[OAUTH-WG] carrying oauth authorisation without HTTP

Daniel Migault <mglt.biz@gmail.com> Wed, 29 April 2020 02:14 UTC

From: Daniel Migault <mglt.biz@gmail.com>
Date: Tue, 28 Apr 2020 22:13:58 -0400
Message-ID: <CAMtgMN2obdnaXQQmUU12hfG3dOvT3H+06jtv7UCNXkxvDKgXdQ@mail.gmail.com>
To: oauth@ietf.org
Cc: Michael Richardson <mcr@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZIv9pqqd7OlG2hXYPa1ZmETL5fk>

Hi,

I am completely new to OAuth and would like to solicit the WG for advice.

We are working on the Home Router outsourcing a service in the homenet WG
and we are wondering how OAuth could be used to improve automation.

Our scenario is represented in the figure below:

1. The end user connects to the web interface of the Home Router.
2. The Home Router redirects the End User to the service provider, where the
end user registers for that service (AS).
3. The AS provides an authorisation token that is carried to the RS via the
Home Router.

The session between the Home Router and the RS in our case is not using
HTTP but is using TLS. We are wondering if there is a way to carry an
authorisation token over a non-HTTP session and if RFC8705 "OAuth 2.0
Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads
into this direction.

I am happy to hear any feedback or comments!

Yours,
Daniel


      HTTPS            +-----------+
   +------------------>|    AS     |<--------------+
   |                   |           |               |
   v                   +-----------+               v
+-------------+ HTTPS  +-----------+    TLS    +---------+
| User        |<------>|Home Router|<--------->|   RS    |
|(Web Browser)|        |           |           |         |
+-------------+        +-----------+           +---------+

-- 
Daniel Migault
Ericsson
8400 boulevard Decarie
Montreal, QC   H4P 2N2
Canada

Phone: +1 514-452-2160
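The question above is whether an access token issued by the AS can be carried over a plain TLS session (rather than HTTP) between the Home Router and the RS, and whether RFC 8705 certificate binding applies. The following is an added example, not part of the original message or of any homenet or OAuth WG draft: it shows the check the RS would perform once it has received a token inside whatever application-protocol message the TLS session carries. The binding itself is the RFC 8705 `cnf` / `x5t#S256` claim, the base64url-encoded SHA-256 of the DER client certificate that the RS sees on the TLS connection. Everything else is an assumption made to keep the example self-contained: the AS and RS share an HMAC key (HS256) instead of the AS signing with an asymmetric key, the issuer and audience URLs are placeholders, and the two "certificates" are constructed byte strings standing in for real DER certificates.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded client certificates. In a real RS the
# bytes come from the TLS layer, e.g. ssl.SSLSocket.getpeercert(binary_form=True)
# on a server-side socket created with verify_mode = ssl.CERT_REQUIRED.
HOME_ROUTER_CERT_DER = b"\x30\x82\x01\x00constructed-home-router-cert-not-real-DER"
OTHER_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-other-client-cert-not-real-DER"

# Assumed shared secret between AS and RS (simplification: a real AS would sign
# with a private key and the RS would verify with the AS public key).
SHARED_KEY = b"constructed-shared-secret-for-example-only"
RS_AUDIENCE = "https://rs.example"  # placeholder audience identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER certificate)), no padding."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(key: bytes, client_cert_der: bytes, aud: str, now: int, ttl: int = 600) -> str:
    """AS side: mint an HS256 JWT whose cnf claim binds it to the client certificate."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {
        "iss": "https://as.example",  # placeholder issuer
        "aud": aud,
        "iat": now,
        "exp": now + ttl,
        "scope": "homenet:outsource",  # assumed scope name
        "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_bound_token(key: bytes, token: str, peer_cert_der: bytes, expected_aud: str, now: int) -> dict:
    """RS side: check signature, audience, expiry, then the certificate binding.

    Returns the claims on success and raises ValueError with the reason otherwise.
    The token is accepted only when presented over a TLS session whose client
    certificate hashes to the thumbprint the AS put in cnf.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected_sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        raise ValueError("token is not certificate-bound")
    if not hmac.compare_digest(bound, cert_thumbprint(peer_cert_der)):
        raise ValueError("token not bound to the presenting client certificate")
    return claims


def demo(now: int = 1588126449) -> tuple:
    """Issue a token for the Home Router, then show the RS accepting it from the
    bound certificate and rejecting the same token from a different certificate."""
    token = issue_token(SHARED_KEY, HOME_ROUTER_CERT_DER, RS_AUDIENCE, now)
    accepted = verify_bound_token(SHARED_KEY, token, HOME_ROUTER_CERT_DER, RS_AUDIENCE, now + 10)
    try:
        verify_bound_token(SHARED_KEY, token, OTHER_CLIENT_CERT_DER, RS_AUDIENCE, now + 10)
        rejection = None
    except ValueError as err:
        rejection = str(err)
    return accepted["scope"], rejection


if __name__ == "__main__":
    print(demo())
```

The important design point for the non-HTTP case is that the transport carrying the token does not matter to the check: the RS needs the token bytes from its application protocol and the peer certificate from the TLS handshake, and the `cnf` comparison ties the two together. Without the binding a token copied out of one session could be replayed from any other client that reaches the RS; with it, the RS rejects the replay in the last branch of `verify_bound_token`.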