Re: [OAUTH-WG] carrying oauth authorisation without HTTP

Daniel Migault <mglt.ietf@gmail.com> Wed, 29 April 2020 17:57 UTC

References: <4EC0BF76-4745-40AC-BF22-3BA29B3DD3DC@mit.edu> <AE2D3343-6CE9-45CA-A586-13969457473F@forgerock.com>
In-Reply-To: <AE2D3343-6CE9-45CA-A586-13969457473F@forgerock.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 29 Apr 2020 13:56:59 -0400
Message-ID: <CADZyTkk8K7kh+R4tH39M0qfD9FfsMpxg2qfvf7KzYoUUONCm+A@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Justin Richer <jricher@mit.edu>, oauth@ietf.org, Michael Richardson <mcr@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hXenXDwtbMIVuBFZZI5rA2ykGAU>
Subject: Re: [OAUTH-WG] carrying oauth authorisation without HTTP

Thanks for the feedback. I have the impression that in our case, SASL
might not be viable as our primary communication is DNS over TLS. But that
is good to know anyway.

Yours,
Daniel

On Wed, Apr 29, 2020 at 12:54 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> There is also https://tools.ietf.org/html/rfc7628
>
> On 29 Apr 2020, at 17:45, Justin Richer <jricher@mit.edu> wrote:
>
> It depends on what protocol you’re using on the socket connection between
> the client (the home router) and the RS/AS. You’ll need :someplace: to put
> the access token. RFC6750 and RFC8705 are explicitly about HTTP so you
> can’t use them directly, but other work (like that done in the ACE group
> with OSCORE) maps the OAuth concepts to different underlying protocols.
>
>  — Justin
>
> On Apr 28, 2020, at 10:13 PM, Daniel Migault <mglt.biz@gmail.com> wrote:
>
> Hi,
>
> I am completely new to oauth and would like to solicit the WG for advice.
>
> We are working on the Home Router outsourcing a service in the homenet WG
> and we are wondering how oauth could be used to improve automation.
>
> Our scenario is represented in the figure below:
>
> 1. The end user connects to the web interface of the Home Router.
> 2. The Home Router redirects the End User to the service provider where
> the end user registers for that service (AS).
> 3. The AS provides an authorisation token that is carried via the Home
> Router to the RS.
>
> The session between the Home Router and the RS in our case is not using
> HTTP but is using TLS. We are wondering if there is a way to carry an
> authorisation token over a non-HTTP session and if RFC8705 "OAuth 2.0
> Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads
> in this direction.
>
> I am happy to hear any feedback or comments!
>
> Yours,
> Daniel
>
>
>       HTTPS            +-----------+
>    +------------------>|    AS     |<--------------+
>    |                   |           |               |
>    v                   +-----------+               v
> +-------------+ HTTPS  +-----------+    TLS    +---------+
> | User        |<------>|Home Router|<--------->|   RS    |
> |(Web Browser)|        |           |           |         |
> +-------------+        +-----------+           +---------+
>
> --
> Daniel Migault
> Ericsson
> 8400 boulevard Decarie
> Montreal, QC   H4P 2N2
> Canada
>
> Phone: +1 514-452-2160
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Daniel Migault
Ericsson
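A worked encoding of the RFC 7628 OAUTHBEARER exchange that Neil points to (the SASL way of carrying a bearer token over a non-HTTP connection), as an added example that is not code from the thread or from any of its participants. The token value and the VALID_TOKENS table are constructed stand-ins for a real AS introspection step, and the server side only shows the failure path's base64 JSON, not the SASL outcome messages of the carrier protocol.

```python
"""RFC 7628 OAUTHBEARER: build, parse and check the initial client response."""
import base64
import json
import re

KVSEP = "\x01"  # RFC 7628 kvsep: one 0x01 byte terminates every key=value pair
# Constructed stand-in for token introspection at the AS (assumption).
VALID_TOKENS = {
    "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29t": {"sub": "user@example.com", "scope": "example_scope"},
}


def build_client_response(token, authzid=None, host=None, port=None):
    """client-resp = gs2-header kvsep *kvpair kvsep; "n" = no channel binding."""
    gs2 = "n," + (f"a={authzid}" if authzid else "") + ","
    pairs = [f"host={host}"] if host else []
    if port:
        pairs.append(f"port={port}")
    pairs.append(f"auth=Bearer {token}")  # "auth" is the only mandatory pair
    return gs2 + KVSEP + "".join(p + KVSEP for p in pairs) + KVSEP


def parse_client_response(msg):
    """Return (authzid or None, {key: value}); raise ValueError on malformed input."""
    gs2, sep, rest = msg.partition(KVSEP)
    m = re.fullmatch(r"(n|y|p=[A-Za-z0-9.\-]+),(?:a=([^,\x01]+))?,", gs2)
    if not sep or not m:
        raise ValueError("bad gs2-header")
    if m.group(1).startswith("p="):
        raise ValueError("channel binding not supported here")
    if not rest.endswith(KVSEP + KVSEP):  # last pair's kvsep plus the final kvsep
        raise ValueError("missing terminating kvsep")
    kv = {}
    for pair in rest[:-2].split(KVSEP):
        key, eq, value = pair.partition("=")
        if not eq or not re.fullmatch(r"[A-Za-z]+", key) or key in kv:
            raise ValueError(f"bad kvpair: {pair!r}")
        kv[key] = value
    if "auth" not in kv:
        raise ValueError("auth pair is mandatory")
    return m.group(2), kv


def failure_response(status):
    """Server failure message: base64 JSON; the client must answer with a lone kvsep."""
    body = {"status": status, "scope": "example_scope"}
    return base64.b64encode(json.dumps(body, separators=(",", ":")).encode()).decode()


def server_handle(msg):
    """Return ("ok", claims) or ("fail", failure message) for one client response."""
    try:
        authzid, kv = parse_client_response(msg)
    except ValueError:
        return "fail", failure_response("invalid_request")
    m = re.fullmatch(r"[Bb]earer +(\S+)", kv["auth"])
    claims = VALID_TOKENS.get(m.group(1)) if m else None
    # A requested authzid must match the token's subject, or the server rejects it.
    if claims is None or (authzid and authzid != claims["sub"]):
        return "fail", failure_response("invalid_token")
    return "ok", claims
```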