[TSG-Access-RD] Useful resource on OAuth2/OpenID Connect

Hollenbeck, Scott shollenbeck at verisign.com
Mon Dec 17 18:19:12 UTC 2018



> On Dec 17, 2018, at 1:07 PM, Tomofumi Okubo <tomofumi.okubo at digicert.com> wrote:
> 
> I think it is a good starting point.
> 
>>   7. The RDAP server validates the ID and/or access token and returns the
>>   response to the client. Subsequent requests would bypass steps 2-6.
> 
> For non-public data, this would be an issue as the data requester can freely query whatever once the connection is established. I believe there needs to be some sanity check per query for non-public data, especially as RDAP allows regex-ish searches.
> 
Tokens are still used to validate requests once they’ve been negotiated. There are no “free” queries that bypass the authentication mechanism unless the client chooses to send a query without the parameters - and if they do that the query is processed without authentication.

Scott
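Added example, not code from this thread or from any RDAP implementation: a small simulation of the per-request check the reply describes. The access token is validated on every query (step 7 is repeated for each request rather than only the first), a query sent without a token is processed as an unauthenticated query and gets only public fields, and a token that is presented but fails validation is rejected. The HMAC-signed token format, the `rdap:nonpublic` scope name and the registry record are all constructed stand-ins for illustration.

```python
"""
Added example (not code from the TSG-Access-RD thread or any RDAP server):
simulate validating the ID/access token on every RDAP request. A request
without a token is processed without authentication (public data only);
a request with a bad or expired token is refused. The token format below
(HMAC-signed JSON) is a constructed stand-in for an OpenID Connect token.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side key shared with the simulated token issuer.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed registry data: public fields plus one non-public object.
REGISTRY = {
    "example.com": {
        "ldhName": "example.com",
        "status": ["active"],
        "registrant": {"fn": "Jane Doe", "email": "jane@example.com"},
    }
}
NON_PUBLIC_FIELDS = {"registrant"}
NON_PUBLIC_SCOPE = "rdap:nonpublic"  # hypothetical scope name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, ttl: int = 300, now=None) -> str:
    """Simulated issuer: sign a claims object that carries an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_token(token: str, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle_rdap_query(path: str, headers: dict, now=None) -> tuple:
    """Step 7 applied to every request: returns (status, body)."""
    auth = headers.get("Authorization", "")
    claims = None
    if auth.startswith("Bearer "):
        claims = validate_token(auth[len("Bearer "):], now=now)
        if claims is None:
            # A token was presented but is invalid or expired: reject it.
            return 401, {"errorCode": 401, "title": "invalid token"}
    # No token at all: the query is processed without authentication.
    prefix = "/domain/"
    if not path.startswith(prefix):
        return 404, {"errorCode": 404, "title": "not found"}
    record = REGISTRY.get(path[len(prefix):])
    if record is None:
        return 404, {"errorCode": 404, "title": "not found"}
    authorized = claims is not None and NON_PUBLIC_SCOPE in claims["scope"].split()
    if authorized:
        return 200, dict(record)
    # Unauthenticated or insufficiently scoped: redact non-public fields.
    return 200, {k: v for k, v in record.items() if k not in NON_PUBLIC_FIELDS}


if __name__ == "__main__":
    tok = issue_token("registrar-42", NON_PUBLIC_SCOPE)
    print(handle_rdap_query("/domain/example.com", {"Authorization": "Bearer " + tok}))
    print(handle_rdap_query("/domain/example.com", {}))  # same client, no token sent
    print(handle_rdap_query("/domain/example.com", {"Authorization": "Bearer " + tok + "x"}))
```

The point the reply makes is in `handle_rdap_query`: there is no session state that remembers an earlier successful validation, so a later query either carries a token that is checked again or is answered as an unauthenticated query.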

