HTTPAPI                                                           E. Pot
Internet-Draft                                              4 March 2024
Intended status: Standards Track                                        
Expires: 5 September 2024


               Link relationship types for authentication
               draft-ietf-httpapi-authentication-link-01

Abstract

   This specification defines a set of relationships that may be used to
   indicate where a user may authenticate, log out, register a new
   account or find out who is currently authenticated.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.






Pot                     Expires 5 September 2024                [Page 1]

Internet-Draft  Link relationship types for authenticati      March 2024


Table of Contents

   1.  Introduction
     1.1.  Usage examples
       1.1.1.  Browsers
       1.1.2.  Web services
   2.  authenticate
   3.  authenticated-as
   4.  logout
   5.  register-user
   6.  IANA considerations
     6.1.  authenticate link relation
     6.2.  authenticated-as link relation
     6.3.  logout link relation
     6.4.  register-user link relation
   7.  Normative References
   Appendix A.  Changelog
     A.1.  Changes since -00
   Author's Address

1.  Introduction

   [RFC8288] defines a framework and registry for Link Relationship
   types.  This specification defines a set of new relationship types to
   aid clients in discovering endpoints for authentication and
   registration: authenticate, authenticated-as, logout and
   register-user.

1.1.  Usage examples

1.1.1.  Browsers

   Many websites already provide these features.  If these links are
   annotated with a standard relationship type, it might allow browser
   extensions to automatically discover these and present them in new
   ways.  It could for example show a browser-level logout button.

   Link relationships such as these could appear on any page where Sign
   in, Register, Log in or Log out features exist.

1.1.2.  Web services

   Many web services provide a resource to discover more information
   about the authenticated entity.  Creating standard link relationships
   might allow a generic client to discover information about the
   currently logged in user.





   Similarly, an authenticate link could allow a generic client to find
   an OAuth2 Authorization endpoint.

   This link relationship could appear on any API endpoint where this
   might be relevant, or it might just show up on a central endpoint
   discovery document.

2.  authenticate

   The authenticate link relation can be used to link to a resource that
   hosts a page where a user can authenticate for the current resource.

   For example, this link might refer to an HTML login page.

   Example:

   <a href="/login" rel="authenticate">Login</a>

3.  authenticated-as

   The authenticated-as link refers to a resource that describes the
   effective authenticated user for an HTTP response.

   Following this link might allow a client to answer the question 'who
   am I?'.  This might link to a user profile page, or it might link to
   an API that returns a JSON response with user information.

   Example:

   Link: <https://api.example.org/users/123-abc>; rel="authenticated-as"

4.  logout

   The logout link relation refers to a resource where an authenticated
   user might end their session.

   In a browser this might clear cookies, or in the case of OAuth2 it
   could revoke any active authentication tokens.

5.  register-user

   The register-user Link Relation refers to a resource where a user
   might sign up for a service for the context URI.

   The linked resource might contain an HTML registration form, or
   other instructions that allow a client to find out how to sign up
   for the service.
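
   The following JavaScript is an added example, not part of the draft.
   It parses a Link header field, picks out the four relation types
   defined above, resolves each target against the context URI, and
   reports whether the target stays on the context's origin and uses
   https.  The function names, the sample header and the origin/https
   report are assumptions of this example.

```javascript
// Added example (not from the draft): find the draft's relation types in a Link header.
const AUTH_RELS = new Set(["authenticate", "authenticated-as", "logout", "register-user"]);

// Parse an RFC 8288 Link field value into [{ target, params }]. Quoted-string
// parameters are honoured, so a comma inside quotes does not split a link.
function parseLinkHeader(value) {
  const linkRe = /<([^>]*)>((?:\s*;\s*[^\s=;,]+(?:\s*=\s*(?:"(?:[^"\\]|\\.)*"|[^\s;,]*))?)*)\s*(?:,|$)/g;
  const paramRe = /;\s*([^\s=;,]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s;,]*)))?/g;
  const links = [];
  for (const m of value.matchAll(linkRe)) {
    const params = Object.create(null); // no prototype: parameter names are untrusted
    for (const p of m[2].matchAll(paramRe)) {
      const name = p[1].toLowerCase();
      const val = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : (p[3] || "");
      if (!(name in params)) params[name] = val; // keep the first occurrence
    }
    links.push({ target: m[1], params });
  }
  return links;
}

// Resolve each authentication-related link against the context URI and record
// whether it stays on the context's origin and whether it uses https.
function discoverAuthLinks(contextUri, linkHeader) {
  const context = new URL(contextUri);
  const found = [];
  for (const { target, params } of parseLinkHeader(linkHeader)) {
    if ("anchor" in params) continue; // link is about another resource; skip it
    const rels = (params.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    for (const rel of rels.filter((r) => AUTH_RELS.has(r))) {
      let url;
      try { url = new URL(target, context); } catch { continue; } // unparsable target
      found.push({ rel, href: url.href,
        sameOrigin: url.origin === context.origin, secure: url.protocol === "https:" });
    }
  }
  return found;
}

// Constructed sample header; only the first link is taken from the draft's example.
const SAMPLE_LINK =
  '<https://api.example.org/users/123-abc>; rel="authenticated-as", ' +
  '</login>; rel="authenticate"; title="Sign in, please", ' +
  '<http://accounts.example.net/logout>; rel="logout", </docs>; rel="help"';

for (const l of discoverAuthLinks("https://api.example.org/orders/42", SAMPLE_LINK)) {
  console.log(l.rel, l.href, l.sameOrigin && l.secure ? "ok" : "review before following");
}
```

   A generic client can use the sameOrigin and secure fields to decide
   whether to follow a discovered link automatically or to ask the user
   first.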




6.  IANA considerations

   This document defines authenticate, authenticated-as, logout and
   register-user link relation types and adds them to the "Link
   Relations" registry:

6.1.  authenticate link relation

   *  Relation name: authenticate

   *  Description: Refers to a resource where a client may authenticate
      for the context URI.

   *  Reference: TBD

6.2.  authenticated-as link relation

   *  Relation name: authenticated-as

   *  Description: Refers to a resource that describes the authenticated
      entity for the HTTP response.

   *  Reference: TBD

6.3.  logout link relation

   *  Relation name: logout

   *  Description: Refers to an endpoint where a client may invalidate
      the current authentication session.

   *  Reference: TBD

6.4.  register-user link relation

   *  Relation name: register-user

   *  Description: Refers to a resource where a client may create a new
      user account for the context URI.

   *  Reference: TBD

7.  Normative References

   [RFC8288]  Nottingham, M., "Web Linking", RFC 8288,
              DOI 10.17487/RFC8288, October 2017,
              <https://www.rfc-editor.org/rfc/rfc8288>.




Appendix A.  Changelog

A.1.  Changes since -00

   *  More examples and clarifications

Author's Address

   Evert Pot
   Email: me@evertpot.com
   URI:   https://evertpot.com/