the identity is concerned, I think the important consideration is whether we strive for the model with the Authorization Server as an integral part of an RDAP server infrastructure (inside the same security domain), which can use OpenID Connect to authenticate users via other IdPs (a.k.a. Federated Identity). In this case we only need to focus on the interfaces and flows between the RDAP client and RDAP server, and between the RDAP client and Authorization Server. The integration between the Authorization Server and RDAP server would then be left to the RDAP server operator.
If we also consider "any IdP / OAuth2" server directly performing authorization for the RDAP server, then we would also need to specify the interface between the RDAP server and the Authorization Server.
I would like to hear other voices from the WG on whether "any IdP / OAuth2" is useful to define.
Kind Regards,
Pawel
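As an added illustration of the first model Pawel describes (Authorization Server inside the RDAP server's own security domain), not code from the thread or from any draft: the RDAP server only has to validate bearer tokens minted by its own AS, and a token from any other issuer is rejected because that interface is left to the operator. The issuer and audience URLs, the claim layout, and the HS256 key shared within the domain are assumptions.

```python
# Added example (not from the thread): RDAP server-side check of a bearer token
# issued by an Authorization Server in the same security domain.
# Assumptions: HS256-style JWT with a key shared inside that domain, claim
# names iss/aud/exp/scope/sub, and constructed sample values; a real deployment
# would use a JWT library and asymmetric keys.
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"          # only meaningful inside one security domain
RDAP_ISSUER = "https://as.rdap.example"      # the operator's own AS (constructed)
RDAP_AUDIENCE = "https://rdap.example"       # this RDAP server (constructed)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims, key=SHARED_KEY):
    """What the in-domain AS hands the RDAP client after an OpenID Connect login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def check_bearer(token, now=None, key=SHARED_KEY):
    """RDAP server (resource server) side: accept only tokens from its own AS.
    Returns (accepted, subject-or-reason)."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"          # also catches any tampered claim
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != RDAP_ISSUER:
        return False, "issuer is not the in-domain AS"   # the "any IdP" case is not defined here
    if claims.get("aud") != RDAP_AUDIENCE:
        return False, "token not meant for this RDAP server"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if "rdap" not in str(claims.get("scope", "")).split():
        return False, "missing rdap scope"
    return True, claims.get("sub", "")
```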
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext