Hi Scott,
I have a bit of difficulty with those definitions.
I think this starts with the definition of a client.
RFC 2616 defines it as follows:
client
A program that establishes connections for the purpose of sending
requests.
user agent
The client which initiates a request. These are often browsers,
editors, spiders (web-traversing robots), or other end user tools.
RFC 6749 has a different definition:
An application making protected resource requests on behalf of the
resource owner and with its authorization. The term "client" does
not imply any particular implementation characteristics (e.g.,
whether the application executes on a server, a desktop, or other
devices).
When we now talk of "session-oriented" clients, we actually mean "user
agent" as per RFC 2616, which supports cookies for session management,
whereas "token-oriented" clients are in fact clients in the sense of RFC 6749.
In the definition of "token-oriented" clients there needs to be a
differentiation between OIDC interactions and OAuth2 interactions.
In our scenario the RDAP server is a resource server as per RFC 6749, a role
which does not exist explicitly in OIDC - or, to be fully correct, is
fulfilled by the OP for its own userinfo resource.
So it's incorrect to say that the RDAP server performs RP functions.
Kind Regards,
Pawel
On 28.11.22 at 18:07, Hollenbeck, Scott wrote:
Does this make sense for use as introductory text to appear in new Section
3.1.2 of what will be -19? Please make suggestions for improvement as you see
fit.
3.1.1 Terminology
3.1.2 Client Considerations
Clients that can accept and process HTTP cookies [RFC6265] as part of session-oriented
interactions with an RDAP server are known as "session-oriented" clients. This
type of RDAP client performs the role of an OpenID Connect Core 1.0 [OIDCC] Entity or
End-User. An RDAP server performs the role of an OpenID Connect Core Relying Party (RP).
A web browser used to send queries directly to an RDAP server is an example of a
session-oriented client.
Clients that perform the role of an RP in interactions with an OP and send tokens to an
RDAP server to authorize RDAP queries are known as "token-oriented" clients. An
RDAP server also performs RP functions to verify the tokens received from the client and
to retrieve information from the OP as necessary to make access control decisions. A web
browser running JavaScript received from a web service that sends queries to an RDAP
server is an example of a token-oriented client.
3.1.3 Overview
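To make the distinction the draft text and the reply are arguing about concrete, here is an added Python example (not from the draft, the list, or any RDAP implementation) of how an RDAP server might tell the two client kinds apart on an incoming request: a Cookie header carrying a server-side session identifies a session-oriented client, while an Authorization: Bearer header identifies a token-oriented client whose token the server must verify before deciding access. The session table, cookie name, HMAC-signed demo token format and the key are all constructed for the example; a real deployment would validate the OP-issued token (signature, issuer, audience, expiry) instead of this stand-in, and the role label on the token path follows the resource-server reading from the reply above.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the draft): a server-side session table
# filled by an earlier OIDC login, and the key used to check the demo tokens.
SESSION_COOKIE_NAME = "rdap_session"
SESSIONS = {"sess-7f3a": {"sub": "alice@example.net", "exp": 4102444800}}
TOKEN_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(sub: str, exp: int) -> str:
    """Mint a demo bearer token: base64url(JSON claims).base64url(HMAC-SHA256).
    Stands in for the OP-issued token a token-oriented client would present."""
    claims = _b64url(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(TOKEN_KEY, claims.encode(), hashlib.sha256).digest()
    return f"{claims}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Resource-server check: signature first, then expiry. Returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        claims_part, sig_part = token.split(".", 1)
        presented_sig = _b64url_decode(sig_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_KEY, claims_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return None
    claims = json.loads(_b64url_decode(claims_part))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify_request(headers: dict, now=None) -> dict:
    """Decide which kind of client sent the request and on whose behalf.
    Header names are matched case-insensitively; a bearer token wins over a cookie."""
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth.lower().startswith("bearer "):
        claims = verify_token(auth[7:].strip(), now)
        return {"client": "token-oriented", "server_role": "resource server",
                "subject": claims["sub"] if claims else None,
                "authorized": claims is not None}
    cookies = parse_cookies(h.get("cookie", ""))
    session = SESSIONS.get(cookies.get(SESSION_COOKIE_NAME, ""))
    if session is not None and session["exp"] > now:
        return {"client": "session-oriented", "server_role": "relying party",
                "subject": session["sub"], "authorized": True}
    return {"client": "unauthenticated", "server_role": None,
            "subject": None, "authorized": False}


if __name__ == "__main__":
    tok = make_token("bob@example.net", 4102444800)
    print(classify_request({"Authorization": "Bearer " + tok}))
    print(classify_request({"Cookie": "theme=dark; rdap_session=sess-7f3a"}))
    print(classify_request({}))
```

A tampered or expired token is still recognised as coming from a token-oriented client, but the request is left unauthorized; that separation between "which client kind is this" and "is it allowed" is the part the draft's two paragraphs are trying to pin down.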
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext