IETF Logo Mail Archive

Re: [OAUTH-WG] carrying oauth authorisation without HTTP

Justin Richer <jricher@mit.edu> Wed, 29 April 2020 16:45 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB6A3A1415 for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 09:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPcpcAh3jqxH for <oauth@ietfa.amsl.com>; Wed, 29 Apr 2020 09:45:36 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C423A1416 for <oauth@ietf.org>; Wed, 29 Apr 2020 09:45:35 -0700 (PDT)
Received: from [192.168.1.13] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03TGjViI027784 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 29 Apr 2020 12:45:31 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D183B4D-8F32-4D8B-B516-0E6C86EFE37F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 29 Apr 2020 12:45:31 -0400
In-Reply-To: <CAMtgMN2obdnaXQQmUU12hfG3dOvT3H+06jtv7UCNXkxvDKgXdQ@mail.gmail.com>
Cc: oauth@ietf.org, Michael Richardson <mcr@sandelman.ca>
To: Daniel Migault <mglt.biz@gmail.com>
References: <CAMtgMN2obdnaXQQmUU12hfG3dOvT3H+06jtv7UCNXkxvDKgXdQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MaZAe_QBmLG-suHK_4bVgtUwZVk>
Subject: Re: [OAUTH-WG] carrying oauth authorisation without HTTP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 16:45:38 -0000

It depends on what protocol you’re using on the socket connection between the client (the home router) and the RS/AS. You’ll need :someplace: to put the access token. RFC6750 and RFC8705 are explicitly about HTTP so you can’t use them directly, but other work (like that done in the ACE group with OSCORE) map the OAuth concepts to different underlying protocols.

 — Justin

> On Apr 28, 2020, at 10:13 PM, Daniel Migault <mglt.biz@gmail.com> wrote:
> 
> Hi,
> 
> I am completely new to oauth and would like to solicit the WG for advice.
> 
> We are working on the Home Router outsourcing a service in the homenet WG and we are wondering how oauth could be used to improve automation.
> 
> Our scenario is represented in the figure below:
> 
> 1.  The end user connected to the web interface of the Home Router  
> 2. The Home Router redirects the End User to the service provider where the end user register for that service ( AS ).
> 3. The AS providing an authorisation token carried to the RS via the Home Router to the RS.
> 
> The session between the Home router and the RS in our case is not using HTTP but is using TLS. We are wondering if there is a way to carry an authorisation token over a non HTTP session and if RFC8705 "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads in to this direction.
> 
> I am happy to hear any feed back or comments!
> 
> Yours,
> Daniel
> 
> 
>       HTTPS            +-----------+
>    +------------------>|    AS     |<--------------+
>    |                   |           |               |
>    v                   +-----------+               v
> +-------------+ HTTPS  +-----------+    TLS    +---------+
> | User        |<------>|Home Router|<--------->|   RS    |
> |(Web Browser)|        |           |           |         |
> +-------------+        +-----------+           +---------+
> 
> -- 
> Daniel Migault
> Ericsson
> 8400 boulevard Decarie
> Montreal, QC   H4P 2N2
> Canada
> 
> Phone: +1 514-452-2160
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email