IETF Logo Mail Archive

Re: [Ace] comment on draft-ietf-ace-oauth-authz-26

Daniel Migault <daniel.migault@ericsson.com> Mon, 25 November 2019 14:41 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0305F120918 for <ace@ietfa.amsl.com>; Mon, 25 Nov 2019 06:41:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRaZQ5VmfvGA for <ace@ietfa.amsl.com>; Mon, 25 Nov 2019 06:41:15 -0800 (PST)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-eopbgr790088.outbound.protection.outlook.com [40.107.79.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67561209C3 for <ace@ietf.org>; Mon, 25 Nov 2019 06:41:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MYGixlXrFryafL3/wCzkQFNdvLPki3MRwPIhdj6jnwRkTiY1+9E1Vyg9r7k1aWE/DZjk5FM+SFUqoaG5WFSl2Eo6laCWjN4Nr9cuJQD96ZaxtFC7+6RkYXn0nQnBnJe6WOGSe2vCKUZd9HDUuWjtcnZGJCf1OVH/ayFiGsH1vZoEwou6O9R0WAxMNvLkiS9hs1xScIltuGvP+BtKRJm66hFzsuBk0i+rzcV3/ymfV/cR4e/r5kqtwLKII22CueNaU4Fbw01i7OYMfYIgfUgLQ3vn4TqTl0HNsp/6Ee19JENE9ZCHWe/jzkIcSJ/InqCYZOVMh689SKQlVzowCuN/4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XOhd4X7OPXAWmYLroi4R46ulGUC3fhqqoMLQhfkEm+8=; b=CWlLvoO4GK1f7QUYZEw+GwOvJx0qDf9Xpa0bYCzIhnoFwvhQKscws/8MrOO8LTKWpvSajQPnKRgq2lSZav8e5P7oQwfqNUCEWrTJbdco2syexSbTy/CDcpvLvD/A8tGZaC9oNm8gJuPyrfv67G8tRGfVtQgLq2W5uZB3Hhzt6x/avgDqluJKZOg4upGQJaCc3YfLQjrc4zvm5gW/tFKSs3RWGKRmMlfPDKuUnoAADDfp+PhTeTNqQwHPufYHDXlQUV/REPsKWamx/wuFNR+qOmXZzutBjCOuGpcyOnx6h9Lz5vkt1AGzeCu4fTg2LU/Nq12IMpTE17PoosZ/47zoyw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XOhd4X7OPXAWmYLroi4R46ulGUC3fhqqoMLQhfkEm+8=; b=DxZYR6oNglUE3hAxHYSeMTKq5WTIGnXNpXUt8OuahR2AxJP4iLe4BCNuF9uIa5zQMF4lwQaDPEbI9eCU6dEZYj7/jc6frn+8yJaw7WRjtZ2LHkENnFbWQfvFTencu5Wug/1EQWqKDas+J/U2OEWVp8mYsEXovr67z3/z8xrPX5c=
Received: from BY5PR15MB3521.namprd15.prod.outlook.com (10.255.245.75) by BY5PR15MB3523.namprd15.prod.outlook.com (52.133.254.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.22; Mon, 25 Nov 2019 14:41:10 +0000
Received: from BY5PR15MB3521.namprd15.prod.outlook.com ([fe80::e950:7249:b996:a13a]) by BY5PR15MB3521.namprd15.prod.outlook.com ([fe80::e950:7249:b996:a13a%7]) with mapi id 15.20.2474.023; Mon, 25 Nov 2019 14:41:10 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Cigdem Sengul' <cigdem.sengul@gmail.com>
CC: "ace@ietf.org" <ace@ietf.org>, 'Ludwig Seitz' <ludwig.seitz@ri.se>
Thread-Topic: [Ace] comment on draft-ietf-ace-oauth-authz-26
Thread-Index: AQHVoBODTRvmfj9LwkSkMn4vLe0h8aeU7P0AgAADQXCAAGtOAIAC+IQAgAL8BoCAAKrFIA==
Date: Mon, 25 Nov 2019 14:41:10 +0000
Message-ID: <BY5PR15MB35214FD50A37B9BC19D26B70E34A0@BY5PR15MB3521.namprd15.prod.outlook.com>
References: <CADZyTkkUsfeXcMo3pgZH47P2zWVdearXO4SLjvLOmDcGC4TptA@mail.gmail.com> <93a0ac2d-6d00-ad7b-677c-4c44b77f91e0@ri.se> <CH2PR15MB352544C3EB0EA2D5824C59BDE34E0@CH2PR15MB3525.namprd15.prod.outlook.com> <CAA7SwCM60p-TSgNGhhcODiVZ3qayYgTLFhvwyGtp_up4hibqAA@mail.gmail.com> <CADZyTk=-jXkQCMy_379RNB6bALxrSEX7fzT_e+KA1HW2vjcvrQ@mail.gmail.com> <052801d5a348$20fb98b0$62f2ca10$@augustcellars.com>
In-Reply-To: <052801d5a348$20fb98b0$62f2ca10$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=daniel.migault@ericsson.com;
x-originating-ip: [192.75.88.130]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f5f97aad-97cc-46ae-8d8a-08d771b583bd
x-ms-traffictypediagnostic: BY5PR15MB3523:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <BY5PR15MB3523CB3B5BEC5D2D8DBBF564E34A0@BY5PR15MB3523.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0232B30BBC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(136003)(39850400004)(346002)(366004)(51444003)(199004)(189003)(13464003)(51914003)(54906003)(55016002)(6306002)(186003)(54896002)(110136005)(236005)(14444005)(256004)(9686003)(966005)(14454004)(6436002)(8676002)(81166006)(81156014)(7736002)(25786009)(2906002)(74316002)(33656002)(5660300002)(52536014)(7696005)(6246003)(99286004)(76176011)(4326008)(478600001)(8936002)(86362001)(790700001)(9326002)(316002)(3846002)(6116002)(66946007)(66476007)(66556008)(64756008)(66446008)(76116006)(102836004)(26005)(71200400001)(44832011)(71190400001)(66066001)(53546011)(229853002)(6506007)(606006)(11346002)(446003); DIR:OUT; SFP:1101; SCL:1; SRVR:BY5PR15MB3523; H:BY5PR15MB3521.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: VACJleuHgSt/IYB6q07I3ouDVSpflIdBuNAl1dQ/qQsvJRQZIG/D1FlsOFbpuFHphi/QH78wDR0xMuzdfwx25rYesSGU5zwwCtLDJ4d68V9p24ddCoOS9+Oaql5sPhRlGttLMNJ5AGr0mhr0ja9anXA3U0KjveWudf9pcyScpkrbMKSHVAWolhtb04JF4Jv5XxxLwN1pBAvzIFBguqssp+gWuq3As3JA7AAX4P+khZN+czlA7P376YBDufhXW8WstDBs2SYEFdjVV1u/UcRycDW4VdbSNwYQlfH72HY8FFmBagiEMoxVQDZzvp73w7nzJJxnVijSmW9RQ4fnu5yYBJsK9S7jOkC4NxmjvJVMdwQPyEn78r27ljZiSTk+7Ucri9Wo+BHWpcwgXSkWN7j+uPjgzA1h2UPrQvGWaM5q0FrMD6zHSABpE5V+0ejn7KUyBtjofUldgpPwb8Q7duwtJvzCBIMhkBrgvuAwk5j4l08=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR15MB35214FD50A37B9BC19D26B70E34A0BY5PR15MB3521namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5f97aad-97cc-46ae-8d8a-08d771b583bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Nov 2019 14:41:10.7832 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QvR2bs8ANxQuknp55fqEYytQANO1fenIKtQYfdOV0e9IbDzRjdbfS+BSIm3eGQ+wjffThhVgRLtHvLHXkvP6E7jvt1DC0WkAZ7vkTF30X2M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR15MB3523
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/6ohuiRex8fb9D_1rwT6pWmc7Q2M>
Subject: Re: [Ace] comment on draft-ietf-ace-oauth-authz-26
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 14:41:19 -0000

Hi Jim,

I think that was the point I was raising and my understanding is that the text we follow is [ace-oauth-authz]. Are you suggesting to completely remove 6749 completely, or is there any text you would prefer ?

Yours,
Daniel

From: Jim Schaad <ietf@augustcellars.com>
Sent: Sunday, November 24, 2019 11:24 PM
To: Daniel Migault <daniel.migault@ericsson.com>; 'Cigdem Sengul' <cigdem.sengul@gmail.com>
Cc: ace@ietf.org; 'Ludwig Seitz' <ludwig.seitz@ri.se>
Subject: RE: [Ace] comment on draft-ietf-ace-oauth-authz-26

Daniel,

I don’t understand why you want to follow a different specification for the error interactions in this case.  I don’t see any reason not to following [ace-oauth-authz] but using JSON for the errors.

Jim


From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> On Behalf Of Daniel Migault
Sent: Friday, November 22, 2019 10:49 PM
To: Cigdem Sengul <cigdem.sengul@gmail.com<mailto:cigdem.sengul@gmail.com>>
Cc: ace@ietf.org<mailto:ace@ietf.org>; Ludwig Seitz <ludwig.seitz@ri.se<mailto:ludwig.seitz@ri.se>>; Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org<mailto:daniel.migault=40ericsson.com@dmarc.ietf.org>>
Subject: Re: [Ace] comment on draft-ietf-ace-oauth-authz-26

Thank you Ludwig and Cigdem,

I would effectively prefer to have one reference, i.e ace-oauth-authz. I also reviewed the text from ace-oauth-authz and it seems fine. I also guess the text from Cigdem is better, however, ace-oauth-authz provides exceptions for CBOR and CoAP.

OLD
"As described in [ace-oauth-authz] the error responses for JSON-based interactions with AS follow RFC6749. When CBOR is used, the interactions MUST implement [ace-oauth-authz]"

NEW
"As described in [ace-oauth-authz] the error responses for HTTP/JSON-based interactions with AS follow RFC6749. When CBOR or CoAP is used, the interactions MUST implement [ace-oauth-authz]"

Yours,
Daniel

On Thu, Nov 21, 2019 at 5:27 PM Cigdem Sengul <cigdem.sengul@gmail.com<mailto:cigdem.sengul@gmail.com>> wrote:
Hello,

Ludwig, I agree that the current draft describes specifically for when CBOR is used.
When CBOR is not used, I have read it as it will act similar to Section 5.2 of [RFC6749]<https://tools.ietf.org/html/rfc6749#section-5.2> as you have indicated also in the ace-oauth-authz document.

Therefore, instead of an indirect reference to RFC6749 by referencing ace-oauth-authz, we used a direct reference to explain what the error response should be.

Is this problematic? or confusing?

I can reword in mqtt_tls draft something like:
"As described in [ace-oauth-authz] the error responses for JSON-based interactions with AS follow RFC6749. When CBOR is used, the interactions MUST implement [ace-oauth-authz]"

Would that help?

Thanks,
--Cigdem



On Thu, Nov 21, 2019 at 3:06 AM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi Ludwig,

Thanks for the feed back. I was raising the issue before it got forgotten. , and I must say I did not checked whether it had been addressed or not, as I did not remember this had been raised for the ace-oauth-authz document.

What you are saying is that the draft has been updated already. I will have a closer look at it, and ask mqtt-profile to confirm the current text is fine.

Thanks!
Daniel

-----Original Message-----
From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> On Behalf Of Ludwig Seitz
Sent: Thursday, November 21, 2019 10:51 AM
To: ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] comment on draft-ietf-ace-oauth-authz-26

On 21/11/2019 03:29, Daniel Migault wrote:
> Hi,
>
> This only concerns potential clarification of the text.
>
> While reviewing mqtt-profile draft I raised an issue regarding the
> reference for Oauth [RFC6749] while the remaining of the document
> references draft-ietf-ace-oauth-authz [1]. My reading of
> draft-ietf-ace-oauth-authz section 5.6.3
> <https://tools..ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6..3<http://ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>>.
> was the same of the one of mqtt-profile coauthors, that is error
> mandates the use of CBOR. Discussing this with others it seems a mis
> interpretation of  draft-ietf-ace-oauth-authz section 5.6.3
> <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3> [2].
>
> I believe that is nice this is a mis-interpretation, but I would
> recommend that the text makes it more explicit the use of JSON is
> permitted. This seems to me a request to clarify the text.
>
> Yours,
> Daniel
>

I would be happy to add more clarification, but I'm currently at a loss of what that would be. Most of the bullets you cited already modify the MUSTs with "...when CBOR is used" or something similar to the same effect. The idea was to express: You can use the vanilla OAuth interactions based on JSON, but if you use CBOR then do it as specified here.

I am happy to take suggestions.

/Ludwig

> [1]
> """
>
>     In the case of an error, the AS returns error responses for HTTP-
>     based interactions as ASCII codes in JSON content, as defined in
>     Section 5.2 of RFC 6749  <https://tools.ietf.org/html/rfc6749#section-5.2>  [RFC6749  <https://tools.ietf.org/html/rfc6749>].
>
> """
>
> [2]
> """
>
>
>         5.6.3
>         <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>.
>         Error Response
>
>
>
>     The error responses for CoAP-based interactions with the AS are
>     generally equivalent to the ones for HTTP-based interactions as
>     defined inSection 5.2 of [RFC6749]  <https://tools.ietf.org/html/rfc6749#section-5.2>, with the following exceptions:
>
>     o  When using CBOR the raw payload before being processed by the
>        communication security protocol MUST be encoded as a CBOR map.
>
>     o  A response code equivalent to the CoAP code 4.00 (Bad Request)
>        MUST be used for all error responses, except for invalid_client
>        where a response code equivalent to the CoAP code 4.01
>        (Unauthorized) MAY be used under the same conditions as specified
>        inSection 5.2 of [RFC6749]  <https://tools.ietf.org/html/rfc6749#section-5.2>..
>
>     o  The Content-Format (for CoAP-based interactions) or media type
>        (for HTTP-based interactions) "application/ace+cbor" MUST be used
>        for the error response.
>
>     o  The parameters "error", "error_description" and "error_uri" MUST
>        be abbreviated using the codes specified in Figure 12, when a CBOR
>        encoding is used.
>
>     o  The error code (i.e., value of the "error" parameter) MUST be
>        abbreviated as specified in Figure 10, when a CBOR encoding is
>        used.
> /------------------------+-------------\
>
>             | Name                   | CBOR Values |
>             |------------------------+-------------|
>             | invalid_request        |      1      |
>             | invalid_client         |      2      |
>             | invalid_grant          |      3      |
>             | unauthorized_client    |      4      |
>             | unsupported_grant_type |      5      |
>             | invalid_scope          |      6      |
>             | unsupported_pop_key    |      7      |
>             | incompatible_profiles  |      8      |
>             \------------------------+-------------/
>
>             Figure 10: CBOR abbreviations for common error codes
>
>     In addition to the error responses defined in OAuth 2.0, the
>     following behavior MUST be implemented by the AS:
>
>     o  If the client submits an asymmetric key in the token request that
>        the RS cannot process, the AS MUST reject that request with a
>        response code equivalent to the CoAP code 4...00 (Bad Request)
>        including the error code "unsupported_pop_key" defined in
>        Figure 10.
>
>     o  If the client and the RS it has requested an access token for do
>        not share a common profile, the AS MUST reject that request with a
>        response code equivalent to the CoAP code 4...00 (Bad Request)
>        including the error code "incompatible_profiles" defined in
>        Figure 10.
>
> """
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org<mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace
>


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org<mailto:Ace@ietf.org>
https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org<mailto:Ace@ietf.org>
https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email