Internet DRAFT - draft-pot-authentication-link
draft-pot-authentication-link
Network Working Group E. Pot
Internet-Draft October 02, 2019
Intended status: Standards Track
Expires: April 4, 2020
Link relationship types for authentication
draft-pot-authentication-link-01
Abstract
This specification defines a set of relationships that may be used to
indicate where a user may authenticate, log out, register a new
account or find out who is currently authenticated.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 4, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Pot Expires April 4, 2020 [Page 1]
Internet-Draft Link relationship types for authentication October 2019
1. Introduction
[RFC8288] defines a framework and registry for Link Relationships
types. This specification defines a set of new relationship types to
aid clients in discovering endpoints for authentication and
registration: "authenticate", "authenticated-as", "logout" and
"register-user".
1.1. Usage examples
1.1.1. Browsers
Many websites already provide these features. If these links are
annotated with a standard relationship type, it might allow browser
extensions to automatically discover these and present them in new
ways. It could for example show a browser-level logout button.
Link relationships such as these could appear on any page where Sign
in, Register, Log in or Log out features exist.
1.1.2. Web services
Many webservices provide a resource to discover more information
about the authenticated entity. Creating standard link relationships
might allow a generic client to discover information about the
currently logged in user.
Similarly, an "authenticate" link could allow a generic client to
find an OAuth2 Authorization endpoint.
This link relationship could appear on any API endpoint where this
might be relevant, or it might just show up on central endpoint
discovery document.
2. authenticate
The "authenticate" can be used to link to a resource that hosts a
page where a user can authenticate itself for the current resource.
For example, this link might refer to a HTML login page.
Example:
<a href="/login" rel="authenticate">Login</a>
Pot Expires April 4, 2020 [Page 2]
Internet-Draft Link relationship types for authentication October 2019
3. authenticated-as
The "authenticated-as" link refers to a resource that describes the
effective authenticated user for a HTTP response.
Following this link might allow a client to answer the question 'who
am I?'. This might link to a user profile page, or it might link to
an API that returns a JSON response with user information.
Example:
Link: <https://api.example.org/users/123-abc>; rel="authenticated-as"
4. logout
The "logout" refers to a resource where an authenticated user might
end their session.
In a browser this might clear cookies, or in the case of OAuth2 it
could revoke any active authentication tokens.
5. register-user
The "register-user" Link Relation refers to a resource where a user
might sign up for a service for the context URI.
The linked resource might contain a HTML registration form, or
otherwise instructions that allow a client to find out how to sign up
for the service.
6. IANA considerations
This document defines "authenticate", "authenticated-as", "logout"
and "register-user" link relation types and adds them to the "Link
Relations" registry:
6.1. authenticate link relation
o Relation name: authenticate
o Description: Refers to a resource where a client may authenticate
for the the context URI.
o Reference: TBD
Pot Expires April 4, 2020 [Page 3]
Internet-Draft Link relationship types for authentication October 2019
6.2. authenticated-as link relation
o Relation name: authenticated-as
o Description: Refers to a resource that describes the authenticated
entity for the HTTP response.
o Reference: TBD
6.3. logout link relation
o Relation name: logout
o Description: Refers to an endpoint where a client may invalidate
the current authentication session.
o Reference: TBD
6.4. register-user link relation
o Relation name: register-user
o Description: Refers to a resource where a client may create a new
user account for the context URI.
o Reference: TBD
7. Normative References
[RFC8288] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017,
<https://www.rfc-editor.org/info/rfc8288>.
Appendix A. Changelog
A.1. Changes since -00
o More examples and clarifications
Author's Address
Evert Pot
Email: me@evertpot.com
URI: https://evertpot.com/
Pot Expires April 4, 2020 [Page 4]