[gtld-tech] Progress Report for the Verisign Labs Experiment with Federated Authentication for RDAP

Hollenbeck, Scott shollenbeck at verisign.com
Mon Feb 29 16:31:28 UTC 2016


Thank you to everyone who has taken part in the Verisign Labs experiment with federated authentication for RDAP. This is a summary of the things we've found through the end of February. Here's a link to my original description of the experiment:

http://mm.icann.org/pipermail/gtld-tech/2016-February/000703.html

1. Back in January I sent a cross-area review request to the IETF OAuth mailing list:

https://mailarchive.ietf.org/arch/msg/oauth/ir4Yu1U8_oM3l52j-difKKn3u8A

One person volunteered to take a look. I'm still waiting for their feedback.

2. We found one issue with the OpenID Connect specification. The auth_time claim element of the ID Token is described as "a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC". We've found one implementation that represents this value as an integer, another that represents it as a float, and the two do not interoperate. We've opened issues in the GitHub repositories for both projects, but there's been no discussion. In the meantime we've patched the code we're running to make things work.

3. We found a few issues with our software implementation of RDAP, but nothing due to issues with the specifications.

3.1 We've had to fix response codes to note the difference between 404 (not found) and 501 (not implemented) responses.

3.2 Our first implementation of core RDAP omitted search functionality. We now have it implemented per RFC 7482. More interestingly, we've done some experimentation with more complex search patterns. I'll provide a more detailed description of our findings in another message at some point in the future.

4. We've integrated two identity providers in addition to the Google Gmail and Microsoft Hotmail providers described in my original note. Verisign Labs has developed an identity provider that allows us to make and test software changes (such as support for new claims) quickly and easily. We've also added support for an identity provider developed by CZ.NIC. CZ.NIC has been very helpful with debugging the interoperability issue described in point #2 above (thanks, Jaromír).

We're still looking for people to both try the service as end users and/or participate in the experiment as RDAP server operators or as identity providers. Please contact me directly for details.

Scott
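
The auth_time interoperability problem in point 2, as an added example that is not part of the original message and is not the patch Verisign Labs applied: a relying-party check that accepts either JSON number form and normalizes it before the freshness comparison. The function names, the leeway parameter and the sample payloads are assumptions made for illustration.

```python
import json
import math


def parse_auth_time(claims):
    """Return auth_time as whole seconds since the epoch, or raise ValueError."""
    value = claims.get("auth_time")
    # bool is a subclass of int in Python; JSON true/false is not a number.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("auth_time must be a JSON number")
    # Python's json module also yields NaN/Infinity for some inputs; reject them.
    if isinstance(value, float) and not math.isfinite(value):
        raise ValueError("auth_time must be finite")
    if value < 0:
        raise ValueError("auth_time must not be negative")
    # Drop any fractional part so 1456763488 and 1456763488.0 compare equal.
    return int(value)


def auth_is_fresh(claims, max_age, now, leeway=0):
    """True if the end user authenticated within max_age seconds of now."""
    auth_time = parse_auth_time(claims)
    if auth_time > now + leeway:
        raise ValueError("auth_time is in the future")
    return now - auth_time <= max_age + leeway


# Constructed ID Token payloads (already signature-verified in a real flow):
# the same instant as emitted by an integer-style and a float-style provider,
# plus a string form that is not a JSON number and must be refused.
AS_INTEGER = json.loads('{"sub": "user-1", "auth_time": 1456763488}')
AS_FLOAT = json.loads('{"sub": "user-1", "auth_time": 1456763488.0}')
AS_STRING = json.loads('{"sub": "user-1", "auth_time": "1456763488"}')

if __name__ == "__main__":
    now = 1456763588  # constructed clock value, 100 seconds after auth_time
    for name, claims in (("integer", AS_INTEGER), ("float", AS_FLOAT)):
        print(name, parse_auth_time(claims), auth_is_fresh(claims, 300, now))
    try:
        parse_auth_time(AS_STRING)
    except ValueError as exc:
        print("string rejected:", exc)
```

Normalizing at the claim boundary keeps the max_age decision identical whichever provider issued the token, while still refusing values that are not numbers at all.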

