<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE rfc [ <!ENTITYRFC2119 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'>nbsp " "> <!ENTITYRFC4949 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml'>zwsp "​"> <!ENTITYRFC6265 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6265.xml'>nbhy "‑"> <!ENTITYRFC6749 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml'> <!ENTITY RFC6750 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6750.xml'> <!ENTITY RFC7009 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7009.xml'> <!ENTITY RFC7480 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7480.xml'> <!ENTITY RFC7481 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7481.xml'> <!ENTITY RFC7519 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml'> <!ENTITY RFC7617 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7617.xml'> <!ENTITY RFC7662 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7662.xml'> <!ENTITY RFC7942 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7942.xml'> <!ENTITY RFC8126 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml'> <!ENTITY RFC8174 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml'> <!ENTITY RFC8414 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml'> <!ENTITY RFC8628 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8628.xml'> <!ENTITY RFC8693 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8693.xml'> <!ENTITY RFC8792 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8792.xml'> <!ENTITY RFC9068 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9068.xml'> <!ENTITY RFC9082 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9082.xml'> <!ENTITY RFC9083 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9083.xml'> <!ENTITY RFC9110 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml'> <!ENTITY RFC9325 PUBLIC '' 'https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9325.xml'> <!ENTITY I-D.ietf-oauth-security-topics PUBLIC '' 'https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-oauth-security-topics.xml'>wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt"?> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="4"?> <?rfc compact="yes"?> <?rfc subcompact="yes"?> <?rfc sortrefs="yes"?> <?rfc symrefs="yes"?> <?rfc iprnotified="no"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-regext-rdap-openid-27" number="9560" ipr="trust200902"submissionType="IETF" consensus="true">tocInclude="true" tocDepth="4" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3"> <front> <titleabbrev="OpenID Connectabbrev="OIDC for RDAP">Federated Authentication for the Registration Data Access Protocol (RDAP)usingUsing OpenID Connect</title> <seriesInfo name="RFC" value="9560"/> <author initials="S." surname="Hollenbeck" fullname="Scott Hollenbeck"> <organization>Verisign Labs</organization> <address> <postal> <street>12061 Bluemont Way</street> <city>Reston</city> <region>VA</region> <code>20190</code><country>USA</country><country>United States of America</country> </postal> <email>shollenbeck@verisign.com</email> <uri>https://www.verisignlabs.com/</uri> </address> </author><date/> <area>Applications</area> <workgroup>REGEXT Working Group</workgroup><date year="2024" month="April"/> <area>art</area> <workgroup>regext</workgroup> <keyword>RDAP</keyword> <keyword>Federated</keyword> <keyword>Authentication</keyword> <abstract> <t>The Registration Data Access Protocol (RDAP) provides"RESTful"Representational State Transfer (RESTful) web services to retrieve registration metadata from domain name and regional internet registries. RDAP allows a server to make access control decisions based on client identity, and assuchsuch, it includes support for client identification features provided by the Hypertext Transfer Protocol (HTTP). Identification methods that require clients to obtain and manage credentials from every RDAP server operator present management challenges for both clients and servers, whereas a federated authentication system would make it easier to operate and use RDAP without the need to maintain server-specific client credentials. This document describes a federated authentication system for RDAP based on OpenID Connect.</t> </abstract> </front> <middle><section title="Introduction"><section> <name>Introduction</name> <t>The Registration Data Access Protocol (RDAP) provides"RESTful"Representational State Transfer (RESTful) web services to retrieve registration metadata from domain name and regional internet registries. RDAP allows a server to make access control decisions based on client identity, and assuchsuch, it includes support for client identification features provided by the Hypertext Transfer Protocol (HTTP) <xref target="RFC9110"/>.</t> <t>RDAP is specified in multiple documents, including"HTTP Usage in the Registration Data Access Protocol (RDAP)""<xref target="RFC7480" format="title"/>" <xref target="RFC7480"/>,"Security Services for the Registration Data Access Protocol (RDAP)""<xref target="RFC7481" format="title"/>" <xref target="RFC7481"/>,"Registration Data Access Protocol Query Format""<xref target="RFC9082" format="title"/>" <xref target="RFC9082"/>, and"JSON Responses for the Registration Data Access Protocol (RDAP)""<xref target="RFC9083" format="title"/>" <xref target="RFC9083"/>.RFC 7481<xref target="RFC7481"/> describes client identification and authentication services that can be used with RDAP, but it does not specify how any of these services can (or should) be used with RDAP.</t> <sectionanchor="problem" title="Problem Statement">anchor="problem"> <name>Problem Statement</name> <t>The conventional"user name"username and password" authentication method does not scale well in the RDAP ecosystem. Assuming that all domain name and address registries will eventually provide RDAP service, it is impractical and inefficient for users to secure login credentials from the hundreds of different server operators. Authentication methods based onuser namesusernames and passwords do not provide information that describes the user in sufficient detail (while protecting the personal privacy of the user) for server operators to make fine-grained access control decisions based on the user's identity. The authentication system used for RDAP needs to address all of these needs.</t> </section><section title="Approach"><section> <name>Approach</name> <t>A basic level of RDAP service can be provided to users who possess an identifier issued by a recognized provider who can authenticate and validate the user.TheFor example, the identifiers issued by social mediaservices, for example,services can be used. Users who require higher levels of service (and who are willing to share more information about themselves to gain access to that service) can secure identifiers from specialized providers who are or will be able to provide more detailed information about the user. Server operators can then make access control decisions based on the identification information provided by the user.</t> <t>A federated authentication system in which an RDAP server outsources identification and authentication services to a trusted identity provider would make it easier to operate and use RDAP by reusing existing identifiers to provide a basic level of access. It can also provide the ability to collect additional user identification information, and that information can be shared with the RDAP server operator with the consent of the user in order to help the server operator make access control decisions. This type of system allows an RDAP server to make access control decisions based on the nature of a query and the identity, authentication, and authorization information that is received from the identity provider. This document describes a federated authentication system for RDAP based on OpenID Connect <xref target="OIDC"/> that meets these needs.</t> </section> </section><section title="Conventions<section> <name>Conventions Used in ThisDocument">Document</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> <t>All of the HTTP requests described in this document that are sent from an RDAP client to an RDAP server use the HTTP GET method as specified in <xref target="RFC9110"/>.</t> <t>Long lines in examples are wrapped usingthe"The Single Backslash Strategy" described inRFC 8792<xref target="RFC8792"/>.</t> </section> <sectionanchor="RDAP-FedAuth" title="Federatedanchor="RDAP-FedAuth"> <name>Federated Authentication forRDAP">RDAP</name> <t>RDAP itself does not include built-in security services. Instead, RDAP relies on features that are available in other protocol layers to provide needed security services including access control, authentication, authorization, availability, data confidentiality, data integrity, and identification. A description of each of these security services can be found in"Internet Security Glossary, Version 2""<xref target="RFC4949" format="title"/>" <xref target="RFC4949"/>. This document focuses on a federated authentication system for RDAP that provides services for authentication, authorization, and identification, allowing a server operator to make access control decisions.Section 3 of RFC 7481<xreftarget="RFC7481"/>section="3" target="RFC7481" sectionFormat="of"/> describes general considerations for RDAP access control, authentication, and authorization.</t> <t>The conventional client-server authentication model requires clients to maintain distinct credentials for every RDAP server. This situation can become unwieldy as the number of RDAP servers increases. Federated authentication mechanisms allow clients to use one credential to access multiple RDAP servers and reduce client credential management complexity.</t> <sectionanchor="RDAP-OIDC" title="RDAPanchor="RDAP-OIDC"> <name>RDAP and OpenIDConnect">Connect</name> <t>OpenID Connect 1.0 <xref target="OIDCC"/> is a decentralized,single sign-onSingle Sign-On (SSO) federated authentication system that allows users to access multiple web resources with one identifier instead of having to create multiple server-specific identifiers. Users acquire identifiers from OpenIDProviders, or OPs.Providers (OPs). RelyingParties, or RPs,Parties (RPs) are applications (such as RDAP) that outsource their user authentication function to an OP. OpenID Connect is built on top of the authorization framework provided by the OAuth 2.0 protocol <xreftarget="RFC6749"/> protocol.</t>target="RFC6749"/>.</t> <t>The OAuth authorization framework describes a method for users to access protected web resources without having to hand out their credentials. Instead, clients are issuedAccess Tokensaccess tokens byOpenID ProvidersOPs with the permission of the resource owners. Using OpenID Connect and OAuth, multiple RDAP servers can form afederationfederation, and clients can access any server in the federation by providing one credential registered with any OP in that federation. The OAuth authorization framework is designed for use with HTTP and thus can be used with RDAP.</t> <sectionanchor="terms" title="Terminology">anchor="terms"> <name>Terminology</name> <t>This document uses theterms "client" and "server" asfollowing terminology.</t> <t>Terms defined byRDAP<xreftarget="RFC7480"/>.</t> <t>This document uses the terms "Access Token", "Authorization Code", "Authorization Endpoint", "Authorization Grant", "Client Authentication", "Client Identifier", "Protected Resource", "Refresh Token", "Resource Owner", "Resource Server", and "Token Endpoint"target="RFC7480" format="default"/>:</t> <ul spacing="normal"> <li>client</li> <li>server</li> </ul> <t>Terms defined byOAuth 2.0<xreftarget="RFC6749"/>; the terms "Claim Name", "Claim Value", and "JSON Web Token (JWT)"target="RFC6749" format="default"/>:</t> <ul spacing="normal"> <li>access token</li> <li>authorization code</li> <li>authorization endpoint</li> <li>authorization grant</li> <li>client authentication</li> <li>client identifier</li> <li>protected resource</li> <li>refresh token</li> <li>resource owner</li> <li>resource server</li> <li>token endpoint</li> </ul> <t>Terms defined byJSON<xref target="RFC7519" format="default"/>:</t> <ul spacing="normal"> <li>claim name</li> <li>claim value</li> <li>JSON Web Token(JWT) <xref target="RFC7519"/>; the terms "ID Token" and "UserInfo Endpoint"(JWT)</li> </ul> <t>Terms defined byOpenID Connect Core 1.0<xreftarget="OIDCC"/>; and the term "JWT Access Token"target="OIDCC" format="default"/>:</t> <ul spacing="normal"> <li>ID Token</li> <li>UserInfo Endpoint</li> </ul> <t>Term defined byRFC 9068<xreftarget="RFC9068"/>. Additionaltarget="RFC9068" format="default"/>:</t> <ul spacing="normal"> <li>JWT access token</li> </ul> <t>Additional terms from Section 1.2 of the OpenID Connect Core specification are incorporated by reference.</t> <t>This document uses the terms "remote" and "default" to describe the relationship between an RDAP server and theOpenID ProvidersOPs that it interacts with. A "remote"OpenID ProviderOP is one that is identified by the RDAPClientclient by providing either an Issuer Identifier or anEnd-User Identifierend-user identifier in a login request. Whether an Issuer Identifier orEnd-User Identifierend-user identifier can be provided in the login request for the purposes of selecting anOpenID ProviderOP can be determined by retrieving the RDAPServer'sserver's OIDC configuration details (see <xref target="openidcConfiguration"/>). A "default"OpenID ProviderOP is one that the RDAPServerserver will use when the RDAPClientclient does not provide an Issuer Identifier or anEnd-User Identifierend-user identifier in the login request.</t> <t>This document uses the term "session" to describe a set of interactions between an RDAP client and an RDAP server during a given period of time. For session-oriented clients (see <xref target="client-cons"/>), the RDAP session is a typical HTTP session starting with a farv1_session/login request and ending with either a farv1_session/logout request (see <xref target="protocol"/> for a description of both path segments) or a timeout. For token-oriented clients (see Sections <xreftarget="client-cons"/>target="client-cons" format="counter"/> and <xreftarget="protocol-tokens"/>),target="protocol-tokens" format="counter"/>), the RDAP session corresponds to the lifespan of an authorization obtained from an OP and the correspondingAccess Token,access token, including any refreshedAccess Token.</t>access tokens.</t> </section> <sectionanchor="client-cons" title="Client Considerations">anchor="client-cons"> <name>Client Considerations</name> <t>Clients that delegate OIDCAuthenticationauthentication to an RDAP server as part of session-orientedinteractions,interactions and can accept and process HTTP cookies <xref target="RFC6265"/> to maintain thesession,session are known as "session-oriented" clients. This type of RDAP client performs the role of a user agent <xref target="RFC9110"/>. An RDAP server performs the role of an OpenID Connect Core Relying Party (RP). A web browser used to send queries directly to an RDAP server is an example of a session-oriented client. Specifications for this type of client can be found in <xref target="protocol"/>.</t> <t>Clients that perform OIDCAuthenticationauthentication directly, taking the role of an RP in interactions with an OP and sendingAccess Tokensaccess tokens <xref target="RFC6749"/> to an RDAP server to authorize RDAP queries, are known as "token-oriented" clients. An RDAP server performs resource server <xref target="RFC6749"/> functions to verify the tokens received from theclient,client and RP functions to retrieve information from the OP as necessary to make access control decisions. A web browser running JavaScript received from a web service that sends queries to an RDAP server directly or through its back-end web service is an example of a token-oriented client. Specifications for this type of client can be found in <xref target="protocol-tokens"/>.</t> <t>ClientsMAY<bcp14>MAY</bcp14> operate as either session-oriented or token-oriented clients, but theyMUST<bcp14>MUST</bcp14> do so consistently by not mixing token-oriented and session-oriented requests while interacting with an OP. ServersSHOULD<bcp14>SHOULD</bcp14> support both types of client to maximizeinteroperability,interoperability butMAY<bcp14>MAY</bcp14> choose to support only one type of client as required by local policy or operating conditions. A server that does not support a particular client type will not support the protocol features (the data structures, path segments, parameters, and interactions) specified for that client type. Server signaling of supported client types is described in <xref target="openidcConfiguration"/>.</t> </section> <sectionanchor="overview" title="Overview">anchor="overview"> <name>Overview</name> <t>At a high level, RDAP authentication of a session-oriented client using OpenID Connect requires completion of the following steps:</t><t><list style="numbers"><ol spacing="normal" type="1"> <li> <t>An RDAP client sends an RDAP "help" query to an RDAP server to determine thetypetypes and capabilities of theOpenID ProvidersOPs that are used by the RDAP server. This information is returned in therdapConformance"rdapConformance" section of the response. A value of "farv1" indicates support for the extension described in this specification. If one or more remoteOpenID ProvidersOPs are supported, the RDAP clientSHOULD<bcp14>SHOULD</bcp14> evaluate the additional information described in <xref target="openidcConfiguration"/> in order to discover the capabilities of the RDAP server and optionally obtain the set of supported OPs unless that information is available from a trusted out-of-band source and has already been processed.</t> </li> <li> <t>An RDAP client sends an RDAP "login" request to an RDAP server as described in <xref target="client-login"/>.</t> </li> <li> <t>The RDAP server prepares an Authentication Request containing the desired request parameters.</t> </li> <li> <t>The RDAP server sends an Authentication Request to anOpenID Provider (OP) Authorization EndpointOP authorization endpoint and redirects the RDAP client to theOpenID ProviderOP using an HTTP redirect.</t> </li> <li> <t>TheOpenID ProviderOP authenticates theEnd-User.</t>end user.</t> </li> <li> <t>TheOpenID ProviderOP obtainsEnd-User consent/authorization.</t>end-user consent and authorization.</t> </li> <li> <t>TheOpenID ProviderOP sends the RDAPClientclient back to the RDAP server with anAuthorization Codeauthorization code using an HTTP redirect.</t> </li> <li> <t>The RDAP server requests tokens using theAuthorization Codeauthorization code at theOpenID Provider's Token Endpoint.</t>OP's token endpoint.</t> </li> <li> <t>The RDAP server receives a response that contains an ID Token andAccess Tokenaccess token in the response body.</t> </li> <li> <t>The RDAP server validates the tokens as described in <xref target="OIDCC"/> and retrieves the claims associated with theEnd-User'send user's identity from theOpenID Provider'sOP's UserInfo Endpoint.</t></list> </t> <figure anchor="sequence_diagram_session"> <preamble>The</li> </ol> <t keepWithNext="true">The steps above can be described in a sequencediagram:</preamble> <artwork xml:space="preserve">diagram:</t> <figure anchor="sequence_diagram_session"> <artwork><![CDATA[ End OpenID RDAP RDAP User Provider Client Server | | | | | | |-----HelpQuery---->|Query---->| | | | | | ||<---Help|<---Help Response---| | | | | |-------LoginRequest------>|Request------>| | | | | | | | |---LoginRequest--->|Request--->| | | | | ||<-----Authentication|<-----Authentication Request------| | | | | | Credential--| | ||<--Request|<--Request | | | | | | | |--Credential | | | |Response->|Response->| | | | | | | | |-----AuthenticationResponse----->|Response----->| | | | | ||<----------Token|<----------Token Request----------| | | | | | |-----------TokenResponse-------->|Response-------->| | | | | ||<----------Claim|<----------Claim Request----------| | | | | | |-----------ClaimResponse-------->|Response-------->| | | | | | ||<--Login|<--Login Response---| | | | ||<------Login|<------Login Response------| | | | | | |----------RDAPQuery------>|Query------>| | | | | | | | |-----RDAPQuery---->|Query---->| | | | | | ||<---RDAP|<---RDAP Response---| | | | ||<------RDAP|<------RDAP Response-------|| </artwork>|]]></artwork> </figure> <t>The RDAP server can then make identification, authorization, and access control decisions based onEnd-Userend-user identity information and local policies. Note that OpenID Connect describes different process flows for other types of clients, such as script-based orcommand linecommand-line clients.</t> <t>RDAP authentication of a token-oriented client using OpenID Connect requires completion of the following steps:</t><t><list style="numbers"><ol spacing="normal" type="1"><li> <t>An RDAP client sends an RDAP "help" query to an RDAP server to determine the type and capabilities of theOpenID Providers (OPs)OPs that are used by the RDAP server. This information is returned in therdapConformance"rdapConformance" section of the response. A value of "farv1" indicates support for the extension described in this specification. If one or more remoteOpenID ProvidersOPs are supported, the RDAP clientSHOULD<bcp14>SHOULD</bcp14> evaluate the additional information described in <xref target="openidcConfiguration"/> in order to discover the capabilities of the RDAP server and optionally obtain the set of supported OPs. Support for token-oriented clients requires a default OP.</t> </li> <li> <t>The RDAP client determines theEnd-User'send user's OP and confirms that it's supported by the RDAP server.</t> </li> <li> <t>The RDAP client sends an Authentication Request to the OP'sAuthorization Endpoint.</t>authorization endpoint.</t> </li> <li> <t>The OP authenticates theEnd-User.</t>end user.</t> </li> <li> <t>The OP obtainsEnd-User consent/authorization.</t>end-user consent or authorization.</t> </li> <li> <t>The OP returns anAuthorization Codeauthorization code to the RDAP client.</t> </li> <li> <t>The RDAP client requests tokens using theAuthorization Codeauthorization code at the OP'sToken Endpoint.</t>token endpoint.</t> </li> <li> <t>The RDAP client receives a response that contains an ID Token and anAccess Tokenaccess token in the response body.</t> </li> <li> <t>The RDAP client monitors the token validity period and either refreshes the token or requests new tokens as necessary.</t> </li> <li> <t>The RDAP client sends queries that require user identification, authentication, and authorization to an RDAP server that include anAccess Tokenaccess token in an HTTP"Authorization""authorization" header using the"Bearer""bearer" authentication scheme described inRFC 6750<xref target="RFC6750"/>.</t> </li> <li> <t>The RDAP server validates theAccess Tokenaccess token and retrieves the claims associated with theEnd-User'send user's identity from the OP's UserInfo Endpoint.</t> </li> <li> <t>The RDAP server determines theEnd-User'send user's authorization level and processes the query in accordance with server policies.</t></list> </t> <figure anchor="sequence_diagram_token"> <preamble>The</li> </ol> <t keepWithNext="true">The steps above can be described in a sequencediagram:</preamble> <artwork xml:space="preserve">diagram:</t> <figure anchor="sequence_diagram_token"> <artwork><![CDATA[ End OpenID RDAP RDAP User Provider Client Server | | | | | | |-----HelpQuery---->|Query---->| | | | | | ||<----Help|<----Help Response--| | | | | |-------LoginRequest------>|Request------>| | | | | | ||<-Authentication|<-Authentication | | | Request---| | | | | ||<-Credential|<-Credential | | | | Request---| | | | | | | |--Credential | | | |Response->|Response->| | | | | | | | |--Authentication | | |Response--->|Response--->| | | | | | ||<-Token|<-Token | | | | Request----| | | | | | | |--Token | | | |Response-->|Response-->| | | | | ||<------Login|<------Login Response------| | | | | | |-----RDAPQuery----------->|Query----------->| | | | | | | | |----RDAPQuery----->|Query----->| | | | | ||<------------Claim|<------------Claim | | | Request---------------| | | | | | |-------------Claim | | |Response------------->|Response------------->| | | | | | ||<---RDAP|<---RDAP Response---| | | | ||<----RDAP|<----RDAP Response---------|| </artwork>|]]></artwork> </figure> </section> <sectionanchor="process" title="RDAPanchor="process"> <name>RDAP Authentication and AuthorizationSteps"> <t>End-Users MAYSteps</name> <t>End users <bcp14>MAY</bcp14> present an identifier (an OpenID) issued by an OP to use OpenID Connect with RDAP. If the RDAP server supports a defaultOpenID ProviderOP or if provider discovery is not supported, theEnd-Userend-user identifierMAY<bcp14>MAY</bcp14> be omitted. An OPSHOULD<bcp14>SHOULD</bcp14> include support for the claims described in <xref target="rdap-claims"/> to provide additional information needed for RDAPEnd-Userend-user authorization; in the absence of theseclaimsclaims, clients and serversMAY<bcp14>MAY</bcp14> make authorization and access control decisions as appropriate given any other information returned from the OP. OpenID Connect requires RPs to register with OPs to use OpenID Connect services for anEnd-User.end user. The registration process is often completed using out-of-band methods, but it is also possible to use the automated method described by the"OpenIDOpenID Connect Dynamic ClientRegistration"Registration protocol <xref target="OIDCR"/>. The parties involved can use any method that is mutually acceptable.</t> <sectionanchor="discovery" title="Provider Discovery">anchor="discovery"> <name>Provider Discovery</name> <t>An RDAPserver/RPserver acting as an RP needs to be able to map anEnd-User'send user's identifier to an OP. This can be accomplished using theOPTIONAL "OpenID<bcp14>OPTIONAL</bcp14> OpenID ConnectDiscovery"Discovery protocol <xref target="OIDCD"/>, but that protocol is not widely implemented. Out-of-band methods are also possible and can be more dependable. For example, an RP can support a limited number of OPs and maintain internal associations of those identifiers with the OPs that issued them.</t> <t>Alternatively, if mappingofanEnd-User'send user's identifier is not possible, or not supported by the RDAP server, the RDAP serverSHOULD<bcp14>SHOULD</bcp14> support explicit specification of a remote OP by the RDAP client in the form of a query parameter as described in <xref target="issuer-identifier"/> unless the remote OP has been identified using an out-of-band mechanism. An RDAP serverMUST<bcp14>MUST</bcp14> provide information about its capabilities and supported OPs in the "help" query response in the "farv1_openidcConfiguration" data structure described in <xref target="openidcConfiguration"/>. An RDAPserver/RP MUSTserver acting as an RP <bcp14>MUST</bcp14> support at least one of these methods of OP discovery.</t> </section> <sectionanchor="auth-request" title="Authentication Request">anchor="auth-request"> <name>Authentication Request</name> <t>Once the OP is known, an RPMUST<bcp14>MUST</bcp14> form an Authentication Request and send it to the OP as described in Section 3 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>. The authentication path followed (authorization, implicit, or hybrid) will depend on the Authentication Request response_type set by the RP. The remainder of the processing steps described here assume that theAuthorization Code Flowauthorization code flow is being used by setting "response_type=code" in the Authentication Request.</t> <t>The benefits of using theAuthorization Code Flowauthorization code flow for authenticating a human user are described in Section 3.1 ofthe OpenID Connect Core protocol.<xref target="OIDCC"/>. The Implicit Flow is more commonly used by clients implemented in a web browser using a scripting language; it is described in Section 3.2 ofthe OpenID Connect Core protocol.<xref target="OIDCC"/>. At the time of this writing, the Implicit Flow is considered insecure and efforts are being made to deprecate the flow. The Hybrid Flow (described in Section 3.3 ofthe OpenID Connect Core protocol)<xref target="OIDCC"/>) combines elements of theAuthorization Codeauthorization code and Implicit Flows by returning some tokens from theAuthorization Endpointauthorization endpoint and others from theToken Endpoint.</t>token endpoint.</t> <t>An Authentication Request can contain several parameters.REQUIRED<bcp14>REQUIRED</bcp14> parameters are specified in Section 3.1.2.1 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>. Apart from these parameters, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that the RP include the optional "login_hint" parameter in the request, with the value being that of the "farv1_id" query parameter of theEnd-User'send user's RDAP "login" request, if provided. Passing the "login_hint" parameter allows a client to pre-fill login form information, so logging in can be more convenient for users. Other parametersMAY<bcp14>MAY</bcp14> be included.</t> <t>The OP receives the Authentication Request and attempts to validate it as described in Section 3.1.2.2 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>. If the request is valid, the OP attempts to authenticate theEnd-Userend user as described in Section 3.1.2.3 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>. The OP returns an error response if the request is not valid or if any error is encountered.</t> </section> <sectionanchor="End-User-auth" title="End-User Authorization">anchor="End-User-auth"> <name>End User Authorization</name> <t>After theEnd-Userend user is authenticated, the OPMUST<bcp14>MUST</bcp14> obtain consent from theEnd-Userend user to release authorization information to the RDAPServer/RP.server acting as an RP. This process is described in Section 3.1.2.4 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>.</t> </section> <sectionanchor="auth-valid" title="Authorizationanchor="auth-valid"> <name>Authorization Response andValidation">Validation</name> <t>After obtaining an authorization result, the OP will send a response to the RP that provides the result of the authorization process using anAuthorization Code.authorization code. The RPMUST<bcp14>MUST</bcp14> validate the response. This process is described in Sections 3.1.2.5 - 3.1.2.7 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>.</t> </section> <sectionanchor="tokens" title="Token Processing">anchor="tokens"> <name>Token Processing</name> <t>The RP sends aToken Requesttoken request using theAuthorization Grantauthorization grant to aToken Endpointtoken endpoint to obtain aToken Responsetoken response containing anAccess Token,access token, ID Token, and anOPTIONAL Refresh Token.<bcp14>OPTIONAL</bcp14> refresh token. The RPMUST<bcp14>MUST</bcp14> validate theToken Response.token response. This process is described in Section 3.1.3.5of the OpenID Connect Core protocol<xref target="OIDCC"/>.</t> </section> <sectionanchor="user-info" title="Deliveryanchor="user-info"> <name>Delivery of UserInformation">Information</name> <t>The set of claims can be retrieved by sending a request to a UserInfo Endpoint using theAccess Token.access token. The claims are returned in the ID Token. The process of retrieving claims from a UserInfo Endpoint is described in Section 5.3 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>.</t> <t>OpenID Connect specifies a set of standard claims in Section 5.1 ofthe OpenID Connect Core protocol<xref target="OIDCC"/>. Additional claims for RDAP are described in <xref target="rdap-claims"/>.</t> </section> </section> <sectionanchor="rdap-claims" title="Specializedanchor="rdap-claims"> <name>Specialized Claims and Authorization Scope forRDAP">RDAP</name> <t>OpenID Connect claims are pieces of information used to make assertions about an entity. Section 5 ofthe OpenID Connect Core protocol<xref target="OIDCC"/> describes a set of standard claims. Section 5.1.2 of <xref target="OIDCC"/> notes that additional claimsMAY<bcp14>MAY</bcp14> be used, and it describes a method to create them. The set of claims that are specific to RDAP are associated with an OAuth scope request parameter value (seeSection 3.3 of RFC 6749 (<xref target="RFC6749"/>))<xref section="3.3" target="RFC6749" sectionFormat="of"/>) of "rdap".</t> <sectionanchor="stated-purposes" title="Stated Purposes">anchor="stated-purposes"> <name>Stated Purposes</name> <t>Communities of RDAP users and operators may wish to make and validate claims about a user's "need to know" when it comes to requesting access to a protected resource. For example, a law enforcement agent or a trademark attorney may wish to be able to assert that they have a legal right to access a protected resource, and a server operator may need to be able to receive and validate that claim. These needs can be met by defining and using an additional "rdap_allowed_purposes" claim.</t> <t>The "rdap_allowed_purposes" claim identifies the purposes for which access to a protected resource can be requested by anEnd-User.end user. Use of the "rdap_allowed_purposes" claim isOPTIONAL;<bcp14>OPTIONAL</bcp14>; processing of this claim is subject to server acceptance of the purposes, the trust level assigned to this claim by the server, and successful authentication of theEnd-User.end user. Unrecognized purpose valuesMUST<bcp14>MUST</bcp14> beignoredignored, and the associated queryMUST<bcp14>MUST</bcp14> be processed as if the unrecognized purpose value was not present at all. See <xref target="purpose-registry"/> for a description of the IANA considerations associated with this claim.</t> <t>The "rdap_allowed_purposes" claim is represented as an array of case-sensitive StringOrURI values as specified inSection 2 of the JSON Web Token (JWT) specification (<xref target="RFC7519"/>).<xref section="2" target="RFC7519" sectionFormat="of"/>. An example:</t> <t>"rdap_allowed_purposes": ["domainNameControl","dnsTransparency"]</t> <t>Purpose values are assigned to anEnd User'send user's credential by an identity provider. IdentityProvider. Identity Providers MUSTproviders <bcp14>MUST</bcp14> ensure that appropriate purpose values are only assigned toEnd Userend user identities that are authorized to use them.</t> </section> <sectionanchor="rdap_dnt_allowed" title="Doanchor="rdap_dnt_allowed"> <name>Do NotTrack">Track</name> <t>Communities of RDAP users and operators may wish to make and validate claims about a user's wish to not have their queries logged, tracked, or recorded. For example, a law enforcement agent may wish to assert that their queries are part of a criminal investigation and should not be tracked due to a risk of query exposure compromising the investigation, and a server operator may need to be able to receive and validate that claim. These needs can be met by defining and using an additional "do not track" claim.</t> <t>The "do not track" ("rdap_dnt_allowed") claim can be used to identify anEnd-Userend user that is authorized to perform queries without theEnd-User'send user's association with those queries being logged, tracked, or recorded by the server. Client use of the "rdap_dnt_allowed" claim isOPTIONAL.<bcp14>OPTIONAL</bcp14>. Server operatorsMUST NOT<bcp14>MUST NOT</bcp14> log, track, or record any association of the query and theEnd-User'send user's identity if theEnd-Userend user is successfully identified and authorized, if the "rdap_dnt_allowed" claim is present, if the value of the claim is "true", and if accepting the claim complies with local regulations regarding logging and tracking.</t> <t>The "rdap_dnt_allowed" value is represented as a JSON boolean literal. An example:</t> <t>rdap_dnt_allowed: true</t> <t>No special query tracking processing is required if this claim is not present or if the value of the claim is "false". Use of this claimMUST<bcp14>MUST</bcp14> be limited toEnd-Usersend users who are granted "do not track" privileges in accordance with service policies and regulations. Specification of these policies and regulations is beyond the scope of this document.</t> </section> </section> </section> </section> <sectionanchor="protocol-common" title="Commonanchor="protocol-common"> <name>Common ProtocolFeatures">Features</name> <t>As described in <xref target="discovery"/>, an RDAP serverMUST<bcp14>MUST</bcp14> provide information about its capabilities and supported OPs in a "help" query response. This specification describes a new "farv1_openidcConfiguration" data structure that describes the OpenID Connect configuration and related extension features supported by the RDAP server. This data structure is returned to all client types.</t> <sectionanchor="openidcConfiguration" title="OpenIDanchor="openidcConfiguration"> <name>OpenID ConnectConfiguration">Configuration</name> <t>The "farv1_openidcConfiguration" data structure is an object with the following members:</t><t><list style="numbers"> <t>"sessionClientSupported": (REQUIRED)<dl spacing="normal" newline="false"> <dt>"sessionClientSupported":</dt> <dd>(<bcp14>REQUIRED</bcp14>) a boolean value that describes RDAP server support for session-oriented clients (see <xreftarget="client-cons"/>).</t> <t>"tokenClientSupported": (REQUIRED)target="client-cons"/>).</dd> <dt>"tokenClientSupported":</dt> <dd>(<bcp14>REQUIRED</bcp14>) a boolean value that describes RDAP server support for token-oriented clients (see <xreftarget="client-cons"/>).</t> <t>"dntSupported": (REQUIRED)target="client-cons"/>).</dd> <dt>"dntSupported":</dt> <dd>(<bcp14>REQUIRED</bcp14>) a boolean value that describes RDAP server support for the "farv1_dnt" query parameter (see <xreftarget="rdap-do-not-track"/>).</t> <t>"providerDiscoverySupported": (OPTIONAL)target="rdap-do-not-track"/>).</dd> <dt>"providerDiscoverySupported":</dt> <dd>(<bcp14>OPTIONAL</bcp14>) a boolean value that describes RDAP server support for discovery of providers ofEnd-Userend-user identifiers. The default value is"true".</t> <t>"issuerIdentifierSupported": (OPTIONAL)"true".</dd> <dt>"issuerIdentifierSupported":</dt> <dd>(<bcp14>OPTIONAL</bcp14>) a boolean value that describes RDAP server support for explicit client specification of an Issuer Identifier. The default value is"true".</t> <t>"implicitTokenRefreshSupported": (OPTIONAL)"true".</dd> <dt>"implicitTokenRefreshSupported":</dt> <dd>(<bcp14>OPTIONAL</bcp14>) a boolean value that describes RDAP server support for implicit token refresh. The default value is"false".</t> <t>"openidcProviders": (OPTIONAL)"false".</dd> <dt>"openidcProviders":</dt> <dd><t>(<bcp14>OPTIONAL</bcp14>) a list of objects with the following members that describes the set of OPs that are supported by the RDAP server. This data isRECOMMENDED<bcp14>RECOMMENDED</bcp14> if the value of issuerIdentifierSupported is"true": <list style="letters"> <t>"iss": (REQUIRED)"true":</t> <dl spacing="normal" newline="false"> <dt>"iss":</dt> <dd>(<bcp14>REQUIRED</bcp14>) a URI value that represents the Issuer Identifier of the OP as per the OpenID Connect Core specification <xreftarget="OIDCC"/></t> <t>"name": (REQUIRED)target="OIDCC"/>.</dd> <dt>"name":</dt> <dd>(<bcp14>REQUIRED</bcp14>) a string value representing the human-friendly name of theOP.</t> <t>"default": (OPTIONAL)OP.</dd> <dt>"default":</dt> <dd>(<bcp14>OPTIONAL</bcp14>) a boolean value that describes RDAP server support for anOPTIONAL<bcp14>OPTIONAL</bcp14> default OP that will be used when a client omits the "farv1_id" and "farv1_iss" query parameters from a "farv1_session/login" request. Only one member of this set can be identified as the default OP by setting a value of "true". The default value is"false".</t> <t>"additionalAuthorizationQueryParams": (OPTIONAL)"false".</dd> <dt>"additionalAuthorizationQueryParams":</dt> <dd>(<bcp14>OPTIONAL</bcp14>) an object where each member represents an OAuth authorization request parameter name-value pair supported by the OP. The name represents an OAuth queryparameterparameter, and the value is the query parameter value. A token-oriented RDAP clientSHOULD<bcp14>SHOULD</bcp14> add these query parameters and their corresponding values to the Authentication Request URL when requesting authorization by a specified OP through a proxyOP.</t> </list></t> </list></t>OP.</dd> </dl> </dd> </dl> <t>An RDAP serverMUST<bcp14>MUST</bcp14> set either the "sessionClientSupported" or the "tokenClientSupported" value to "true". Both valuesMAY<bcp14>MAY</bcp14> be set to "true" if an RDAP server supports both types ofclient.</t>clients.</t> <t>The "providerDiscoverySupported" value has a direct impact on the use of the "farv1_id" query parameter described in Sections <xreftarget="auth-request"/>target="auth-request" format="counter"/> and <xreftarget="end-user-identifier"/>.target="end-user-identifier" format="counter"/>. The value of "providerDiscoverySupported"MUST<bcp14>MUST</bcp14> be "true" for an RDAP server to properly accept and process "farv1_id" query parameters. Similarly,Thethe "issuerIdentifierSupported" value has a direct impact on the use of the "farv1_iss" query parameter described in <xref target="issuer-identifier"/>. The value of "issuerIdentifierSupported"MUST<bcp14>MUST</bcp14> be "true" for an RDAP server to properly accept and process "farv1_iss" query parameters.</t><figure anchor="example_openidcConfiguration_structure"> <preamble>An<t keepWithNext="true">An example of a "farv1_openidcConfiguration" datastructure:</preamble> <artwork xml:space="preserve">structure:</t> <figure anchor="example_openidcConfiguration_structure"> <artwork><![CDATA[ "farv1_openidcConfiguration": { "sessionClientSupported": true, "tokenClientSupported": true, "dntSupported": false, "providerDiscoverySupported": true, "issuerIdentifierSupported": true, "openidcProviders": [ { "iss": "https://idp.example.com", "name": "Example IDP" }, { "iss": "https://accounts.example.net", "name": "Login with EXAMPLE", "additionalAuthorizationQueryParams": { "kc_idp_hint": "examplePublicIDP" } }, { "iss": "https://auth.nic.example/auth/realms/rdap", "name": "Default OP for the Example RDAP server", "default": true } ]} </artwork>}]]></artwork> </figure> </section> <sectionanchor="rdap-query-parameters" title="RDAPanchor="rdap-query-parameters"> <name>RDAP QueryParameters">Parameters</name> <t>This specification describes twoOPTIONAL<bcp14>OPTIONAL</bcp14> query parameters for use with RDAP queries that request access to information associated with protected resources:</t><t><list style="numbers"> <t>"farv1_qp": A<dl spacing="normal" newline="false"> <dt>"farv1_qp":</dt> <dd>A query parameter to identify the purpose of thequery.</t> <t>"farv1_dnt": Aquery.</dd> <dt>"farv1_dnt":</dt> <dd>A query parameter to request that the server not log or otherwise record information about the identity associated with aquery.</t> </list> </t>query.</dd> </dl> <t>One or both parametersMAY<bcp14>MAY</bcp14> be added to an RDAP request URI using the syntax described intheSection "application/x-www-form-urlencoded"sectionofthe WHATWG URL Standard<xref target="HTMLURL"/>.</t> <sectionanchor="rdap-query-purpose" title="RDAPanchor="rdap-query-purpose"> <name>RDAP QueryPurpose">Purpose</name> <t>This query is represented as a "key=value" pair using a key value of "farv1_qp" and a value component that contains a single query purpose string from the set of allowed purposes associated with theEnd-User'send user's identity (see <xref target="stated-purposes"/>). If present, the serverSHOULD<bcp14>SHOULD</bcp14> compare the value of the parameter to the "rdap_allowed_purposes" claim values associated with theEnd-User'send user's identity and ensure that the requested purpose is present in the set of allowed purposes. The RDAP serverMAY<bcp14>MAY</bcp14> choose to ignore both the requested purpose and the "rdap_allowed_purposes" claim values if they are inconsistent with local server policy. The serverMUST<bcp14>MUST</bcp14> return an HTTP 403 (Forbidden) response if the requested purpose is not an allowed purpose. If the "farv1_qp" parameter is not present, the serverMUST<bcp14>MUST</bcp14> process the query and make an access control decision based on any other information known to the server about theEnd-Userend user and the information they are requesting. For example, a serverMAY<bcp14>MAY</bcp14> treat the request as one performed by an unidentified or unauthenticated user and return either an error or an appropriate subset of the available data. An example domain query using the "farv1_qp" query parameter:</t><t>https://example.com/rdap/domain/example.com?farv1_qp=legalActions</t><figure anchor="example_farv1_qp"> <artwork><![CDATA[ https://example.com/rdap/domain/example.com?farv1_qp=legalActions ]]></artwork> </figure> </section> <sectionanchor="rdap-do-not-track" title="RDAPanchor="rdap-do-not-track"> <name>RDAP Do NotTrack">Track</name> <t>This query is represented as a "key=value" pair using a key value of "farv1_dnt" and a value component that contains a single boolean value. A value of "true" indicates that theEnd-Userend user is requesting that their query is not tracked or logged in accordance with server policy. A value of "false" indicates that theEnd-Userend user is accepting that their query can be tracked or logged in accordance with server policy. The serverMUST<bcp14>MUST</bcp14> return an HTTP 403 (Forbidden) response if the server is unable to perform the action requested by this query parameter. An example domain query using the "farv1_dnt" query parameter:</t><t>https://example.com/rdap/domain/example.com?farv1_dnt=true</t><figure anchor="example_farv1_dnt"> <artwork><![CDATA[ https://example.com/rdap/domain/example.com?farv1_dnt=true ]]></artwork> </figure> </section> <sectionanchor="parameter-processing" title="Parameter Processing">anchor="parameter-processing"> <name>Parameter Processing</name> <t>Unrecognized query parametersMUST<bcp14>MUST</bcp14> be ignored. An RDAP server that processes an authenticated queryMUST<bcp14>MUST</bcp14> determine if theEnd-Userend-user identification information is associated with an OP that is recognized and supported by the server. RDAP serversMUST<bcp14>MUST</bcp14> reject queries that include identification information that is not associated with a supported OP by returning an HTTP 400 (Bad Request) response. An RDAP server that receives a query containing identification information associated with a recognized OPMUST<bcp14>MUST</bcp14> perform the steps required to authenticate the user with the OP, process the query, and return an RDAP response that is appropriate for theEnd-User'send user's level of authorization and access.</t> </section> </section> </section> <sectionanchor="protocol" title="Protocolanchor="protocol"> <name>Protocol Features for Session-OrientedClients">Clients</name> <t>This specification adds the following features to RDAP that are commonly used by session-oriented clients:</t><t><list style="numbers"><ol spacing="normal" type="1"><li> <t>Data structures to return information that describes an established session and the information needed to establish a session for a UI-constrained device.</t> </li> <li> <t>A query parameter to request authentication for a specificEnd-Userend-user identity.</t> </li> <li> <t>A query parameter to support authentication for a specificEnd-Userend-user identity on a device with a constrained user interface.</t> </li> <li> <t>A query parameter to identify the purpose of the query.</t> </li> <li> <t>A query parameter to request that the server not log or otherwise record information about the identity associated with a query.</t> </li> <li> <t>Path segments to start, stop, refresh, and determine the status of an authenticated session for a specificEnd-Userend-user identity.</t></list> </t></li> </ol> <sectionanchor="data-structures" title="Data Structures">anchor="data-structures"> <name>Data Structures</name> <t>This specification describes two new data structures that are used to return information to a session-orientedclient: a "farv1_session"client:</t> <dl spacing="normal" newline="false"> <dt>"farv1_session":</dt> <dd>A data structure that contains information that describes an establishedsession, and a "farv1_deviceInfo"session.</dd> <dt>"farv1_deviceInfo":</dt> <dd>A data structure that contains information that describes an active attempt to establish a session on a UI-constraineddevice.</t>device.</dd> </dl> <sectionanchor="session" title="Session">anchor="session"> <name>Session</name> <t>The "farv1_session" data structure is an object that contains the following members:</t><t><list style="numbers"> <t>"userID": an OPTIONAL<dl spacing="normal" newline="false"> <dt>"userID":</dt> <dd>an <bcp14>OPTIONAL</bcp14> string value that represents theEnd-Userend-user identifier associated with thesession.</t> <t>"iss": an OPTIONALsession.</dd> <dt>"iss":</dt> <dd>an <bcp14>OPTIONAL</bcp14> URI value that represents the issuer of theEnd-Userend-user identifier associated with thesession.</t> <t>"userClaims": an OPTIONALsession.</dd> <dt>"userClaims":</dt> <dd>an <bcp14>OPTIONAL</bcp14> object that contains the set of claims associated with theEnd-User'send user's identity based on the user information provided by the OP as described in <xref target="user-info"/> and processed by the RDAP server in the authentication and authorization process. The set of possible values is determined by OP policy and RDAP serverpolicy.</t> <t>"sessionInfo": an OPTIONALpolicy.</dd> <dt>"sessionInfo":</dt> <dd><t>an <bcp14>OPTIONAL</bcp14> object that contains twomembers: <list style="letters"> <t>"tokenExpiration": anmembers:</t> <dl spacing="normal" newline="false"> <dt>"tokenExpiration":</dt> <dd>an integer value that represents the number of seconds that remain in the lifetime of theAccess Token, and</t> <t>"tokenRefresh": aaccess token.</dd> <dt>"tokenRefresh":</dt> <dd>a boolean value that indicates if the OP supports refresh tokens. As described inRFC 6749<xref target="RFC6749"/>, support for refresh tokens isOPTIONAL.</t> </list></t> </list></t><bcp14>OPTIONAL</bcp14>.</dd> </dl> </dd> </dl> <t>Note that all of the members of the "farv1_session" data structure areOPTIONAL.<bcp14>OPTIONAL</bcp14>. See <xref target="login-response"/> for instructions describing when to return the minimum set of members.</t><figure anchor="example_session_structure"> <preamble>An<t keepWithNext="true">An example of a "farv1_session" datastructure:</preamble> <artwork xml:space="preserve">structure:</t> <figure anchor="example_session_structure"> <artwork><![CDATA[ "farv1_session": { "userID": "user.idp.example", "iss": "https://idp.example.com", "userClaims": { "sub": "103892603076825016132", "name": "User Person", "given_name": "User", "family_name": "Person", "picture": "https://lh3.example.com/a-/AOh14=s96-c", "email": "user@example.com", "email_verified": true, "locale": "en", "rdap_allowed_purposes": [ "domainNameControl", "personalDataProtection" ], "rdap_dnt_allowed": false }, "sessionInfo": { "tokenExpiration": 3599, "tokenRefresh": true }} </artwork>}]]></artwork> </figure> </section> <sectionanchor="deviceInfo" title="Device Info">anchor="deviceInfo"> <name>Device Info</name> <t>The flow described in <xref target="process"/> requires anEnd-Userend user to interact with a server using a user interface that can process HTTP. This will not work well in situations where the client is automated or anEnd-Userend user is using acommand linecommand-line user interface such as <eref target="https://curl.se/">curl</eref> or <eref target="https://www.gnu.org/software/wget/">wget</eref>. This limitation can be addressed using a web browser on a second device. The information that needs to be entered using the web browser is contained in the "farv1_deviceInfo" data structure, an object that contains members as described inSection 3.2 ("Device Authorization Response") of RFC 8628<xreftarget="RFC8628"/>.</t> <figure anchor="example_deviceInfo_structure"> <preamble>Antarget="RFC8628" sectionFormat="of" section="3.2"/>.</t> <t keepWithNext="true">An example of a "farv1_deviceInfo" datastructure:</preamble> <artwork xml:space="preserve">structure:</t> <figure anchor="example_deviceInfo_structure"> <artwork><![CDATA[ "farv1_deviceInfo": { "device_code": "AH-1ng2ezu", "user_code": "NJJQ-GJFC", "verification_uri": "https://www.example.com/device", "verification_uri_complete": "https://www.example.com/device?user_code=NJJQ-GJFC", "expires_in": 1800, "interval": 5} </artwork>}]]></artwork> </figure> </section> </section> <sectionanchor="client-login" title="Client Login">anchor="client-login"> <name>Client Login</name> <t>Client authentication is requested by sending a "farv1_session/login" request to an RDAP server. If the RDAP server supports only remoteOpenID Providers,OPs, the "farv1_session/login" requestMUST<bcp14>MUST</bcp14> include at least oneof an End-User Identifierend-user identifier oranOP Issuer Identifier.</t> <t>The server sets an HTTP cookie as described inRFC 6265<xref target="RFC6265"/> when the "farv1_session/login" request is received and processed successfully. The clientMUST<bcp14>MUST</bcp14> include the session cookie received from the server in any RDAP request within the scope of that session, including "farv1_session/refresh","farv1_session/status""farv1_session/status", and "farv1_session/logout". A "farv1_session/login" followed by another "farv1_session/login" that does not include an HTTP cookieMUST<bcp14>MUST</bcp14> start a new session on the server that includes a new cookie. A server that receives a "farv1_session/login" followed by another "farv1_session/login" that includes an HTTP cookieMUST<bcp14>MUST</bcp14> return an HTTP 409 (Conflict) response.</t> <t>To help reduce the risk of resource starvation, a serverMAY<bcp14>MAY</bcp14> reject a "farv1_session/login" request and refuse to start a new session by returning an HTTP 409 (Conflict) response if a server-side maximum number of concurrent sessions per user exists and the client exceeds that limit. Additionally, an active sessionMAY<bcp14>MAY</bcp14> be removed by the server due to timeout expiration or because a maximum session lifetime has been exceeded. ClientsSHOULD<bcp14>SHOULD</bcp14> proactively monitor the "tokenExpiration" value associated with an active session and refresh the session as appropriate to provide a positive user experience.</t> <sectionanchor="end-user-identifier" title="End-User Identifier">anchor="end-user-identifier"> <name>End-User Identifier</name> <t>TheEnd-Userend-user identifier is delivered using one of two methods: by adding a query component to an RDAP request URI using the syntax described intheSection "application/x-www-form-urlencoded"sectionofWHATWG URL Standard<xreftarget="HTMLURL"/>,target="HTMLURL"/> or by including an HTTP"Authorization""authorization" request header for the Basic authentication scheme as described inRFC 7617<xref target="RFC7617"/>. Clients can use either of these methods to deliver theEnd-Userend-user identifier to a server that supports remoteOpenID ProvidersOPs and provider discovery. Servers that support remoteOpenID ProvidersOPs and provider discoveryMUST<bcp14>MUST</bcp14> accept both methods. If the RDAP server supports a defaultOpenID ProviderOP or if provider discovery is not supported, theEnd-Userend-user identifierMAY<bcp14>MAY</bcp14> be omitted.</t> <t>The query parameter used to deliver theEnd-Userend-user identifier is represented as anOPTIONAL<bcp14>OPTIONAL</bcp14> "key=value" pair using a key value of "farv1_id" and a value component that contains the client identifier issued by an OP. An example for client identifier "user.idp.example":</t><t>==========<figure anchor="example_client_identifier"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792===========</t> <artwork>=========== https://example.com/rdap/farv1_session/\login?farv1_id=user.idp.example </artwork>login?farv1_id=user.idp.example]]></artwork> </figure> <t>The authorization header for the Basic authentication scheme contains aBase64-encodedbase64-encoded representation of the client identifier issued by an OP. No password is provided. An example for client identifier "user.idp.example":</t><t>https://example.com/rdap/farv1_session/login</t> <t>Authorization:<figure anchor="example_base64"> <artwork><![CDATA[ https://example.com/rdap/farv1_session/login Authorization: BasicdXNlci5pZHAuZXhhbXBsZQ==</t>dXNlci5pZHAuZXhhbXBsZQ== ]]></artwork> </figure> <t>An example for use with a defaultOpenID Provider:</t> <t>https://example.com/rdap/farv1_session/login</t>OP:</t> <figure anchor="example_default_op"> <artwork><![CDATA[ https://example.com/rdap/farv1_session/login ]]></artwork> </figure> </section> <sectionanchor="issuer-identifier" title="OPanchor="issuer-identifier"> <name>OP IssuerIdentifier">Identifier</name> <t>The OP's Issuer Identifier is delivered by adding a query component to an RDAP request URI using the syntax described intheSection "application/x-www-form-urlencoded"sectionofWHATWG URL Standard<xref target="HTMLURL"/>. If the RDAP server supports a defaultOpenID Provider,OP, the Issuer IdentifierMAY<bcp14>MAY</bcp14> be omitted.</t> <t>The query parameter used to deliver the OP's Issuer Identifier is represented as anOPTIONAL<bcp14>OPTIONAL</bcp14> "key=value" pair using a key value of "farv1_iss" and a value component that contains the Issuer Identifier associated with an OP. An RDAP serverMAY<bcp14>MAY</bcp14> accept Issuer Identifiers not specified in the "farv1_openidcConfiguration" data structure andMAY<bcp14>MAY</bcp14> also decide to accept specific Issuer Identifiers only from specific clients. An example for Issuer Identifier "https://idp.example.com":</t><t>==========<figure anchor="example_issuer_identifier"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792===========</t> <artwork>=========== https://example.com/rdap/farv1_session/\login?farv1_iss=https://idp.example.com </artwork>login?farv1_iss=https://idp.example.com]]></artwork> </figure> </section> <sectionanchor="login-response" title="Login Response">anchor="login-response"> <name>Login Response</name> <t>The response to this requestMUST<bcp14>MUST</bcp14> be a valid RDAPresponse,response perRFC 9083<xref target="RFC9083"/>. ItMUST NOT<bcp14>MUST NOT</bcp14> include any members that relate to a specific RDAP object type (e.g.,"events","events" or "status"). In addition, the responseMAY<bcp14>MAY</bcp14> include an indication of the requested operation's success or failure in the "notices" data structure. If successful, the responseMUST<bcp14>MUST</bcp14> include a "farv1_session" data structure that includes a "sessionInfo" object and anOPTIONAL<bcp14>OPTIONAL</bcp14> "userClaims" object. If unsuccessful, the responseMUST<bcp14>MUST</bcp14> include a "farv1_session" data structure that omits the "userClaims" and "sessionInfo" objects.</t><figure anchor="example_login_response"> <preamble>An<t keepWithNext="true">An example of a successful "farv1_session/login"response:</preamble> <artwork xml:space="preserve">response:</t> <figure anchor="example_login_response"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Login Result", "description": [ "Login succeeded" ] } ], "farv1_session": { "userID": "user.idp.example", "iss": "https://idp.example.com", "userClaims": { "sub": "103892603076825016132", "name": "User Person", "given_name": "User", "family_name": "Person", "picture": "https://lh3.example.com/a-/AOh14=s96-c", "email": "user@example.com", "email_verified": true, "locale": "en", "rdap_allowed_purposes": [ "domainNameControl", "personalDataProtection" ], "rdap_dnt_allowed": false }, "sessionInfo": { "tokenExpiration": 3599, "tokenRefresh": true } }} </artwork>}]]></artwork> </figure><figure anchor="example_failed_login_response"> <preamble>An<t keepWithNext="true">An example of a failed "farv1_session/login"response:</preamble> <artwork xml:space="preserve">response:</t> <figure anchor="example_failed_login_response"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Login Result", "description": [ "Login failed" ] } ], "farv1_session": { "userID": "user.idp.example", "iss": "https://idp.example.com" }} </artwork>}]]></artwork> </figure> </section> <sectionanchor="ui-constrained" title="Clientsanchor="ui-constrained"> <name>Clients with Limited UserInterfaces"> <t>The "OAuth 2.0 Device Authorization Grant"Interfaces</name> <t>"<xref target="RFC8628" format="title"/>" <xreftarget="RFC8628"/>target="RFC8628" format="default"/> provides anOPTIONAL<bcp14>OPTIONAL</bcp14> method to request user authorization from devices that have an Internetconnection,connection but lack a suitable browser for a more conventional OAuth flow. This method requires anEnd-Userend user to use a second device (such as asmart telephone)smartphone) that has access to a web browser for entry of a code sequence that is presented on the UI-constrained device.</t> <sectionanchor="client-login-device" title="UI-constrainedanchor="client-login-device"> <name>UI-Constrained ClientLogin">Login</name> <t>Client authentication is requested by sending a "farv1_session/device" request to an RDAP server. If the RDAP server supports only remoteOpenID Providers,OPs, the "farv1_session/device" requestMUST<bcp14>MUST</bcp14> include either anEnd-Userend-user identifier as described in <xref target="end-user-identifier"/> or an OP Issuer Identifier as described in <xref target="issuer-identifier"/>.</t><t>==========<t keepWithNext="true">An example using wget for client identifier "user.idp.example":</t> <figure anchor="example_wget1"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792===========</t> <figure anchor="example_wget1"> <preamble>An example using wget for client identifier "user.idp.example":</preamble> <artwork xml:space="preserve">=========== wget -qO- "https://example.com/rdap/farv1_session/device\?farv1_id=user.idp.example" </artwork>?farv1_id=user.idp.example"]]></artwork> </figure> <t>The authorization header for the Basic authentication scheme contains aBase64-encodedbase64-encoded representation of the client identifier issued by an OP. No password is provided.</t><t>==========<t keepWithNext="true">An example using curl and an authorization header:</t> <figure anchor="example_curl1"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792===========</t> <figure anchor="example_curl1"> <preamble>An example using curl and an authorization header:</preamble> <artwork xml:space="preserve">=========== curl -H "Authorization: Basic dXNlci5pZHAuZXhhbXBsZQ=="\"https://example.com/rdap/farv1_session/device" </artwork>"https://example.com/rdap/farv1_session/device"]]></artwork> </figure> <t>The response to this requestMUST<bcp14>MUST</bcp14> be a valid RDAPresponse,response perRFC 9083<xref target="RFC9083"/>. ItMUST NOT<bcp14>MUST NOT</bcp14> include any members that relate to a specific RDAP object type (e.g.,"events","events" or "status"). In addition, the responseMAY<bcp14>MAY</bcp14> include an indication of the requested operation's success or failure in the "notices" datastructure,structure and, if successful, a "farv1_deviceInfo" data structure.</t><figure anchor="example_device_login_response"> <preamble>An<t keepWithNext="true">An example of a "farv1_session/device"response:</preamble> <artwork xml:space="preserve">response:</t> <figure anchor="example_device_login_response"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Device Login Result", "description": [ "Login succeeded" ] } ], "farv1_deviceInfo": { "device_code": "AH-1ng2ezu", "user_code": "NJJQ-GJFC", "verification_uri": "https://www.example.com/device", "verification_uri_complete": "https://www.example.com/device?user_code=NJJQ-GJFC", "expires_in": 1800, "interval": 5 }} </artwork>}]]></artwork> </figure> </section> <sectionanchor="client-login-device-poll" title="UI-constrainedanchor="client-login-device-poll"> <name>UI-Constrained Client LoginPolling">Polling</name> <t>After successful processing of the "farv1_session/device" request, the clientMUST<bcp14>MUST</bcp14> send a "farv1_session/devicepoll" request to the RDAP server to continue the login process. This request initiates the polling function described inRFC 8628<xref target="RFC8628"/> on the RDAP server. The RDAP server polls the OP as described inSection 3.4 of RFC 8628,<xref target="RFC8628" section="3.4" sectionFormat="of"/>, allowing the RDAP server to wait for theEnd-Userend user to enter the information returned from the "farv1_session/device" request using the interface on their second device. After theEnd-Userend user has completed that process, or if the process fails or times out, the OP will respond to the polling requests with an indication of success or failure. If the RDAP server supports only remoteOpenID Providers,OPs, the "farv1_session/devicepoll" requestMUST<bcp14>MUST</bcp14> include either anEnd-Userend-user identifier as described in <xref target="end-user-identifier"/> or an OP Issuer Identifier as described in <xref target="issuer-identifier"/>.</t> <t>The "farv1_session/devicepoll" requestMUST<bcp14>MUST</bcp14> also include a "farv1_dc" query parameter. The query parameter is represented as anOPTIONAL<bcp14>OPTIONAL</bcp14> "key=value" pair using a key value of "farv1_dc" and a value component that contains the value of the device_code that was returned in the response to the "farv1_session/device" request.</t><t>==========<t keepWithNext="true">An example using wget:</t> <figure anchor="example_wget2"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792===========</t> <figure anchor="example_wget2"> <preamble>An example using wget:</preamble> <artwork xml:space="preserve">=========== wget -qO- --keep-session-cookies --save-cookies cookie.txt\ "https://example.com/rdap/farv1_session/devicepoll\?farv1_id=user.idp.example&farv1_dc=AH-1ng2ezu" </artwork>?farv1_id=user.idp.example&farv1_dc=AH-1ng2ezu"]]></artwork> </figure><figure anchor="example_curl2"> <preamble>An<t keepWithNext="true">An example usingcurl:</preamble> <artwork xml:space="preserve">curl:</t> <figure anchor="example_curl2"> <artwork><![CDATA[ ========== NOTE: '\' line wrapping per RFC 8792 =========== curl -c cookie.txt "https://example.com/rdap/farv1_session/\devicepoll?farv1_id=user.idp.example&farv1_dc=AH-1ng2ezu" </artwork>devicepoll?farv1_id=user.idp.example&farv1_dc=AH-1ng2ezu"]]></artwork> </figure> <t>The response to this requestMUST<bcp14>MUST</bcp14> use the response structures described in <xref target="client-login"/>. RDAP query processing can continue normally on the UI-constrained device once the device polling process has been completed successfully.</t> </section> </section> </section> <sectionanchor="session-status" title="Session Status">anchor="session-status"> <name>Session Status</name> <t>ClientsMAY<bcp14>MAY</bcp14> send a query to an RDAP server to determine the status of an existing login session using a "farv1_session/status" path segment. An example "farv1_session/status" request:</t><t>https://example.com/rdap/farv1_session/status</t><figure anchor="example_session_status"> <artwork><![CDATA[ https://example.com/rdap/farv1_session/status ]]></artwork> </figure> <t>The response to this requestMUST<bcp14>MUST</bcp14> be a valid RDAPresponse,response perRFC 9083<xref target="RFC9083"/>. ItMUST NOT<bcp14>MUST NOT</bcp14> include any members that relate to a specific RDAP object type (e.g.,"events","events" or "status"). In addition, the responseMAY<bcp14>MAY</bcp14> include an indication of the requested operation's success or failure in the "notices" data structure. If the operation issuccessful,successful and an active session exists, the responseMUST<bcp14>MUST</bcp14> include a "farv1_session" data structure that includes a "sessionInfo" object and anOPTIONAL<bcp14>OPTIONAL</bcp14> "userClaims" object. If the operation isunsuccessful,unsuccessful or if no active session exists, the responseMUST NOT<bcp14>MUST NOT</bcp14> include a "farv1_session" object.</t><figure anchor="example_session_response_1"> <preamble>An<t keepWithNext="true">An example of a "farv1_session/status" response for an activesession:</preamble> <artwork xml:space="preserve">session:</t> <figure anchor="example_session_response_1"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Session Status Result", "description": [ "Session status succeeded" ] } ], "farv1_session": { "userID": "user.idp.example", "iss": "https://idp.example.com", "userClaims": { "sub": "103892603076825016132", "name": "User Person", "given_name": "User", "family_name": "Person", "picture": "https://lh3.example.com/a-/AOh14=s96-c", "email": "user@example.com", "email_verified": true, "locale": "en", "rdap_allowed_purposes": [ "domainNameControl", "personalDataProtection" ], "rdap_dnt_allowed": false }, "sessionInfo": { "tokenExpiration": 3490, "tokenRefresh": true } }} </artwork>}]]></artwork> </figure> <t>If the operation issuccessful,successful and an active session does not exist, the responseMAY<bcp14>MAY</bcp14> note the lack of an active session in the "notices" data structure. The "farv1_session" data structureMUST<bcp14>MUST</bcp14> be omitted.</t><figure anchor="example_session_response_2"> <preamble>An<t keepWithNext="true">An example of a "farv1_session/status" response with no activesession:</preamble> <artwork xml:space="preserve">session:</t> <figure anchor="example_session_response_2"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Session Status Result", "description": [ "Session status succeeded", "No active session" ] } ]} </artwork>}]]></artwork> </figure> </section> <sectionanchor="session-refresh" title="Session Refresh">anchor="session-refresh"> <name>Session Refresh</name> <t>ClientsMAY<bcp14>MAY</bcp14> send a request to an RDAP server torefresh,refresh orextend,extend an existing login session using a "farv1_session/refresh" path segment. The RDAP serverMAY<bcp14>MAY</bcp14> attempt to refresh theAccess Tokenaccess token associated with the current session as part of extending the session for a period of time determined by the RDAP server. As described inRFC 6749<xref target="RFC6749"/>, OP support for refresh tokens isOPTIONAL.<bcp14>OPTIONAL</bcp14>. An RDAP serverMUST<bcp14>MUST</bcp14> determine if the OP supports token refresh and process the refresh request by either requesting refresh of theAccess Tokenaccess token orbyreturning a response that indicates that token refresh is not supported by the OP in the "notices" data structure. An example "farv1_session/refresh" request:</t><t>https://example.com/rdap/farv1_session/refresh</t><figure anchor="example_session_refresh"> <artwork><![CDATA[ https://example.com/rdap/farv1_session/refresh ]]></artwork> </figure> <t>The response to this requestMUST<bcp14>MUST</bcp14> be a valid RDAPresponse,response perRFC 9083<xref target="RFC9083"/>. ItMUST NOT<bcp14>MUST NOT</bcp14> include any members that relate to a specific RDAP object type (e.g.,"events","events" or "status"). In addition, the responseMAY<bcp14>MAY</bcp14> include an indication of the requested operation's success or failure in the "notices" data structure. The responseMUST<bcp14>MUST</bcp14> include a "farv1_session" data structure that includes a "sessionInfo" object and anOPTIONAL<bcp14>OPTIONAL</bcp14> "userClaims" object. Ifunsuccessful,unsuccessful but an active session exists, the responseMUST<bcp14>MUST</bcp14> include a "farv1_session" data structure that includes a "sessionInfo" object and anOPTIONAL<bcp14>OPTIONAL</bcp14> "userClaims" object. Ifunsuccessful,unsuccessful and no active session exists, the responseMUST<bcp14>MUST</bcp14> omit the "farv1_session" data structure.</t><figure anchor="example_refresh_response"> <preamble>An<t keepWithNext="true">An example of a successful "farv1_session/refresh"response:</preamble> <artwork xml:space="preserve">response:</t> <figure anchor="example_refresh_response"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Session Refresh Result", "description": [ "Session refresh succeeded", "Token refresh succeeded." ] } ], "farv1_session": { "userID": "user.idp.example", "iss": "https://idp.example.com", "userClaims": { "sub": "103892603076825016132", "name": "User Person", "given_name": "User", "family_name": "Person", "picture": "https://lh3.example.com/a-/AOh14=s96-c", "email": "user@example.com", "email_verified": true, "locale": "en", "rdap_allowed_purposes": [ "domainNameControl", "personalDataProtection" ], "rdap_dnt_allowed": false }, "sessionInfo": { "tokenExpiration": 3599, "tokenRefresh": true } }} </artwork>}]]></artwork> </figure> <t>Alternatively, an RDAP serverMAY<bcp14>MAY</bcp14> attempt to refresh anAccess Tokenaccess token upon receipt of a query if theAccess Tokenaccess token associated with an existing session has expired and the corresponding OP supports token refresh. The default RDAP server behavior is described in the "implicitTokenRefreshSupported" value that's included in the "farv1_openidcConfiguration" data structure (see <xref target="openidcConfiguration"/>).</t> <t>If the value of "implicitTokenRefreshSupported" is "true", the clientMAY<bcp14>MAY</bcp14> either explicitly attempt to refresh the session using the "farv1_session/refresh"query,query orit MAYdepend on the RDAP server to attempt to refresh the session as necessary when an RDAP query is received by the server. In this case, a serverMUST<bcp14>MUST</bcp14> attempt to refresh theAccess Tokenaccess token upon receipt of a query if theAccess Tokenaccess token associated with an existing session has expired and the corresponding OP supports token refresh. ServersMUST<bcp14>MUST</bcp14> return an HTTP 401 (Unauthorized) response to a query if an attempt to implicitly refresh an existing session fails.</t> <t>If the value of "implicitTokenRefreshSupported" is "false", the clientMUST<bcp14>MUST</bcp14> explicitly attempt to refresh the session using the "farv1_session/refresh" query to extend an existing session. If a session cannot be extended for any reason, the clientMUST<bcp14>MUST</bcp14> establish a new session to continue authenticated query processing by submitting a "farv1_session/login" query. If the OP does not support token refresh, the clientMUST<bcp14>MUST</bcp14> submit a new "farv1_session/login" request to establish a new session once anAccess Tokenaccess token has expired.</t> <t>ClientsSHOULD NOT<bcp14>SHOULD NOT</bcp14> send a "farv1_session/refresh" request in the absence of an active login session because the request conflicts with the current state of the server. ServersMUST<bcp14>MUST</bcp14> return an HTTP 409 (Conflict) response if a "farv1_session/refresh" request is received in the absence of a session cookie.</t> </section> <sectionanchor="client-logout" title="Client Logout">anchor="client-logout"> <name>Client Logout</name> <t>ClientsMAY<bcp14>MAY</bcp14> send a request to an RDAP server to terminate an existing login session. Termination of a session is requested using a "farv1_session/logout" path segment. Access and refresh tokens can be revoked during the "farv1_session/logout" process as described inRFC 7009<xref target="RFC7009"/> if supported by the OP (token revocation endpoint support isOPTIONAL<bcp14>OPTIONAL</bcp14> perRFC 8414<xref target="RFC8414"/>). If supported, this featureSHOULD<bcp14>SHOULD</bcp14> be used to ensure that the tokens are not mistakenly associated with a future RDAP session. Alternatively, an RDAP serverMAY<bcp14>MAY</bcp14> attempt to log out from the OP using the"OpenIDOpenID Connect RP-InitiatedLogout"Logout protocol(<xref target="OIDCL"/>)<xref target="OIDCL"/> if that protocol is supported by the OP. In any case, to prevent abuse before the cookie timesoutout, an RDAP serverSHOULD<bcp14>SHOULD</bcp14> invalidate the HTTP cookie associated with the session as part of terminating the session.</t> <t>An example "farv1_session/logout" request:</t><t>https://example.com/rdap/farv1_session/logout</t><figure anchor="example_session_logout"> <artwork><![CDATA[ https://example.com/rdap/farv1_session/logout ]]></artwork> </figure> <t>The response to this requestMUST<bcp14>MUST</bcp14> be a valid RDAPresponse,response perRFC 9083<xref target="RFC9083"/>. ItMUST NOT<bcp14>MUST NOT</bcp14> include any members that relate to a specific RDAP object type (e.g.,"events","events" or "status"). In addition, the responseMAY<bcp14>MAY</bcp14> include an indication of the requested operation's success or failure in the "notices" data structure. The "notices" data structureMAY<bcp14>MAY</bcp14> include an indication of the success or failure of any attempt to logout from the OP or to revoke the tokens issued by the OP.</t><figure anchor="example_logout_response"> <preamble>An<t keepWithNext="true">An example of a "farv1_session/logout"response:</preamble> <artwork xml:space="preserve">response:</t> <figure anchor="example_logout_response"> <artwork><![CDATA[ { "rdapConformance": [ "farv1" ], "lang": "en-US", "notices": [ { "title": "Logout Result", "description": [ "Logout succeeded" "Provider logout failed: Not supported by provider.", "Token revocation successful." ] } ]} </artwork>}]]></artwork> </figure> <t>In the absence of a "logout" request, an RDAP sessionMUST<bcp14>MUST</bcp14> be terminated by the RDAP server after a server-defined period of time. The serverSHOULD<bcp14>SHOULD</bcp14> also take appropriate steps to ensure that the tokens associated with the terminated session cannot be reused. ThisSHOULD<bcp14>SHOULD</bcp14> include revoking the tokens or logging out from the OP if either operation is supported by the OP.</t> </section> <sectionanchor="request-sequencing" title="Request Sequencing">anchor="request-sequencing"> <name>Request Sequencing</name> <t>The requests described in this document are typically performed in a specificsequence: "farv1_session/login"sequence:</t> <ol spacing="normal" type="1"> <li>"farv1_session/login" (or the related "farv1_session/device" and "farv1_session/devicepoll" requests) to start asession, "farv1_session/status"session,</li> <li>"farv1_session/status" and/or "farv1_session/refresh" to manage asession, andsession,</li> <li>and "farv1_session/logout" to end asession. Ifsession.</li> </ol> <t>If a client sends a "farv1_session/status", "farv1_session/refresh", or "farv1_session/logout" request in the absence of a session cookie, the serverMUST<bcp14>MUST</bcp14> return an HTTP 409 (Conflict) error.</t> <t>A client can end a session explicitly by sending a "farv1_session/logout" request to the RDAP server. A session can also be ended implicitly by the server after a server-defined period of time. The status of a session can be determined at any time by sending a "farv1_session/status" query to the RDAP server.</t> <t>An RDAP serverMUST<bcp14>MUST</bcp14> maintain session state information for the duration of an active session. This is commonly done using HTTP cookies as described inRFC 6265<xref target="RFC6265"/>. Doing so allowsEnd-Userend users to submit queries without having to explicitly identify and authenticate themselves for every query.</t> <t>An RDAP server can receive queries that include a session cookie where the associated session has expired or is otherwise unavailable (e.g., due to the user requesting explicit logout for the associated session). The serverMUST<bcp14>MUST</bcp14> return an HTTP 401 (Unauthorized) error in response to such queries.</t> </section> </section> <sectionanchor="protocol-tokens" title="Protocolanchor="protocol-tokens"> <name>Protocol Features for Token-OrientedClients">Clients</name> <t>This specification adds additional processing steps for token-oriented clients as described in this section and <xref target="overview"/>. It does not define additional data structures or RDAP-specific protocol parameters specifically for token-oriented clients.</t> <sectionanchor="login-tokens" title="Client Login">anchor="login-tokens"> <name>Client Login</name> <t>Clients identify and authenticateEnd-Usersend users by exchanging information with an OP that is recognized by the RDAP server as described in Sections <xreftarget="auth-request"/>,target="auth-request" format="counter"/>, <xreftarget="End-User-auth"/>,target="End-User-auth" format="counter"/>, and <xreftarget="auth-valid"/>.target="auth-valid" format="counter"/>. A clientSHOULD<bcp14>SHOULD</bcp14> append the "additionalAuthorizationQueryParams" values retrieved from the "openidcProviders" array described in <xref target="openidcConfiguration"/> to theAuthorization Endpointauthorization endpoint URL when requesting authorization from the OP. Once these processes are completed successfully, the client can request tokens from the OP as described in <xref target="tokens"/>. The OPSHOULD<bcp14>SHOULD</bcp14> include the RDAP server's client_id in the "aud" claim value of an issued IDtoken.Token. The RDAP serverMAY<bcp14>MAY</bcp14> choose to ignore the value of the "aud" claim or exchange the token as described in <xref target="token-exch"/>. With these steps completed, theAccess Tokenaccess token received from the OP can be passed to an RDAP server in an HTTP"Authorization""authorization" request header <xref target="RFC6750"/> for RDAP queries that requireEnd-Userend-user identification, authentication, and authorization.</t> </section> <sectionanchor="queries-tokens" title="Client Queries">anchor="queries-tokens"> <name>Client Queries</name> <t>An RDAP server that receives a bearer token in an HTTP"Authorization""authorization" request header as part of an RDAP object queryMUST<bcp14>MUST</bcp14> validate the token in accordance with local policy and confirm that the token is a legitimateAccess Token.access token. Once validated, theAccess Token MAYaccess token <bcp14>MAY</bcp14> be used to retrieve the claims associated with theEnd-User'send user's identity, including claims associated with the "rdap" scope that are not already included in theAccess Token,access token, as described in <xref target="user-info"/>. The RDAP server can then evaluate theEnd-User'send user's identity information to determine theEnd-User'send user's authorization level and process the query in accordance with server policies. A clientMUST<bcp14>MUST</bcp14> include the "farv1_iss" query parameter andissuer identifierIssuer Identifier value with an RDAP query if the token was issued by a remote OP.</t> </section> <sectionanchor="access-token-val" title="Accessanchor="access-token-val"> <name>Access TokenValidation">Validation</name> <t>An RDAP serverMUST<bcp14>MUST</bcp14> validate a receivedAccess Tokenaccess token prior to using that token for access control purposes. ValidationMAY<bcp14>MAY</bcp14> include token introspection <xref target="RFC7662"/> using the issuingOP,OP or analysis of the values included in a JWTAccess Token.access token. Once anAccess Tokenaccess token is validated, an RDAP serverMAY<bcp14>MAY</bcp14> use that token to request user claims from the issuing OP.</t> <t>There are performance considerations associated with the process of validating a token and requesting user claims as part of processing every received RDAP query. An RDAP serverMAY<bcp14>MAY</bcp14> cache validated information and use that cached information to reduce the amount of time needed to process subsequent RDAP queries associated with the sameAccess Tokenaccess token as long as the token has not expired. The clientSHOULD<bcp14>SHOULD</bcp14> monitor the token expiration time and refresh the token as needed.</t> </section> <sectionanchor="token-exch" title="Token Exchange">anchor="token-exch"> <name>Token Exchange</name> <t>Tokens can include an "aud" (audience) claim that contains the OAuth 2.0 client_id of the RP as an audience value. In some operational scenarios (such as a client that is providing a proxy service), an RP can receive tokens with an "aud" claim value that does not include the RP's client_id. These tokens might not be trusted by the RP, and the RP might refuse to accept the tokens. This situation can be remedied by having the RP exchange theAccess Tokenaccess token with the OP for a set of trusted tokens that reset the "aud" claim. The token exchange protocol is described inRFC 8693<xref target="RFC8693"/>.</t> </section> </section> <sectionanchor="query-processing" title="RDAPanchor="query-processing"> <name>RDAP QueryProcessing">Processing</name> <t>Once an RDAP session is active, an RDAP serverMUST<bcp14>MUST</bcp14> determine if theEnd-Userend user is authorized to perform any queries that are received during the duration of the session. ThisMAY<bcp14>MAY</bcp14> include rejecting queries outright, and itMAY<bcp14>MAY</bcp14> include omitting or otherwise redacting information that theEnd-Userend user is not authorized to receive. Specific processing requirements are beyond the scope of this document.</t> </section> <sectionanchor="conformance" title="RDAP Conformance">anchor="conformance"> <name>RDAP Conformance</name> <t>RDAP responses that contain values described in this documentMUST<bcp14>MUST</bcp14> indicate conformance with this specification by including an rdapConformance(<xref target="RFC9083"/>)<xref target="RFC9083"/> value of "farv1"(Federated Authentication(federated authentication method for RDAP version 1). The information needed to register this value in theRDAP Extensions Registry"RDAP Extensions" registry is described in <xref target="ext-registry"/>.</t><figure anchor="rdapConformance_example"> <preamble>Example<t keepWithNext="true">Example rdapConformance structure with extensionspecified:</preamble> <artwork xml:space="preserve">specified:</t> <figure anchor="rdapConformance_example"> <artwork><![CDATA[ "rdapConformance" : [ "rdap_level_0", "farv1"] </artwork>]]]></artwork> </figure> </section> <sectionanchor="IANA" title="IANA Considerations">anchor="IANA"> <name>IANA Considerations</name> <sectionanchor="ext-registry" title="RDAPanchor="ext-registry"> <name>RDAP ExtensionsRegistry">Registry</name> <t>IANAis requested to registerhas registered the following value in theRDAP Extensions Registry:</t> <t><ul empty="true" spacing="compact"> <li>Extension identifier: farv1</li> <li>Registry operator: Any</li> <li>Published specification: This document.</li> <li>Contact:"RDAP Extensions" registry:</t> <dl spacing="compact" newline="false"> <dt>Extension Identifier:</dt><dd>farv1</dd> <dt>Registry Operator:</dt><dd>Any</dd> <dt>Specification:</dt><dd>RFC 9560</dd> <dt>Contact:</dt><dd> IETF<iesg@ietf.org></li> <li>Intended usage:<iesg@ietf.org></dd> <dt>Intended Usage:</dt><dd> This extension describesversion 1 of afederated authentication method for RDAP version 1 using OAuth 2.0 and OpenIDConnect.</li> </ul></t>Connect.</dd> </dl> </section> <sectionanchor="JWT-registry" title="JSONanchor="JWT-registry"> <name>JSON Web Token ClaimsRegistry">Registry</name> <t>IANAis requested to registerhas registered the following values in theJSON"JSON Web TokenClaims Registry:</t> <t><ul empty="true"Claims" registry:</t> <dl spacing="compact"><li>Claim Name: "rdap_allowed_purposes"</li> <li>Claim Description:<dt>Claim Name:</dt><dd>rdap_allowed_purposes</dd> <dt>Claim Description:</dt><dd> This claim describes the set of RDAP query purposes that are available to an identity that is presented for access to a protected RDAPresource.</li> <li>Change Controller: IETF</li> <li>Specification Document(s):resource.</dd> <dt>Change Controller:</dt><dd> IETF</dd> <dt>Reference:</dt><dd> <xref target="stated-purposes"/> ofthis document.</li> </ul></t> <t></t> <t><ul empty="true"RFC 9560.</dd> </dl> <dl spacing="compact"><li>Claim Name: "rdap_dnt_allowed"</li> <li>Claim Description:<dt>Claim Name:</dt><dd>rdap_dnt_allowed</dd> <dt>Claim Description:</dt><dd> This claim contains a JSON boolean literal that describes a "do not track" request for server-side tracking, logging, or recording of an identity that is presented for access to a protected RDAPresource.</li> <li>Change Controller: IETF</li> <li>Specification Document(s):resource.</dd> <dt>Change Controller:</dt><dd> IETF</dd> <dt>Reference:</dt><dd> <xref target="rdap_dnt_allowed"/> ofthis document.</li> </ul></t>RFC 9560.</dd> </dl> </section> <sectionanchor="purpose-registry" title="RDAPanchor="purpose-registry"> <name>RDAP Query PurposeRegistry">Registry</name> <t>IANAis requested to createhas created a new protocol registry to manage RDAP query purpose values.</t><t>Section<dl newline="false" spacing="compact"> <dt>Section athttps://www.iana.org/protocols: Registration<eref target="https://www.iana.org/protocols"/>:</dt> <dd>Registration Data Access Protocol(RDAP)</t> <t>Name of registry: Registration(RDAP)</dd> <dt>Registry Name:</dt> <dd>Registration Data Access Protocol (RDAP) Query PurposeValues</t> <t>Registration policy: ThisValues</dd> <dt>Registration Procedure(s):</dt> <dd>This registry is operated under the "Specification Required" policy defined inRFC 8126 (<xref target="RFC8126"/>).<xref target="RFC8126"/>. TheDesignated Expertdesignated expert must ensure that requests to add values to this registry meet the syntax, value, and description requirements described in thissection.</t> <t>Required information: Registrationsection.</dd> <dt>Required Information:</dt> <dd>Registration requests are described in a specification that's consistent with the "Specification Required" policy defined inRFC 8126 (<xref target="RFC8126"/>).<xref target="RFC8126"/>. The specification must include one or more purpose values as describedbelow.</t> <t>Size, format, and syntax of registry entries:</t>below.</dd> </dl> <t>Individual purpose values are registered with IANA. Each entry in the registry contains the following fields:</t><t>Value: the<dl newline="false" spacing="compact"> <dt>Value:</dt> <dd>The purpose string value being registered. Value strings can containupper caseuppercase ASCII characters from "A" to "Z",lower caselowercase ASCII characters from "a" to "z", and the underscore ("_") character. Value strings contain at least one character and no more than 64characters.</t> <t>Description: a one-characters.</dd> <dt>Description:</dt> <dd>One ortwo-sentence,two sentences in Englishlanguage description ofdescribing the meaning of the purpose value, how it might be used, and/or how it should be interpreted by clients andservers.</t> <t>Initial assignments and reservations:</t>servers.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <t>The set of initial values used to populate the registry as describedherebelow aretakenderived from the<eref target="https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf">final report</eref>final report produced by the Expert Working Group on gTLD Directory Services chartered by the Internet Corporation for Assigned Names and Numbers(ICANN).</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: domainNameControl</li> <li>Description: Tasks(ICANN) <xref target="gTLD" format="default"/>.</t> <dl spacing="compact" newline="false"> <dt>Value:</dt> <dd>domainNameControl</dd> <dt>Description:</dt> <dd>Tasks within the scope of this purposeinclude creating and managing and monitoringinclude, for a registrant's own domain name,includingcreating the domain name, updating information about the domain name, transferring the domain name, renewing the domain name, deleting the domain name, maintaining a domain name portfolio, and detecting fraudulent use of theRegistrant'sregistrant's own contactinformation.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: personalDataProtection</li> <li>Description: Tasksinformation.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd>personalDataProtection</dd> <dt>Description:</dt><dd>Tasks within the scope of this purpose include identifying the accreditedprivacy/proxyprivacy or proxy provider associated with a domainname andname, reporting abuse, requesting reveal, or otherwise contacting theprovider.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: technicalIssueResolution</li> <li>Description:provider.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd>technicalIssueResolution</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include (but are not limited to) working to resolve technical issues, including email delivery issues, DNS resolution failures, and websitefunctional issues.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: domainNameCertification</li> <li>Description:functionality issues.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> domainNameCertification</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include a Certification Authority (CA) issuing an X.509 certificate to a subject identified by a domainname.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: individualInternetUse</li> <li>Description:name.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> individualInternetUse</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include identifying the organization using a domain name to instill consumertrust,trust or contacting that organization to raise a customer complaint to them or file a complaint aboutthem.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: businessDomainNamePurchaseOrSale</li> <li>Description:them.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> businessDomainNamePurchaseOrSale</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include making purchase queries about a domain name, acquiring a domain name from a registrant, and enabling due diligenceresearch.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: academicPublicInterestDNSResearch</li> <li>Description:research.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> academicPublicInterestDNSResearch</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include academic public interest research studies about domain names published in the registration data service, including public information about the registrant and designated contacts, the domain name's history and status, and domain names registered by a given registrant (reversequery).</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: legalActions</li> <li>Description:query).</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> legalActions</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include investigating possible fraudulent use of a registrant's name or address by other domain names, investigating possible trademark infringement, contacting aregistrant/licensee'sregistrant's or licensee's legal representative prior to taking legalactionaction, and then taking a legal action if the concern is not satisfactorilyaddressed.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: regulatoryAndContractEnforcement</li> <li>Description: Tasksaddressed.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> regulatoryAndContractEnforcement</dd> <dt>Description:</dt><dd>Tasks within the scope of this purpose include investigating the tax authorityinvestigationof businesses with onlinepresence,presences, investigating UniformDispute ResolutionDomain-Name Dispute-Resolution Policy(UDRP) investigation,(UDRP), investigating contractualcompliance investigation,compliance, andregistrationregistering data escrowaudits.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: criminalInvestigationAndDNSAbuseMitigation</li> <li>Description:audits.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> criminalInvestigationAndDNSAbuseMitigation</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose include reporting abuse to someone who can investigate and address thatabuse,abuse or contacting entities associated with a domain name during an offline criminalinvestigation.</li> </ul> -----END FORM-----</t> <t>-----BEGIN FORM----- <ul empty="true"> <li>Value: dnsTransparency</li> <li>Description:investigation.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> <dl spacing="compact" newline="false"> <dt>Value:</dt><dd> dnsTransparency</dd> <dt>Description:</dt><dd> Tasks within the scope of this purpose involve querying the registration data made public by registrants to satisfy a wide variety of use cases around informing thepublic.</li> </ul> -----END FORM-----</t> </section> </section> <section anchor="impl-status" title="Implementation Status"> <t>NOTE: Please remove this section and the reference to RFC 7942 prior to publication as an RFC.</t> <t>This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942 <xref target="RFC7942"/>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.</t> <t>According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".</t> <t>Version -09 of this specification introduced changes that are incompatible with earlier implementations. Implementations that are consistent with this specification will be added as they are identified.</t> <section anchor="SAH" title="Editor Implementation"> <t><ul empty="true" spacing="compact"> <li>Location: https://procuratus.net/rdap/</li> <li>Description: This implementation is a functionally limited RDAP server that supports only the path segments described in this specification. It uses the "jumbojett/OpenID-Connect-PHP" library found on GitHub, which appears to be minimally maintained. The library was modified to add support for the device authorization grant. Session variable management is still a little buggy. Supported OPs include Google (Gmail) and Yahoo.</li> <li>Level of Maturity: This is a "proof of concept" research implementation.</li> <li>Coverage: This implementation includes all the features described in this specification.</li> <li>Version compatibility: Version -11+ of this specification.</li> <li>Contact Information: Scott Hollenbeck, shollenbeck@verisign.com</li> </ul></t> </section> <section anchor="vlabs" title="Verisign Labs"> <t><ul empty="true" spacing="compact"> <li>Responsible Organization: Verisign Labs</li> <li>Location: https://rdap.verisignlabs.com/</li> <li>Description: This implementation includes support for domain registry RDAP queries using live data from the .cc and .tv country code top-level domains and the .career generic top-level domain. Three access levels are provided based on the authenticated identity of the client: <ol type="1" spacing="compact"> <li>Unauthenticated: Limited information is returned in response to queries from unauthenticated clients.</li> <li>Basic: Clients who authenticate using a publicly available identity provider like Google Gmail or Microsoft Hotmail will receive all the information available to an unauthenticated client plus additional registration metadata, but no personally identifiable information associated with entities.</li> <li>Advanced: Clients who authenticate using a more restrictive identity provider will receive all the information available to a Basic client plus whatever information the server operator deems appropriate for a fully authorized client. Supported identity providers include those developed by Verisign Labs (https://testprovider.rdap.verisignlabs.com/) and CZ.NIC (https://www.mojeid.cz/).</li> </ol></li> <li>Level of Maturity: This is a "proof of concept" research implementation.</li> <li>Coverage: This implementation includes all the features described in this specification.</li> <li>Version compatibility: Version -07 of this specification.</li> <li>Contact Information: Scott Hollenbeck, shollenbeck@verisign.com</li> </ul></t> </section> <section anchor="viagenie" title="Viagenie"> <t><ul empty="true" spacing="compact"> <li>Responsible Organization: Viagenie</li> <li>Location: https://auth.viagenie.ca</li> <li>Description: This implementation is an OpenID identity provider enabling users and registries to connect to the federation. It also includes a barebone RDAP client and RDAP server in order to test the authentication framework. Various levels of purpose are available for testing.</li> <li>Level of Maturity: This is a "proof of concept" research implementation.</li> <li>Coverage: This implementation includes most features described in this specification as an identity provider.</li> <li>Version compatibility: Version -07 of this specification.</li> <li>Contact Information: Marc Blanchet, marc.blanchet@viagenie.ca</li> </ul></t>public.</dd> <dt>Reference:</dt> <dd>RFC 9560</dd> </dl> </section> </section> <sectionanchor="Security" title="Security Considerations">anchor="Security"> <name>Security Considerations</name> <t>Security considerations for RDAP can be found inRFC 7481<xref target="RFC7481"/>. Security considerations for OpenID Connect Core <xref target="OIDCC"/> and OAuth 2.0 <xref target="RFC6749"/> can be found in their reference specifications; best current security practice for OAuth 2.0 can be found inRFC TBD<xref target="I-D.ietf-oauth-security-topics"/>. Additionally, the practices described inRFC 9325<xref target="RFC9325"/>MUST<bcp14>MUST</bcp14> be followed when the Transport Layer Security (TLS) protocol is used.</t> <t>As described in <xref target="auth-request"/>, the OAuth 2.0 Implicit Flow <xref target="RFC6749"/> is consideredinsecureinsecure, and efforts are being made to deprecate the flow. ItMUST NOT<bcp14>MUST NOT</bcp14> be used.</t> <t>Some of the responses described in this specification return information to a client from an RDAP server that is intended to help the client match responses to queries and manage sessions. Some of that information, such as the "userClaims" described in <xref target="session"/>, can be personally identifiable and considered sensitive if disclosed to unauthorized parties. An RDAP server operator must develop policies for information disclosure to ensure that personally identifiable information is disclosed only to clients that are authorized to process that information.</t> <t>The "do not track" claim relies on the good will of the RDAP server and associated proxies. As such,useusing and processingofthis claim depends on out-of-band trust relationships that need to be established before the claim is used in practice. If used and accepted by the RDAP server, there is a risk of information loss that could seriously impair audit capabilities.</t> <sectionanchor="access" title="Authenticationanchor="access"> <name>Authentication and AccessControl">Control</name> <t>Having completed the client identification, authorization, and validation process, an RDAP server can make access control decisions based on a comparison of client-provided information (such as the set of "userClaims" described in <xref target="session"/>) and local policy. For example, a client who provides an email address (and nothing more) might be entitled to receive a subset of the information that would be available to a client who provides an email address, a full name, and a stated purpose. Development of these access control policies is beyond the scope of this document.</t> </section> </section><section anchor="acks" title="Acknowledgments"> <t>The author would like to acknowledge the following individuals for their contributions to the development of this document: Julien Bernard, Marc Blanchet, Tom Harrison, Russ Housley, Jasdip Singh, Rhys Smith, Jaromir Talir, Rick Wilhelm, and Alessandro Vesely. In addition, the Verisign Registry Services Lab development team of Joseph Harvey, Andrew Kaizer, Sai Mogali, Anurag Saxena, Swapneel Sheth, Nitin Singh, and Zhao Zhao provided critical "proof of concept" implementation experience that helped demonstrate the validity of the concepts described in this document.</t> <t>Pawel Kowalik and Mario Loffredo provided significant text contributions that led to welcome improvements in several sections of this document. Their contributions are greatly appreciated.</t> </section></middle> <back><references title="Normative References"> &RFC2119; &RFC6265; &RFC6749; &RFC6750; &RFC7009; &RFC7480; &RFC7481; &RFC7662; &RFC9082; &RFC9083; &RFC7519; &RFC7617; &RFC8126; &RFC8174; &RFC8628; &RFC8693; &RFC9325; &RFC9068; &RFC9110;<displayreference target="I-D.ietf-oauth-security-topics" to="OAUTH-SECURITY"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6265.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6750.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7009.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7480.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7481.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7662.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9082.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9083.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7617.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8628.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8693.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9325.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9068.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml"/> <reference anchor="OIDCC" target="https://openid.net/specs/openid-connect-core-1_0.html"> <front> <title>OpenID Connect Core 1.0 incorporating errata set1</title>2</title> <authorinitials="" surname=""> <organization>OpenID Foundation</organization> </author>initials="N." surname="Sakimura"></author> <author initials="J." surname="Bradley"></author> <author initials="M." surname="Jones"></author> <author initials="B." surname="de Medeiros"></author> <author initials="C." surname="Mortimore"></author> <datemonth="November" year="2014" />month="December" year="2023"/> </front> </reference> <reference anchor="OIDCR" target="https://openid.net/specs/openid-connect-registration-1_0.html"> <front> <title>OpenID Connect Dynamic Client Registration 1.0 incorporating errata set1</title>2</title> <authorinitials="" surname=""> <organization>OpenID Foundation</organization> </author>initials="N." surname="Sakimura"></author> <author initials="J." surname="Bradley"></author> <author initials="M." surname="Jones"></author> <datemonth="November" year="2014" />month="December" year="2023"/> </front> </reference> <reference anchor="OIDCD" target="https://openid.net/specs/openid-connect-discovery-1_0.html"> <front> <title>OpenID Connect Discovery 1.0 incorporating errata set1</title>2</title> <authorinitials="" surname=""> <organization>OpenID Foundation</organization> </author>initials="N." surname="Sakimura"></author> <author initials="J." surname="Bradley"></author> <author initials="M." surname="Jones"></author> <author initials="E." surname="Jay"></author> <datemonth="November" year="2014" />month="December" year="2023"/> </front> </reference> <reference anchor="OIDCL" target="https://openid.net/specs/openid-connect-rpinitiated-1_0.html"> <front> <title>OpenID Connect RP-Initiated Logout 1.0</title> <authorinitials="" surname=""> <organization>OpenID Foundation</organization>surname="Jones" initials="M."> <organization>Microsoft</organization> </author> <author surname="de Medeiros" initials="B."> <organization>Google</organization> </author> <author surname="Agarwal" initials="N."> <organization>Microsoft</organization> </author> <author surname="Sakimura" initials="N."> <organization>NAT.Consulting</organization> </author> <author surname="Bradley" initials="J."> <organization>Yubico</organization> </author> <date month="September"year="2022" />year="2022"/> </front> </reference> <reference anchor="HTMLURL"target="https://url.spec.whatwg.org/#application/x-www-form-urlencoded">target="https://url.spec.whatwg.org/"> <front> <title>URL (Living Standard)</title><author initials="" surname=""> <organization>Web Hypertext Application Technology Working Group (WHATWG)</organization><author> <organization>WHATWG</organization> </author> <datemonth="September" year="2023" />month="March" year="2024"/> </front> </reference> </references><references title="Informative References"><references> <name>Informative References</name> <reference anchor="OIDC" target="https://openid.net/developers/how-connect-works/"> <front> <title>What is OpenID Connect</title><author initials="" surname=""> <organization>OpenID Foundation</organization><author> <organization>OpenID</organization> </author> </front> </reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8792.xml"/> <!-- [I-D.ietf-oauth-security-topics] IESG state: Waiting for AD Go-Ahead::AD Followup as of 04/23/24 --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-oauth-security-topics.xml"/> <reference anchor="gTLD" target="https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf"> <front> <title>Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service (RDS)</title> <author> <organization>Expert Working Group on gTLD Directory Services (EWG)</organization> </author> <datemonth="" year="" />year="2014" month="June"/> </front> </reference>&RFC4949; &RFC7942; &RFC8414; &RFC8792; &I-D.ietf-oauth-security-topics;</references> </references> <sectiontitle="Change Log"> <t> <list style="hanging"> <t hangText="00:">Initial working group version ported from draft-hollenbeck-regext-rdap-openid-10.</t> <t hangText="01:">Modified ID Token delivery approachanchor="acks" numbered="false" toc="default"> <name>Acknowledgments</name> <t>The author would like tonote proper use of an HTTP bearer authorization header.</t> <t hangText="02:">Modified token delivery approach (Access Token isacknowledge thebearer token)following individuals for their contributions tonote proper use of an HTTP bearer authorization header, fixingthechange made in -01.</t> <t hangText="03:">Updated OAuth 2.0 Device Authorization Grant description and reference due to publication of RFC 8628.</t> <t hangText="04:">Updated OAuth 2.0 token exchange description and reference due to publicationdevelopment ofRFC 8693. Correctedthis document: <contact fullname="Julien Bernard"/>, <contact fullname="Marc Blanchet"/>, <contact fullname="Tom Harrison"/>, <contact fullname="Russ Housley"/>, <contact fullname="Jasdip Singh"/>, <contact fullname="Rhys Smith"/>, <contact fullname="Jaromir Talir"/>, <contact fullname="Rick Wilhelm"/>, and <contact fullname="Alessandro Vesely"/>. In addition, theRDAP conformance identifier to be registered with IANA.</t> <t hangText="05:">Keepalive refresh.</t> <t hangText="06:">Keepalive refresh.</t> <t hangText="07:">Added "login_hint" description to <xref target="auth-request"/>. Added some text to <xref target="rdap_dnt_allowed"/> to note that "do not track" requires compliance with local regulations.</t> <t hangText="08:">Rework of token management processing in Sections 4 and 5.</t> <t hangText="09:">Updated RDAP specification references. Added text to describe both default and remote OpenID Provider processing. Removed text that described passingVerisign Registry Services Lab development team ofID Tokens as query parameters.</t> <t hangText="10:">Updated <xref target="discovery"/>. Replaced token processing queries with "login", "session", and "logout" queries.</t> <t hangText="11:">Replaced queries with "session/*" queries. Added description<contact fullname="Joseph Harvey"/>, <contact fullname="Andrew Kaizer"/>, <contact fullname="Sai Mogali"/>, <contact fullname="Anurag Saxena"/>, <contact fullname="Swapneel Sheth"/>, <contact fullname="Nitin Singh"/>, and <contact fullname="Zhao Zhao"/> provided critical "proof of"rdap" OAuth scope. Addedconcept" implementationstatus information.</t> <t hangText="12:">Updated data structure descriptions. Updated <xref target="IANA"/>. Minor formatting changes due to a move to xml2rfc-v3 markup.</t> <t hangText="13:">Added support for OP discovery via OP's Issuer Identifier. Modified the RDAP conformance text to use "roidc1", and addedexperience thatvalue to extension path segments, data structures, and query parameters. Changed the "purpose" and "dnt" claims to "rdap_allowed_purposes" (making it an array) and "rdap_dnt_allowed". Added the "roidc1_qp" and "roidc1_dnt" query parameters. Changedhelped demonstrate thedescriptions of "local" OPs to "default" OPs.</t> <t hangText="14:">Fixed a few instances of "id" that were changed to "roidc1_id" and "session" that were changed to "roidc1_session". Added "implicitTokenRefreshSupported".</t> <t hangText="15:">Fixed an instancevalidity ofopenidcConfiguration that was missingthe"roidc1" prefix. Changed SHOULD to MUST to describe the need to return the roidc1_openidcConfiguration data structure in a "help" response.</t> <t hangText="16:">Changed the "roidc1" prefix to "farv1". Added additional terminology text. Added RFC 8996 as a normative reference. Multiple clarifications in Sections 3, 4, and 5. Added login/refresh/logout sequence and conflict response text. Added "clientID" and "iss" to the "farv1_session" data structure. Made the "userClaims" and "sessionInfo" objects OPTIONAL in the "farv1_session" data structure. Fixed the curl example in <xref target="client-login-device"/>. Modified the "/device" and "/devicepoll" requests to include query parameters. Added "device_code" to the "farv1_deviceInfo" data structure. Added the "farv1_dc" query parameter.</t> <t hangText="17:">Changed string "true" to boolean trueconcepts described in<xref target="example_openidcConfiguration_structure"/>. Fixed the reference to RFC 8996. Updated references for RFCs 5226 (to 8126) and 7230 (to 9110).</t> <t hangText="18">Addressed WG last call feedback for which we had agreed-upon updates.</t> <t hangText="19">Updated Security Considerations. Updated response processing text. Added and changed text to describe support for session-oriented and token-oriented clients. Added reference to RFC 9068.</t> <t hangText="20">Updatedthis document.</t> <t><contact fullname="Pawel Kowalik"/> and <contact fullname="Mario Loffredo"/> provided significant textto describe support for session-oriented and token-oriented clients.</t> <t hangText="21">Changed "Servers MUST support both types of client" to "SHOULD". Added "sessionClientSupported" and "tokenClientSupported" as a consequence. Notedcontributions thatthe OIDCC Implicit Flow is being deprecated due to security concerns. Added additional text to describe the relationship between "providerDiscoverySupported" and "farv1_id", and "issuerIdentifierSupported" and "farv1_iss". Restructured <xref target="request-sequencing"/> and <xref target="query-processing"/>. Replaced the reference to RFC 2616 (obsolete) with RFC 9110. Replaced the reference to RFC 7231 (obsolete) with RFC 9110.</t> <t hangText="22">Changed MANDATORY to REQUIRED for BCP 14 alignment. Updated <xref target="client-cons"/>, <xref target="Security"/>, and <xref target="acks"/>.</t> <t hangText="23">Changed "IESG" to "IETF" in <xref target="IANA"/> at IANA's request.</t> <t hangText="24">AD evaluation edits.</t> <t hangText="25">IETF last call edits.</t> <t hangText="26">IESG evaluation edits.</t> <t hangText="27">IESG evaluation edit. Changed "An RDAP server operator SHOULD develop policies"led to"An RDAP server operator must develop policies"welcome improvements in<xref target="Security"/>.</t> </list> </t>several sections of this document. Their contributions are greatly appreciated.</t> </section> </back> </rfc>