Re: [Ace] attribute based access control
Ludwig Seitz <ludwig@sics.se> Fri, 16 December 2016 08:47 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52F811295BC for <ace@ietfa.amsl.com>; Fri, 16 Dec 2016 00:47:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7dGE7TBM-cEn for <ace@ietfa.amsl.com>; Fri, 16 Dec 2016 00:47:34 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78C7412945D for <ace@ietf.org>; Fri, 16 Dec 2016 00:47:34 -0800 (PST)
Received: by mail-wm0-x22b.google.com with SMTP id a197so22794834wmd.0 for <ace@ietf.org>; Fri, 16 Dec 2016 00:47:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics.se; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=yVM49m6QjRajE3NheIeQXbUuqlX/EBBTxTieYTsVdyw=; b=EunDNNNuZm4zCPiqHVxGe/Fyb/JJ0zREg9OBwtz2mbShlgsaOuXBSTfJGCAosns7IO Cv8ZHKBwO1AU0/smy4VAFxlCkV9CDITuBwUCwskH6n1jWyavYPUI8t4Cpv4xqTTOMefW UtFItWe7WmXkpwDBDxybSUSz5kD8SElobCfGd5nqey4zT3F6GgKOAPzi6o7aBrycx7nR Fl+/Gu1PSzzmvtZ76b6Rs+4YCSvk6PAJrUkhEseeyB5RiW2G2GRr4zEzFqGG0KWAsf2m wqk+mCXFpcyt0IWBZT4AS3IYBYarB9KlcZfODw6/K7lY/QFwnI3IvItRwpZeG3qA7yAT Vkwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=yVM49m6QjRajE3NheIeQXbUuqlX/EBBTxTieYTsVdyw=; b=tKDpy7DUMKfeggewG/YlYLv/raN5WEKJCz+N8EUaqn3gSsMKXOqP1mIDQkpAuch2wb Ml+PwT2FVjlWv1uYghiRajfdekbCn+imdeT3SFF2LQwMvSLrqfG8Bxzlk3Yze8TOYUCP CjMhvroFDuQJfXjfxr0dM+ATKnV8RJTR5EGY0mW0JlpP/aFY11krm7y11sx8gVQ6PGas DK1KRqgVmOBC0Dh1wZWYYtQSqXwSHo8kA4bX2kwwWwvpsH+/eUx3scXMEukRqoj4GHiA fKCQAgbVYmsT6DFFsyz48mNb/ESb5+rSGL73brOjfrlLwaWC56F98jD7SFDcKXAfqbYr sw/w==
X-Gm-Message-State: AKaTC03qTTWpTTiho13JEvDxqJJk35d9yjyafNwsIAlvM2jdEl1azkbNCweueVlbfITsQCOp
X-Received: by 10.25.212.82 with SMTP id l79mr483927lfg.155.1481878052789; Fri, 16 Dec 2016 00:47:32 -0800 (PST)
Received: from [192.168.0.166] ([85.235.12.155]) by smtp.gmail.com with ESMTPSA id u204sm1163892lja.5.2016.12.16.00.47.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Dec 2016 00:47:31 -0800 (PST)
To: ace@ietf.org, rturner@amalfisystems.com
References: <EF55666E-29B1-4AB8-9C54-3A2E5DF73146@amalfisystems.com>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <c58054c0-8e4f-8c3b-82f3-157c9dccbf89@sics.se>
Date: Fri, 16 Dec 2016 09:47:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <EF55666E-29B1-4AB8-9C54-3A2E5DF73146@amalfisystems.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms010501080500090701060102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/gqg-Q1Ud0e1PHSHqES55aKaS_pA>
Subject: Re: [Ace] attribute based access control
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2016 08:47:38 -0000
On 2016-12-16 07:28, Randy Turner wrote: > HI, > > I was looking at draft-ietf-ace-oauth-authz-04, specifically the > client-to-AS section — I am trying to determine if it is possible to > use this OAUTH-based model to implement attribute-based authorization > (ABAC). The client-to-AS section of this draft refers the reader to > section 4 of RFC 6749, which provides a “client-id” (good) and a > “scope” to include in an authorization request. > In addition, it looks like the ACE draft adds to this the “aud” and > “cnf” parameters. > > I’m trying to map this client-to-AS request to a traditional ABAC > authorization request which asks the question “Identity <A> wants to > perform action <B> on resource <C>” … is this allowed ? (allow/deny > response) > > In one of the ACE draft examples, it uses the “aud” field to include > the name of a sensor “tempSensor4711” - this could be the “resource” > of the ABAC request, and the “client ID” (RFC 6749) could be the > “identity” > > I’m missing the type of operation or “action” that the client is > trying to perform on a resource (“read”, “write”, “something else, > hopefully extensible”) — would this be the “scope” parameter ? > > I did see section 8.2 of the draft where it discusses a registry of > parameters which might allow additional parameters to a client-to-AS > request, but I was looking for a way to do ABAC without having to > register anything. > > I’m specifically asking about obtaining an access token to be used > later by a client accessing the actual resource. > > Has anyone tried combining draft-ietf-ace-oauth-authz-04 with ABAC > systems ? Yes I have. My approach is the following: I use the OAuth client credentials grant flow to request an access token, and then I use an XACML engine internally on the AS to decide on access token requests base on the client's credentials and the "scope" and "aud" parameters of the access token request. When it comes to extracting an action and a resource from an access token request, my understanding is that the scope parameter actually gives you both in an application specific way. If you look at the examples of how scope is used in https://www.brandur.org/oauth-scope you can see that e.g. LinkedIn uses some kind of capability-like format for their scope parameters (r_basicprofile r_emailaddress rw_groups w_messages). Thus you could extract the action and the resource from scope with an application specific processing module. You could also have a look at https://tools.ietf.org/html/draft-bormann-core-ace-aif-03 which defines a CoAP specific capability format. I was considering to use that as values for the scope in CoAP-specific scenarios. I would be happy to hear your take on this and discuss the issue in more detail. Regards, Ludwig -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park, Building Beta 2 Scheelevägen 17, SE-223 70 Lund Phone +46(0)70-349 92 51 The RISE institutes SP, Swedish ICT and Innventia are merging in order to create a unified institute sector and become a stronger innovation partner for businesses and society. At the end of the year we will change our name to RISE. Read more at www.ri.se/en/about-rise
- [Ace] attribute based access control Randy Turner
- Re: [Ace] attribute based access control Ludwig Seitz
- Re: [Ace] attribute based access control Randy Turner