Is this a correct sequence of steps for a web service client flow?

1. The RDAP Web Service Client sends an RDAP "help" query to an RDAP server to determine the type and capabilities of the OpenID Providers (OPs) that are used by the RDAP server.
2. The RDAP Web Service Client determines the End-User's OP and confirms that it's supported by the RDAP server.
3. The RDAP Web Service Client sends an Authentication Request to the OP.
4. The OP authenticates the End-User.
5. The OP obtains End-User consent/authorization.
6. The OP returns an Authorization Code to the RDAP Web Service Client.
7. The RDAP Web Service Client requests tokens using the Authorization Code at the OP's Token Endpoint.
8. The RDAP Web Service Client receives a response that contains an ID Token and an Access Token in the response body.
9. The RDAP Web Service Client monitors the token validity period and either refreshes the token or requests new tokens as necessary.
10. The RDAP Web Service Client sends queries that require user identification, authentication, and authorization to an RDAP server that include the ID Token in an HTTP bearer authorization header.
11. The RDAP server validates the ID Token, exchanges it for an Access Token, and retrieves the claims associated with the End-User's identity from the OP.
12. The RDAP server determines the End-User's authorization level and processes the query in accordance with the End-User's authorization level.
Note that this requires the RDAP server to contact the OP as part of processing every query that requires authorization.

Scott

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
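An added illustration of the server-side half of step 11, the RDAP server checking an ID Token taken from the bearer header before it does anything else with it; this is example code written for this page, not code from Scott's message or from any RDAP OpenID implementation. It assumes a constructed HS256 shared key standing in for the OP's real RS256 signing key so it runs offline, a hypothetical `SUPPORTED_OPS` table holding the OPs the server advertised in its "help" response, and a hypothetical client_id `rdap-web-client` as the expected `aud`.

```python
import base64, hashlib, hmac, json, time

# Constructed: issuer -> verification key for the OPs this RDAP server supports.
# A real server would hold each OP's JWKS here, not a shared HMAC secret.
SUPPORTED_OPS = {"https://op.example": b"constructed-demo-key"}
RDAP_CLIENT_ID = "rdap-web-client"  # assumed client_id; the ID Token's expected aud


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(issuer, subject, audience, key, lifetime=300, now=None):
    """Build an HS256-signed ID Token (constructed stand-in for an OP's token)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_bearer_id_token(auth_header, now=None):
    """Return the verified claims, or None if the header or token is not acceptable."""
    now = int(time.time()) if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    header_b64, claims_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # The issuer must be one of the OPs advertised in the "help" response (steps 1-2),
    # and the algorithm must be the one we expect (rejects alg "none" and key confusion).
    key = SUPPORTED_OPS.get(claims.get("iss"))
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    aud = claims.get("aud")
    aud_ok = aud == RDAP_CLIENT_ID or (isinstance(aud, list) and RDAP_CLIENT_ID in aud)
    if not aud_ok or claims.get("exp", 0) <= now:
        return None
    return claims
```

These signature, issuer, audience and expiry checks are local to the RDAP server; only the later claims retrieval (and a periodic key fetch) needs a round trip to the OP.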