Re: [regext] Web Service Client Flow

Mon, 21 Nov 2022 03:22:05 -0800 

Hi Scott,

Am 18.11.22 um 14:01 schrieb Hollenbeck, Scott:

[...]

I would strongly opt for this scenario, as most of the frameworks for
resource server do not go well with multiple token issuer schema, so
the implementation would be a way more complex RDAP server side.

+ 1

[SAH] Me too. This is MUCH easier if we don't have to worry about remote OPs.


[PK] Great, this simplifies a lot of things down the line.



Revised flow:

The RDAP Web Service Client sends an RDAP "help" query to an RDAP server to
determine the type and capabilities of the OpenID Providers (OPs) that are
used by the RDAP server.
The RDAP Web Service Client determines the End-User's OP and confirms that
it's supported by the RDAP server.
The RDAP Web Service Client sends an Authentication Request to the OP.
The OP authenticates the End-User.
The OP obtains End-User consent/authorization.
The OP returns an Authorization Code to the RDAP Web Service Client.
The RDAP Web Service Client requests tokens using the Authorization Code at
the OP's Token Endpoint.
The RDAP Web Service Client receives a response that contains an ID Token and
an Access Token in the response body.
The RDAP Web Service Client monitors the token validity period and either
refreshes the token or requests new tokens as necessary.
The RDAP Web Service Client sends queries that require user identification,
authentication, and authorization to an RDAP server that include a JWT Access
Token [RFC9068] in an HTTP bearer authorization header.

[PK] In this scenario the access token does not need to be always "JWT 
Access Token"
if the assumptions is that it is up to RDAP server to integrate with 
their local OP.

The RDAP server validates the Access Token and retrieves the claims associated
with the End-User's identity from the Access Token or the local OP.

[PK] Just a remark not to limit the text to JWT access token. Opaque 
tokens can also carry data obtainable through token introspection. This 
is again local integration issue RDAP server - local OP which I see out 
of scope for our draft.

The RDAP server determines the End-User's authorization level and processes
the query in accordance with the End-User's authorization level.



Kind Regards,

Pawel

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext






















					Reply via email to