An OpenID Connect authentication proxy for an RDAP server, based on draft-ietf-regext-rdap-openid. This is a proof-of-concept only, and is not intended for production use.
Perl dependencies are listed in Makefile.PL.
perl Makefile.PL
make
make test
sudo make install
Configuration is in YAML format, like so:
port: {port}
base_rdap_url: {base-rdap-url}
dnt_supported: {boolean}
issuer_identifier_supported: {boolean}
implicit_token_refresh_supported: {boolean}
idp_details:
{name}:
id: {idp-client-id}
name: {idp-name}
secret: {idp-client-secret}
discovery_uri: {idp-discovery-uri}
...
redirect_uri: {redirect-uri}
idp_mappings:
- [ {regex}, {name} ]
- ...
filters:
unauthenticated:
{filter_name}: {enabled}
authenticated:
{filter_name}: {enabled}
port is the port on which the server will run.
base_rdap_url is the base URL of the RDAP server for which this
server is operating as a proxy.
dnt_supported indicates whether 'do not track'-style functionality
is supported (defaults to false).
issuer_identifier_supported indicates whether the client can
specify an ISS value manually in a 'login' request (defaults to
true).
implicit_token_refresh_supported indicates whether the server will
attempt to refresh the access token if it has expired (defaults to
true).
idp_details maps from a server-specific name for an
identity provider to the configuration details for that provider.
idp-name is a descriptive string that is returned in the RDAP
/help response.
idp_mappings is a list of lists, where each element list contains a
Perl regular expression and an identity provider name. This is used
to map from the user-provided id argument to an identity provider:
the provider for the first expression that matches the id argument
will be used for the relevant request. Provider issuer
discovery
is not currently implemented.
filters affect how requests to or responses from the proxied RDAP
server are handled. For unauthenticated requests, two filters
are defined:
no_entities, which strips top-level entities from the response; anddeny, which returns403 Forbiddenfor all requests.
For authenticated requests, two filters are defined:
pass_authenticated, which passes anauthenticated=1query argument to the backend; andpass_purpose, which passes the purposes from the user's claims to the backend.
Using a configuration file like so, with Google as the provider:
port: 38279
base_rdap_url: http://rdap.apnic.net
idp_details:
google:
id: {client-id}.apps.googleusercontent.com
secret: {client-secret}
discovery_uri: https://accounts.google.com/.well-known/openid-configuration
idp_mappings:
- [ "@gmail.com", "google" ]
filters:
unauthenticated:
no_entities: 1
A standard request can be sent like so:
$ curl http://localhost:38279/domain/203.in-addr.arpa
{"ldhName":"203.in-addr.arpa", ...
To log in via an OIDC provider, the client sends a request to the 'login' endpoint. (In this instance, because there is only one IDP, there is no need to provide the identifier in the request. However, depending on the configuration, an identifier and/or an issuer identifier may need to be provided.)
After logging in successfully, subsequent RDAP requests will be considered authenticated.
- This has been tested with Google's identity provider and with Keycloak. Other providers may not work as expected.
See LICENSE.txt.