Federated Authentication for RDAP

Scott Hollenbeck edited this page Jul 28, 2020 · 1 revision

The Registration Data Access Protocol (RDAP) is described in RFCs 7480, 7481, 7482, and 7483. RDAP is HTTPS-based, so it inherits all of the default client identification and authentication features that are available to servers that support HTTPS. It does not currently include a federated authentication mechanism.

RDAP is currently used in environments such as the regional Internet number registries and generic Top-Level Domain (gTLD) registry and registrar operations to provide access to registration data. Some of this data is sensitive, and some RDAP operations (such as searching) can strain server resources if abused. There is a need for a federated authentication mechanism that provides fine-grained client identification and authorization features, so that server operators can make access control decisions when processing requests for data or for access to resource-consuming functions. One such mechanism is described in a REGEXT working group draft, Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect. The approach described in this draft has been implemented in prototype environments and has been shown to work and interoperate, but it has the same browser dependency described in the GNAP charter. This means that the draft has to include a small hack and a second-device dependency for UI-constrained RDAP clients, such as those that use a command-line interface.

GNAP may be a better solution if there's a way to eliminate the second device dependency. I'd consider working with the REGEXT working group to consider GNAP if it provides a "better" solution.