Re: [OAUTH-WG] carrying oauth authorisation without HTTP

Neil Madden <neil.madden@forgerock.com> Wed, 29 April 2020 16:54 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 895F33A1437 for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 09:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3c02A2q7BXn for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 09:54:24 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B6A23A1432 for <oauth@ietf.org>; Wed, 29 Apr 2020 09:54:18 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id i10so3383419wrv.10 for <oauth@ietf.org>; Wed, 29 Apr 2020 09:54:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=ZXb/500ybxLAovffzh0DKWJPCC92Itq+l8DgwRGIISc=; b=CeEXyEOL71vc3kqyS2+Od3hL1PLbs7s3kzqekZBP4PrS4iVzIUhJEPHudb5WRC5AJ6 r//hJET1XQZAm2SI9c2vke4/60qHBCmPUrCve1nR384Dbgj7gXrP6wG/pJVFlvCNehfX FWsWpvYtb5YIFipee+E1FaloiXSrMWwTzEILI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=ZXb/500ybxLAovffzh0DKWJPCC92Itq+l8DgwRGIISc=; b=FCE9SXh2HzUjLdN+Ln1Pa4FBhAEYFAodipfybLw5VrnLcxiD3uJpfR72NcHLO2fytQ yU8M3iYWJzIqJOMAEEJU2PxRQcNQNn3cIWJuryHCJjLj3ORqiQlBOKvvh/FwP8pp76ly rIPh378ZuJpc5mtyu0H78tbhkHI6KiPXzTejUtg+HV5jYy/IneK+mTSzl6s2TYbB/UCS w8G7AM0LwfizS6nkgJ7TzFqZ5A/gOQbLuGNwvCwiYa/n9ERsWaD7zU6nMhxbt+L1HN3S ZPyh6k3HRf9LVCvTifnF+h/FIbJ6br1C2UoxEC3JMyPO6PzAafmj+5ARZlBRVhuhvsHy aShw==
X-Gm-Message-State: AGi0PuZZISfrgAq4xCj6sgzJ/Buu1hlPJ9i0bXO0svqtOnmecjSs+swt mbMJ9sEbM9zMIKGS7j7LDYwj1w==
X-Google-Smtp-Source: APiQypLbl6TFfyIMKnlekHZD7UXFMR5v3W6XyLmZanIl9WSojyal9ka4bQovCdcsaqFV9NI7pgxf1A==
X-Received: by 2002:a5d:4dcb:: with SMTP id f11mr39510034wru.174.1588179256858; Wed, 29 Apr 2020 09:54:16 -0700 (PDT)
Received: from [10.0.0.3] (193.207.159.143.dyn.plus.net. [143.159.207.193]) by smtp.gmail.com with ESMTPSA id a1sm31341106wrn.80.2020.04.29.09.54.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Apr 2020 09:54:16 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-82CD2DA4-E836-472B-A7EB-453F6E99EC99
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 29 Apr 2020 17:54:14 +0100
Message-Id: <AE2D3343-6CE9-45CA-A586-13969457473F@forgerock.com>
References: <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu>
Cc: Daniel Migault <mglt.biz@gmail.com>, oauth@ietf.org, Michael Richardson <mcr@sandelman.ca>
In-Reply-To: <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: iPhone Mail (17D50)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7HMNRRIzmnGjLtn2Xr382Ru0HTg>
Subject: Re: [OAUTH-WG] carrying oauth authorisation without HTTP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 16:54:27 -0000

There is also https://tools.ietf.org/html/rfc7628

> On 29 Apr 2020, at 17:45, Justin Richer <jricher@mit.edu> wrote:
> 
> It depends on what protocol you’re using on the socket connection between the client (the home router) and the RS/AS. You’ll need :someplace: to put the access token. RFC6750 and RFC8705 are explicitly about HTTP so you can’t use them directly, but other work (like that done in the ACE group with OSCORE) map the OAuth concepts to different underlying protocols.
> 
>  — Justin
> 
>> On Apr 28, 2020, at 10:13 PM, Daniel Migault <mglt.biz@gmail.com> wrote:
>> 
>> Hi,
>> 
>> I am completely new to oauth and would like to solicit the WG for advice.
>> 
>> We are working on the Home Router outsourcing a service in the homenet WG and we are wondering how oauth could be used to improve automation.
>> 
>> Our scenario is represented in the figure below:
>> 
>> 1.  The end user connected to the web interface of the Home Router  
>> 2. The Home Router redirects the End User to the service provider where the end user register for that service ( AS ).
>> 3. The AS providing an authorisation token carried to the RS via the Home Router to the RS.
>> 
>> The session between the Home router and the RS in our case is not using HTTP but is using TLS. We are wondering if there is a way to carry an authorisation token over a non HTTP session and if RFC8705 "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads in to this direction.
>> 
>> I am happy to hear any feed back or comments!
>> 
>> Yours,
>> Daniel
>> 
>> 
>>       HTTPS            +-----------+
>>    +------------------>|    AS     |<--------------+
>>    |                   |           |               |
>>    v                   +-----------+               v
>> +-------------+ HTTPS  +-----------+    TLS    +---------+
>> | User        |<------>|Home Router|<--------->|   RS    |
>> |(Web Browser)|        |           |           |         |
>> +-------------+        +-----------+           +---------+
>> 
>> -- 
>> Daniel Migault
>> Ericsson
>> 8400 boulevard Decarie
>> Montreal, QC   H4P 2N2
>> Canada
>> 
>> Phone: +1 514-452-2160
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth