Re: [Ace] draft-ietf-ace-oauth-authz-02
Somaraju Abhinav <abhinav.somaraju@tridonic.com> Mon, 10 October 2016 11:41 UTC
Return-Path: <abhinav.somaraju@tridonic.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB9412960C for <ace@ietfa.amsl.com>; Mon, 10 Oct 2016 04:41:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=zgrp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VpsOuUwE4Ben for <ace@ietfa.amsl.com>; Mon, 10 Oct 2016 04:41:07 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0114.outbound.protection.outlook.com [104.47.0.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FEF1129608 for <ace@ietf.org>; Mon, 10 Oct 2016 04:41:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zgrp.onmicrosoft.com; s=selector1-tridonic-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GIt4+Euusu7X3KTyKXFBCPofofjQvULDuF12mLEoLKI=; b=KtLsnvwT0ip9tELccT6IMIkhuzcoocfOGbjKJf/iNjOddQZuN/881xgdksoQ7ald4RoQRF6j8aCMxivSn/xFUMlQubSaXqk2ZPj/We2uFI9YYWHLZ4uuXgtd8IFs1B3JWsEpcZ+JrPoQTJb0tyrZRQ5V1kcc8tWtgkNo65pEUSo=
Received: from DB6PR0601MB2198.eurprd06.prod.outlook.com (10.168.57.139) by DB6PR0601MB2199.eurprd06.prod.outlook.com (10.168.57.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.649.16; Mon, 10 Oct 2016 11:41:03 +0000
Received: from DB6PR0601MB2198.eurprd06.prod.outlook.com ([10.168.57.139]) by DB6PR0601MB2198.eurprd06.prod.outlook.com ([10.168.57.139]) with mapi id 15.01.0649.027; Mon, 10 Oct 2016 11:41:03 +0000
From: Somaraju Abhinav <abhinav.somaraju@tridonic.com>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Re: [Ace] draft-ietf-ace-oauth-authz-02
Thread-Index: AdIi6J7hv4U2h0UYRsWsVuXZNGjOhg==
Date: Mon, 10 Oct 2016 11:41:03 +0000
Message-ID: <DB6PR0601MB21986C821B87D0570E04DE97FCDB0@DB6PR0601MB2198.eurprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=abhinav.somaraju@tridonic.com;
x-originating-ip: [146.108.200.99]
x-ms-office365-filtering-correlation-id: 2e444db0-12fc-4e35-f8b4-08d3f102509a
x-microsoft-exchange-diagnostics: 1; DB6PR0601MB2199; 7:6qnZO52ByxBfn+BBBjfX4G4rrThjl6fO/6jtY/h4Q/FUg2TUS5ICmrVmsDHv/uPsV9bV5OMZJCiN3C6FMGPFMCduntRQDSRdFD7nXBOqATTADMz31Ga9TPDGYDWYdmcZPSN4AShsN26dHwiWknoMXm3gQMyGap0qxx1KVxVmVR4RVaSNtguTxvz23jWPM4curFk6uzr9GU1VCW0Sj/Bg8DeNg060i1Vz3Ob7Y9FsodUgCJUeG4oLoVbWg/tf3NXQsQx7001oaF2ZbaJh3k7t4xR6wmuXQMbNkJDP17XAT5jHst5M8DRkauaXBkigGmkRI9y/x1bNpJtJ4WKP7RquGg2VT7aXQEyC3BJ5y8wb3Zc=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB6PR0601MB2199;
x-microsoft-antispam-prvs: <DB6PR0601MB21997F6E9EDE925C43E10A7CFCDB0@DB6PR0601MB2199.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(271806183753584)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:DB6PR0601MB2199; BCL:0; PCL:0; RULEID:; SRVR:DB6PR0601MB2199;
x-forefront-prvs: 0091C8F1EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(24454002)(377424004)(199003)(8936002)(10400500002)(230783001)(7736002)(6116002)(3846002)(102836003)(586003)(122556002)(11100500001)(2351001)(106356001)(105586002)(2501003)(54356999)(9686002)(50986999)(87936001)(7696004)(101416001)(7846002)(110136003)(92566002)(74316002)(76576001)(5002640100001)(790700001)(5890100001)(8676002)(1730700003)(81166006)(81156014)(107886002)(97736004)(19625215002)(33656002)(4001150100001)(5660300001)(15975445007)(3280700002)(3660700001)(66066001)(2900100001)(86362001)(77096005)(450100001)(6916009)(19300405004)(189998001)(16236675004)(68736007)(2906002)(5630700001)(19580395003)(5640700001); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6PR0601MB2199; H:DB6PR0601MB2198.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: tridonic.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DB6PR0601MB21986C821B87D0570E04DE97FCDB0DB6PR0601MB2198_"
MIME-Version: 1.0
X-OriginatorOrg: tridonic.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2016 11:41:03.2542 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8b206608-a593-4ace-a4b6-ef1fc83c9169
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0601MB2199
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/JQx2smpgsA__gDuox2YPUTlwRCQ>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 11:41:10 -0000
On 2016-10-10 09:02, Somaraju Abhinav wrote: > Hi, I have been looking into this draft, which is very well written, > and I would like a clarification regarding the workflow in figure 1 > of the draft. > > This workflow is a bit different to the typical one I imagine for > constrained clients/servers. Such devices would typically be > provisioned from some kind of a commissioning tool and the tool would > also initiate the provisioning process. Therefore, would it not be > better to have a protocol flow that is not necessarily initiated by > the client device? If I understand you correctly, you are suggesting to provision either the grant or the access token during the commissioning process. Our idea was to use the client credentials grant instead (not shown in our figure 1) and have the AS decide what access tokens to grant purely based on the credentials presented by the client. This way you don't have to provision anything, except for base credentials to a client. The underlying idea is that the RO would configure access control policies at the AS during the commissioning procedure. The AS uses these to determine what kind of access tokens to grant to the client, when it requests one. [AS] Okay. This makes sense. I did not understand this from the text and maybe some clarification in the text could help. For example, in figure 2, how does the client know what to write in the "aud" field. In the Figure 3, the grant_type says "token" and I am not sure how this would work. In general, this Section is a little unclear to me and maybe an example in the Appendix of how a commissioning tool would be used to provision the system might help with the readability of the document. You could of course also provision a long term access token to the client during commissioning (I think we mentioned that somewhere, or at least thought of it), so your proposed option 2 would also be valid, and I think they would work just as well with the rest of the framework. I would suggest to add a step before (A) then, were the RO requests an access token from the AS on behalf of the client. [AS] Okay. This could work but maybe the CoAP server/client interaction needs a little bit more work (e.g. how can the AS initiate an interaction with the client without needing the client to send a GET request). As for option 1, I am not sure what the advantage would be of provisioning a grant to the client as opposed to using the client credentials grant. Could you elaborate on that? [AS] Now that I understand your idea better (i.e. use of client credentials and the fact that the commissioning tool tells the AS the access rights of the client), I don't think Option 2 is required. I was thinking of a situation where the commissioning tool is not permanently available. With Option 2, the commissioning tool could be available during the initial provisioning and during this time it could provide every client with an authorization grant that includes in the "claims" the access rights of the client. This authorization grant could then be used in the token request from client to AS, which then provides the access tokens. ________________________________________________________ The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments.
- Re: [Ace] draft-ietf-ace-oauth-authz-02 Somaraju Abhinav
- [Ace] draft-ietf-ace-oauth-authz-02 Somaraju Abhinav
- Re: [Ace] draft-ietf-ace-oauth-authz-02 Ludwig Seitz