pawel-kow
commented
7 months ago IMHO likely it's worth mentioning, but isn't that actually out of scope here? Or in other words, I would only first transition as-is state of EPP, with user/password with simple auth. Important factor here would be that the authentication should move to http layer rather than payload. This has loads of benefits on it's own - for example one can peek the payload on the server without any risk of exposing credential data. Also the authentication/authorization may be off-loaded to an API gateway, which is also a way to adress performance challenges and separate the concerns of the underlaying systems. Other methods, like bearer token based authentication and authorization, with specific flows like OAuth I would leave to separate specifications. We may mention it as extension point however.
maybe describe requirements for auth schemes? best fit would be something like JSON Web Token (JTW) https://datatracker.ietf.org/doc/html/rfc7519
where server can validate token after client gets token van auth server. how much of this process do we need to describe?