Re: [Ace] Questions on draft-ietf-ace-oauth-authz
Ludwig Seitz <ludwig@sics.se> Wed, 15 February 2017 08:41 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CB1D1294CD for <ace@ietfa.amsl.com>; Wed, 15 Feb 2017 00:41:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pbg8AhqkIXG8 for <ace@ietfa.amsl.com>; Wed, 15 Feb 2017 00:41:30 -0800 (PST)
Received: from mail-lf0-x22e.google.com (mail-lf0-x22e.google.com [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6330B128AC9 for <ace@ietf.org>; Wed, 15 Feb 2017 00:41:30 -0800 (PST)
Received: by mail-lf0-x22e.google.com with SMTP id n124so77532061lfd.2 for <ace@ietf.org>; Wed, 15 Feb 2017 00:41:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics.se; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=zVWtMUsGIVSLxttPYmz8rG4aYAluXVM2Mr5VxEVRc7Q=; b=cJzPz2yxJU17Jp7DfIQPgmxJ17EScFlhTgo2E0mFsQ3hlVV4vJh9wBDkPa/0ljRkjE KRb9hEljI+KGcNpbyYPxvdkDrUfD9xmvT863DxvRIKVtneSRroQLI3PLiCsYH4Jol08N Dkvi3Wy6Xy6iUqPREd2/cpFgU6ZQMioBathiqLR9VO8vAy80OBJFlGtb6xEn3oeIUra5 /ksMaAGRWKmiI7GGNSZO9NMvBTcg4fx4EKPX0uozFo9GVe/lKK3femzB675FBqwUDsaO 9zTVvgWrD0RXJ6J2TQDnLlR6YKDy8h69G4vENLpZ1y0jH4kWj1qtNueBFGHBB8gSVAWy kosA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=zVWtMUsGIVSLxttPYmz8rG4aYAluXVM2Mr5VxEVRc7Q=; b=gt7PEwsAGyQRlVKLPwhDlEWjCVUDXKgU7AWXfvGXkrkwVhT5SgGjA0ABi7k76DWdtE VJYiDK2O3omIv+tAsSIC9RZ/boZmZsl1hAgkRv6TSN7XE9gItITPm3IHciVHUHYuq4gz 87uCRxYheZfpBnk1Z2eZbI97bMjtuhbliY+ablesfj57EtO3tGyV8eAmNgNBfh+t+ESG CC2HGno4sKPNcYaAtaj+MX3YeLM+/CUIRvOBvd0qQ2t7T5AWcfBschlvze9O/fXLIkSx IpOHaFULsQHMi8vYv2aS+vxTHlC6HynFYJQZP6y4FQuxq7JvRLLCo6t8MR93GqNPw+G1 xh4Q==
X-Gm-Message-State: AMke39kd9esFsC3GYlyLTGgLSEzltXtIp8SchViKkfXgLUlZAyhvFRoDY8W4uzHyJ5AhOYXt
X-Received: by 10.25.208.20 with SMTP id h20mr11543822lfg.150.1487148088085; Wed, 15 Feb 2017 00:41:28 -0800 (PST)
Received: from [192.168.0.166] ([85.235.12.155]) by smtp.gmail.com with ESMTPSA id 9sm762349ljp.45.2017.02.15.00.41.27 for <ace@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Feb 2017 00:41:27 -0800 (PST)
To: ace@ietf.org
References: <101001d28712$aaaab140$000013c0$@augustcellars.com>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <62bf6f54-bd0e-0371-0431-845d49d2c394@sics.se>
Date: Wed, 15 Feb 2017 09:41:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <101001d28712$aaaab140$000013c0$@augustcellars.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020202050701000908060402"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/oDZefXzdb4TrHnjWE1fv49mh0rk>
Subject: Re: [Ace] Questions on draft-ietf-ace-oauth-authz
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2017 08:41:33 -0000
On 2017-02-14 23:35, Jim Schaad wrote: > In going through and starting to map out how an implementation would work, I > have started getting some questions. > > 1. What is the difference between scope and audience, and is there an > expected way that these values would relate to a CoAP URI? From OAuth, I > would have generally expected scope to identify one or more resources to be > accessed. However, this document requires that an audience either be > explicit or implicit and thus identifying things just by scope would not > work. Scope and audience are (intentionally) defined very vaguely by OAuth 2.0. The intention is that audience should identify the recipients of the access token. It is originally defined in RFC 7519 section 4.1.3. Scope is "defined" in section 3.3. of RFC 6749. It is used in a variety of ways as nicely demonstrated here: https://www.brandur.org/oauth-scope. I mostly interpret it as identifying a set of resources and actions that can be performed on these resources, i.e. as a sort of capability list (a bit like LinkedIn uses it). I was thinking of using some variant of the format Carsten suggested here: https://tools.ietf.org/html/draft-bormann-core-ace-aif-03 for scopes, but I've not fully evaluated the pros and cons of that idea. I have no strong opinion on the requirement of having an explicit or implicit audience, I just thought it made sense the way audience and scope were defined (i.e. I got the impression that scope was not intended to cover audience). > > My basic expectation is that the scope and audience would normally be copied > into the access token after doing grant evaluation. This means that we are > looking at three different entities that need to be able to understand how > things fields interact. Indeed the client and the RS need to know the meaning of the scopes and audiences relevant for them. The AS just needs to know which audiences and scopes it is allowed to grant to a client, it doesn't need to understand the semantics behind those values. > >>From my reading an audience could be anything from a host name to a full URI > or even a group name depending on the application being processed. Is this > correct? That is also my interpretation. > > 2. When a cnf is sent as part of a request, are there any plans for the > ability to do a POP as part of this being thought about? If not, is the > expectation that one would only offer an asymmetric key in a cnf if it had > already be provided to the AS? > The use of cnf in a request by the client (to the /token endpoint) is to indicate a key, the client whishes to use as proof-of-possession key towards the RS. The AS is expected to use this cnf for the access token. For example: C -----{cnf="myPublicKey" ...}-----> AS <---CWT={cnf="myPublicKey" ...}--- /Ludwig -- Ludwig Seitz, PhD Security Lab, RISE ICT/SICS Phone +46(0)70-349 92 51
- Re: [Ace] Questions on draft-ietf-ace-oauth-authz Ludwig Seitz
- [Ace] Questions on draft-ietf-ace-oauth-authz Jim Schaad