SIDN / ietf-epp-restful-transport

RESTful transport for EPP

Add section about authentication? #55

Open mwullink opened 9 months ago

mwullink commented 9 months ago

Maybe describe requirements for auth schemes? Best fit would be something like JSON Web Token (JWT) https://datatracker.ietf.org/doc/html/rfc7519

where the server can validate the token after the client gets the token from the auth server. How much of this process do we need to describe?

pawel-kow commented 9 months ago

IMHO it's likely worth mentioning, but isn't that actually out of scope here? In other words, I would at first only transition the as-is state of EPP, with user/password and simple auth. The important factor here would be that the authentication should move to the HTTP layer rather than the payload. This has loads of benefits on its own: for example, one can peek at the payload on the server without any risk of exposing credential data. Also, authentication/authorization may be off-loaded to an API gateway, which is also a way to address performance challenges and separate the concerns of the underlying systems. Other methods, like bearer-token-based authentication and authorization with specific flows like OAuth, I would leave to separate specifications. We may mention it as an extension point, however.
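The two points raised in this thread, credentials in the HTTP layer instead of the EPP payload and server-side validation of a JWT obtained from an auth server, as an added example. This is illustration code written for this page, not code from the ietf-epp-restful-transport draft or repository; the key, issuer, audience, claim values and the shape of the request body are assumptions, and the draft does not define any of them. Only the Python standard library is used, so the JWT is HS256 (shared secret); a real deployment with a separate auth server would normally use an asymmetric algorithm and fetch the public key from that server.

```python
"""Added example: HTTP-layer auth for RESTful EPP vs. credentials in the <login> payload,
plus minimal RFC 7519 (JWT, HS256) validation on the server side.
All names and values below are assumptions for illustration, not from the draft."""
import base64
import hashlib
import hmac
import json
import time

# Assumed deployment parameters (constructed for this example).
KEY = b"shared-secret-between-auth-server-and-epp-server"
ISSUER = "https://auth.example.net"          # assumed auth server
AUDIENCE = "epp.registry.example"            # assumed RESTful EPP server identity
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "ClientX", "iat": 1700000000, "exp": 1700003600}

# "As-is" EPP (RFC 5730): the password travels inside the XML payload, so anyone
# who logs or inspects the body sees it. Constructed sample, truncated.
LEGACY_LOGIN = """<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
 <command><login><clID>ClientX</clID><pw>foo-BAR2</pw></login></command></epp>"""

# RESTful variant (assumed shape): the body carries only the EPP operation; the
# credential lives in the HTTP Authorization header and never enters the payload.
REST_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><hello/></epp>"""


def payload_contains_credentials(xml: str) -> bool:
    """True if an EPP password element is present in the body."""
    return "<pw>" in xml


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(key: bytes, claims: dict) -> str:
    """What the (hypothetical) auth server does: sign header.payload with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(key: bytes, token: str, issuer: str, audience: str, now: float = None) -> dict:
    """Server-side check: alg pinned, signature, iss, aud, exp, nbf. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm ("none" etc.)
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def handle_request(key: bytes, headers: dict, body: str, now: float = None):
    """RESTful EPP server (or API gateway in front of it): authenticate from the header only.
    Returns (http_status, authenticated_client_id)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    try:
        claims = verify_jwt(key, auth[len("Bearer "):], ISSUER, AUDIENCE, now)
    except ValueError:
        return 401, None
    return 200, claims["sub"]


def tampered_token(token: str, new_sub: str) -> str:
    """Attacker rewrites the claims but cannot re-sign: signature check must fail."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["sub"] = new_sub
    return f"{h}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    tok = issue_jwt(KEY, CLAIMS)
    print(handle_request(KEY, {"Authorization": "Bearer " + tok}, REST_BODY, now=1700000100))
    print(handle_request(KEY, {"Authorization": "Bearer " + tampered_token(tok, "Mallory")}, REST_BODY, now=1700000100))
```

The split pawel-kow describes is visible in `handle_request`: it never looks at the body to authenticate, so the body can be logged or inspected without exposing a password, and the same function could run in an API gateway that forwards only `sub` to the EPP backend.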