Hi Scott,
Responses below.
On 04.01.23 at 13:58, Hollenbeck, Scott wrote:
- In Section 3.1.3, the sequence diagram for the session-oriented client should also contain RDAP server <-> OP interactions, to correspond to the sequence diagram of token-oriented clients.
[SAH] What exactly is missing that needs to be there? I see a number of RDAP
Server interactions with the OP in the existing diagram.
[PK] Reviewed it again and indeed the only flow missing is the "RDAP Query" flow, which may be added for completeness.
Also just noticed that the order of entities is different, with "RDAP Server" and "RDAP Client" being swapped between the two. Maybe this is what confused me initially.
- In Section 4.1 I propose to add an additional member to the object in the openidcProviders array:
  - "additionalAuthorizationQueryParams", being an object where each member name represents a query parameter name and its value is the query parameter value.
This metadata will allow a Token-Oriented Client to trigger authorization with a specified OP through a Proxy OP, even if the iss and authorization endpoints are the same. With Keycloak as an example this can be controlled with the "kc_idp_hint" parameter, so the example configuration would be:
"openidcProviders":
[
  {
    "iss": "https://local-idp.rdap.example.com",
    "name": "Example Public IDP",
    "additionalAuthorizationQueryParams": {
      "kc_idp_hint": "examplepublicidp"
    }
  }
]
[SAH] The RDAP server publishes support for
"additionalAuthorizationQueryParams". How would a client use this information,
or tell the RDAP server to do something with it as part of a query, Pawel?
[PK] This would be my proposal, including the intended handling for the RDAP Client:
- "additionalAuthorizationQueryParams" - an object where each member represents a query parameter name and value. A token-oriented RDAP Client SHOULD add these query parameters with their corresponding values to the Authentication Request URL when requesting authorization from the OP.
Kind Regards,
Pawel
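An added example of the client-side handling proposed above, written for this page and not taken from the draft, from Keycloak, or from the thread's authors. It takes a constructed "openidcProviders" fragment (the "Example Public IDP" entry from the thread plus a second, assumed entry sharing the same iss), picks one entry by name, and builds the OIDC authentication request URL with the "additionalAuthorizationQueryParams" appended. The authorization endpoint path "/auth" is an assumption standing in for what OpenID discovery on the iss would return; the refusal to let a server-published parameter replace response_type, client_id, redirect_uri, scope, state or nonce is this example's own design choice, since those values belong to the client's request and to its state/nonce binding.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample of the help-response fragment discussed in the thread:
# one Proxy OP (single iss) fronting several upstream IdPs chosen via kc_idp_hint.
# The second entry is assumed for illustration only.
SAMPLE_HELP_RESPONSE = json.loads("""
{
  "openidcProviders": [
    {
      "iss": "https://local-idp.rdap.example.com",
      "name": "Example Public IDP",
      "additionalAuthorizationQueryParams": {
        "kc_idp_hint": "examplepublicidp"
      }
    },
    {
      "iss": "https://local-idp.rdap.example.com",
      "name": "Example Corporate IDP",
      "additionalAuthorizationQueryParams": {
        "kc_idp_hint": "examplecorpidp"
      }
    }
  ]
}
""")

# Standard OIDC authentication request parameters that the client itself sets.
# This example never lets a server-published extra parameter replace one of them.
PROTECTED_PARAMS = {"response_type", "client_id", "redirect_uri", "scope",
                    "state", "nonce"}


def select_provider(help_response, name):
    """Return the openidcProviders entry whose "name" matches, else raise KeyError."""
    for op in help_response.get("openidcProviders", []):
        if op.get("name") == name:
            return op
    raise KeyError(f"no openidcProviders entry named {name!r}")


def build_authentication_request(op, authorization_endpoint, client_id,
                                 redirect_uri, state=None, nonce=None):
    """Build the OIDC authentication request URL for the chosen OP entry.

    authorization_endpoint is assumed to have been obtained by OpenID discovery
    on op["iss"]; it is passed in so the example runs offline.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    # Append the server-published parameters (e.g. kc_idp_hint), validating
    # their shape and rejecting any attempt to override a protected parameter.
    extra = op.get("additionalAuthorizationQueryParams", {})
    if not isinstance(extra, dict):
        raise ValueError("additionalAuthorizationQueryParams must be an object")
    for key, value in extra.items():
        if key in PROTECTED_PARAMS:
            raise ValueError(f"server metadata may not override {key!r}")
        if not isinstance(value, str):
            raise ValueError(f"value of {key!r} must be a string")
        params[key] = value
    # Preserve any query the endpoint already carries, then add ours.
    scheme, netloc, path, query, _fragment = urlsplit(authorization_endpoint)
    merged = dict(parse_qsl(query, keep_blank_values=True))
    merged.update(params)
    return urlunsplit((scheme, netloc, path, urlencode(merged), ""))


if __name__ == "__main__":
    chosen = select_provider(SAMPLE_HELP_RESPONSE, "Example Public IDP")
    print(build_authentication_request(
        chosen, "https://local-idp.rdap.example.com/auth",
        client_id="rdap-client", redirect_uri="https://client.example/cb"))
```

Both entries share the same iss, so without the extra parameter the client would have no way to steer the Proxy OP to a particular upstream IdP; with it, the same discovery result yields two distinct authentication request URLs that differ only in kc_idp_hint.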
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext