Re: [OAUTH-WG] carrying oauth authorisation without HTTP
Daniel Migault <mglt.ietf@gmail.com> Wed, 29 April 2020 17:40 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 387BB3A14BC for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 10:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iSXEGqcyU9HY for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 10:40:26 -0700 (PDT)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5FA63A14BD for <oauth@ietf.org>; Wed, 29 Apr 2020 10:40:25 -0700 (PDT)
Received: by mail-vs1-xe31.google.com with SMTP id e22so1957430vsa.12 for <oauth@ietf.org>; Wed, 29 Apr 2020 10:40:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=laOID5qgKnZFu0QSXqnthqxcZMs1FXNFsCgG/6P/Hzg=; b=rVvphk2iS8Neh3wZTXawRn1AlF6nIX475Ur0h4eYyJTg5AKJI5cS1+mQaZKvXPi7Lk LwJOo1rsX5qyy9vTBl0toUr7AxmM2v96rTih+PjV25brzp5HA870ScrDaw0F4ZqiOvA6 Zy5BvDyvYzhtso+ydmIatUMP8/n0vtMm7kkuQmUa2b7IKCUeN5f76MDq9daKEHg2OaSt VOz2+mkbP87HNC0rZwAcp0cvwK/8GZVCNQU6b4cCReoQIoRcLl0N+DgIK0oBT7sWaP6o OBvmP/O2nktt7uwoWMi4C80J7zSU7ffk6REfquVj0TkvqXhK7ZKDoVuIYw2GOll94Lk7 Goig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=laOID5qgKnZFu0QSXqnthqxcZMs1FXNFsCgG/6P/Hzg=; b=oltVhtai9wU0W/VZoQk2hvn8zXbsVqlr7FQ0wd73BabEgUkx1tA3Rz9MfQcMhy0yJd DBNURYznYqi4cSriOJ+2FyOO42uzqm3+xr7K4FFvPJC6N4a690bg53oUjQGlRI8bgXvv EAcCZBuHaYeF+biASowDF/q61fhSgyG9jJToCnWqoFEpN3iXCXLwxsxXrD60Vdnok3Jm vfLGji8VMr7K6z4TybobrV/MWAxgT1kGvea6AkdctokpzXqRcGKRsQF0DZqS5iMn49Ff PZEdn9xn+boXd+Hx/4THvnasQYuG6yWZRcTHdn04vb/pKqg9oWbiRMx+A+RyUDT6FSJZ XohA==
X-Gm-Message-State: AGi0PuagZYoktD2XrU30fpkaBDrjs8GtqTIhg+T2jRnHUP+B8+QjkAwh lCj+PTMilaje6x2VeHf7wLsy+JSnlLFYHKXPXPU=
X-Google-Smtp-Source: APiQypI6t05x5z1C5KDdyh4uidlwXhEAKueKhuO2Fy4NqvX8YEoteyMTU+1o1sJHYbpojSKJnczVsjKUdpnodgdNd1s=
X-Received: by 2002:a05:6102:208f:: with SMTP id h15mr2727119vsr.69.1588182024918; Wed, 29 Apr 2020 10:40:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAMtgMN2obdnaXQQmUU12hfG3dOvT3H+06jtv7UCNXkxvDKgXdQ@mail.gmail.com> <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu>
In-Reply-To: <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 29 Apr 2020 13:40:13 -0400
Message-ID: <CADZyTk=2pdV6G+sM2raqLEVenfAG3R-VSqCYmWE236zPLeoZsA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Daniel Migault <mglt.biz@gmail.com>, oauth@ietf.org, Michael Richardson <mcr@sandelman.ca>
Content-Type: multipart/alternative; boundary="0000000000006f1e2605a47171b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JdJK3TiHyXBxZiJIMfrSZTZSqyM>
Subject: Re: [OAUTH-WG] carrying oauth authorisation without HTTP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 17:40:29 -0000
Thanks for the feed back. So in our case the communication between the Home router and the RS is DNS over TLS, so no HTTP, CoAP. We do not have hard constraint over the protocol being used between the Home Router and the AS. Currently there is no such communication. One possible solution would be to have the Home Router using a mutual TLS authentication to provide its certificate which is then passed to the RS. Yours, Daniel On Wed, Apr 29, 2020 at 12:45 PM Justin Richer <jricher@mit.edu> wrote: > It depends on what protocol you’re using on the socket connection between > the client (the home router) and the RS/AS. You’ll need :someplace: to put > the access token. RFC6750 and RFC8705 are explicitly about HTTP so you > can’t use them directly, but other work (like that done in the ACE group > with OSCORE) map the OAuth concepts to different underlying protocols. > > — Justin > > On Apr 28, 2020, at 10:13 PM, Daniel Migault <mglt.biz@gmail.com> wrote: > > Hi, > > I am completely new to oauth and would like to solicit the WG for advice. > > We are working on the Home Router outsourcing a service in the homenet WG > and we are wondering how oauth could be used to improve automation. > > Our scenario is represented in the figure below: > > 1. The end user connected to the web interface of the Home Router > 2. The Home Router redirects the End User to the service provider where > the end user register for that service ( AS ). > 3. The AS providing an authorisation token carried to the RS via the Home > Router to the RS. > > The session between the Home router and the RS in our case is not using > HTTP but is using TLS. We are wondering if there is a way to carry an > authorisation token over a non HTTP session and if RFC8705 "OAuth 2.0 > Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads > in to this direction. > > I am happy to hear any feed back or comments! > > Yours, > Daniel > > > HTTPS +-----------+ > +------------------>| AS |<--------------+ > | | | | > v +-----------+ v > +-------------+ HTTPS +-----------+ TLS +---------+ > | User |<------>|Home Router|<--------->| RS | > |(Web Browser)| | | | | > +-------------+ +-----------+ +---------+ > > -- > Daniel Migault > Ericsson > 8400 boulevard Decarie > Montreal, QC H4P 2N2 > Canada > > Phone: +1 514-452-2160 > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Daniel Migault Ericsson
- [OAUTH-WG] carrying oauth authorisation without H… Daniel Migault
- Re: [OAUTH-WG] carrying oauth authorisation witho… Justin Richer
- Re: [OAUTH-WG] carrying oauth authorisation witho… Neil Madden
- Re: [OAUTH-WG] carrying oauth authorisation witho… Daniel Migault
- Re: [OAUTH-WG] carrying oauth authorisation witho… Daniel Migault