[TSG-Access-RD] Useful resource on OAuth2/OpenID Connect

[Hollenbeck, Scott]

> -----Original Message-----
> From: TSG-Access-RD <tsg-access-rd-bounces at icann.org> On Behalf Of
> Gavin Brown
> Sent: Friday, December 14, 2018 12:13 PM
> To: tsg-access-rd at icann.org
> Subject: [EXTERNAL] [TSG-Access-RD] Useful resource on OAuth2/OpenID
> Connect
>
> I know we have yet to agree on a charter but I don't think there's any harm in
> starting to explore the solution space.
>
> I've been meaning to get my head around OAuth2 and OpenID Connect for
> some time, being aware of the work of Scott and Marc Blanchet of Viagenie
> on using OpenID Connect to authenticate RDAP queries.
> Suspecting that any protocol we might produce will be based on them, I
> spent some time today looking for an "idiot's guide" and found this video on
> YouTube which I think is worth an hour of your time:
>
> https://www.youtube.com/watch?v=996OiexHze0
>
> I've tried to conceptualise how the different parts of OAuth2 might map onto
> our use case:
>
> * "Resource owner" - for us, this would not be owner of the registration
> data, but the person requesting access to non-public registration data.
>
> * "Authorisation server" - this would be operated by ICANN, but could
> redirect to other authorisation servers. The might also redirect to a third-
> party authentication server.

The third-party authentication server is sometimes described as an "Identity Provider".

> * "Resource server" - this is an RDAP server. It seems as though a way for
> ICANN and RO to agree on a client's access token is needed.

Also sometimes described as a "Relying Party".

> * "Authorisation grants" - one difference to the traditional OAuth2 model is
> that the specific permissions granted are determined by the authz server,
> not the user.
>
> Scott - any thoughts on the above?

These look fine. Anyone who cares to see how I've tried to apply these concepts to a model for RDAP may want to read through my Internet-Draft:

https://datatracker.ietf.org/doc/draft-hollenbeck-regext-rdap-openid/

I have both an RDAP server and an Identity Provider running to demonstrate the concepts:

https://rdap-pilot.verisignlabs.com/rdap/v1/

I can provide access credentials for a Verisign-developed Identity Provider for anyone who wants to see how the authentication and authorization parts work. Marc Blanchet's company also implemented an identity provider where you can create a credential yourself:

https://auth.viagenie.ca/oxauth/login

ICANN sponsored development of a client that appears to operate in the way described in our charter. That client can be found here:

https://rdap-client.viagenie.ca/

None of this should be presumed to be anything more than a proof-of-concept implementation. They can, however, help us understand what's available in terms of technology that has been demonstrated to perform some of the functions we need to investigate.

Scott