IETF Logo Mail Archive

Re: [sipcore] A SIP OAuth use case

"Peterson, Jon" <jon.peterson@neustar.biz> Tue, 07 October 2014 23:01 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF1FA1A8A4F for <sipcore@ietfa.amsl.com>; Tue, 7 Oct 2014 16:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.067
X-Spam-Level:
X-Spam-Status: No, score=-99.067 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6A4JaSR2Elz for <sipcore@ietfa.amsl.com>; Tue, 7 Oct 2014 16:01:48 -0700 (PDT)
Received: from mx0a-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 547461A86F9 for <sipcore@ietf.org>; Tue, 7 Oct 2014 16:01:48 -0700 (PDT)
Received: from pps.filterd (m0049376.ppops.net [127.0.0.1]) by m0049376.ppops.net-0018ba01. (8.14.7/8.14.7) with SMTP id s97MoCNK010230; Tue, 7 Oct 2014 19:01:44 -0400
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by m0049376.ppops.net-0018ba01. with ESMTP id 1pvnq90ed5-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 07 Oct 2014 19:01:43 -0400
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.97]) by stntexhc10.cis.neustar.com ([169.254.4.83]) with mapi id 14.03.0158.001; Tue, 7 Oct 2014 19:01:41 -0400
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [sipcore] A SIP OAuth use case
Thread-Index: AQHPvtLmZYbTlD+FuE+zMNKWASQKqZvhvfeAgAAwjgCADcUOgIABvEuAgAAP2QCADliiAIACroIAgAMzZQCAH5scAA==
Date: Tue, 07 Oct 2014 23:01:41 +0000
Message-ID: <D059A86A.134723%jon.peterson@neustar.biz>
References: <10D4F263-37CF-4A74-8F23-EBA9E5010E02@mvryan.org> <CAGL6ep+sc7DKcSF5gXDcGtX5oVMt1-=1w9JMsa1OQJb1AtCrkw@mail.gmail.com> <53FB83FA.8010101@alum.mit.edu> <D020D401.12E169%jon.peterson@neustar.biz> <CAGL6epKSipp6PiHnsC7i9iQKdkss3v0y2CZH4T+zt0Bmh2WRxQ@mail.gmail.com> <D02E41DF.131993%jon.peterson@neustar.biz> <CAGL6epJrS7H+t-CmoW4--MZcsPQJ4em2g2ZiTradLLJEcJEs-A@mail.gmail.com> <D03C75E8.133DCF%jon.peterson@neustar.biz> <CAGL6epJV=00VSba5mUZ2Oi_VpQKQgMA1ddqeRv5aq3wT9fOQbg@mail.gmail.com>
In-Reply-To: <CAGL6epJV=00VSba5mUZ2Oi_VpQKQgMA1ddqeRv5aq3wT9fOQbg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [192.168.128.186]
Content-Type: multipart/alternative; boundary="_000_D059A86A134723jonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=nai engine=5600 definitions=7584 signatures=670543
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 kscore.is_bulkscore=9.76996261670138e-15 kscore.compositescore=0 circleOfTrustscore=0 compositescore=0.993311949948012 urlsuspect_oldscore=0.993311949948012 suspectscore=0 recipient_domain_to_sender_totalscore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=0 rbsscore=0.993311949948012 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1410070214
Archived-At: http://mailarchive.ietf.org/arch/msg/sipcore/5kR5NzlCeQpbdw_QOuMhwkJ-rCE
Cc: "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] A SIP OAuth use case
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Oct 2014 23:01:55 -0000

I know I've owed you a response to this one for a while... Still just trying to understand the requirements.

I suspect that application services in the enterprise, the ones that you worry about maintaining ACLs, don't get to avoid having "a separate user directory" so easily. A classic voicemail service, for example, needs to keep voicemails for Alice separate from Bob - that's why typically it authenticates who Alice and Bob are. Such a service must have effectively a "directory" of separate users that effectively implies ACLs.

Now if, as you say:

> The application server needs the following pieces of information about each user:
> 1. ID and credentials
> 2. User profile to control the level of service provided to the user.

What is your app server using that ID and credentials for, if not to compare to something that is effectively an ACL - like, to prevent Alice from getting Bob's voicemail? My point earlier was that if all you care about is showing that someone is Alice or Bob (or just that they're an authenticated user and it doesn't matter who), then a solution to the requirements could look very similar to RFC4474 or STIR: you just need authentication, not authorization, and calling it authorization is just confusing the issue.

But, there's a different approach here, one where a service doesn't need to know IDs or credentials or anything about users. This is an approach where I just get a token from an authorization service, and hand that token to the app service, and the app service uses that token *instead of* my ID or credentials or any personal profile about me. I can imagine a very odd voicemail service that, rather than putting messages into buckets for Alice and Bob, put them all into one generic bucket - and then an outside authorization service kept track of the fact that messages 2, 17, and 109 are for Alice. When Alice requests access to her voicemail from the authorization service, it gives her a token that proves to the voicemail service that she is allowed to access only messages 2, 17, and 109, and she can only do it in the next five minutes, say, to prevent capture and replay. The voicemail service then has no idea who she is or who those messages are for, it just ponies them up. If *that* is what you said above, at least I would understand why you want to use OAuth - it would be a terrible architecture (the authZ service keeps track of those messages how exactly?), but at least this is what OAuth is for. The architectures make more sense with third parties.

A third approach would be problems we looked at as "trait-based" authorization problems. The classic example is where for some service, perhaps it matters whether Alice is in the Engineering department or the Finance department, rather than who Alice is exactly. Maybe those're the sort of elements you mean by "user profile." We did a whole requirements process years ago on "trait-based" authorization mechanisms intended to satisfy cases like this: see RFC4484. You'll note it shows architectures where a SIP endpoints point by-reference to HTTP objects that contain authorization policy elements like such "traits." There are a bunch of solutions for that space, too, but if that's what you want, then my question for you would be, do you have any requirements beyond what's defined in RFC4484 Sec. 5?

Jon Peterson
Neustar, Inc.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>
Date: Wednesday, September 17, 2014 at 6:22 AM
To: Jon Peterson <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>, "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Subject: Re: [sipcore] A SIP OAuth use case



On Mon, Sep 15, 2014 at 3:29 PM, Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> wrote:

Format snags aside,

I copied that text from a different editor.
The format seems ok here:
http://www.ietf.org/mail-archive/web/sipcore/current/msg06258.html

So, it might be something on your side?


I have a bit of difficulty even differentiating the issues listed below: surely the reason why enterprises assign multiple identities per user is to authorize access to different services separately.

Sorry, I do not get that.
Why would the enterprise be required to create multiple identities to allow access to different services separately? in other words, why cannot the enterprise create one identity and still be able to control the user's access to different services provided by different servers?


This is an issue that could be resolved with an access control list per service and a trusted identity broker in the enterprise vouching for user identities to these services.

But that means that each server that provides a service must maintain a separate user directory, which is exactly what I am trying to avoid.


But to convince ourselves that one approach to this is better than another, we need to look at a level of detail below these issue descriptions. Again, in order to access a voicemail service in an enterprise, say, what does the voicemail service need to know about the user?

Like, for regular access to the voicemail for "jon@enterprise," surely all the voicemail service needs to know is that the entity authoritative for the @enterprise issued me the name "jon." Maybe the "admin" account gets to access all the voicemails, if need be.

The application server needs the following pieces of information about each user:
1. ID and credentials
2. User profile to control the level of service provided to the user.

You cannot assume that all users will get the same level of service.


There are a variety of mechanisms that suffice to prove simple identities like that to a service.

Can you elaborate?
Are you assuming that the service still have a separate user directory?


If, however, I as "jon" needed for a third-party transcription service to access a subset of the messages in my voicemail box, and I wanted the permissions for that access to expire as soon as the messages had been transcribed, then there is a much narrower set of mechanisms that could provide that capability.

You keep going back to the OAuth 2.0 model and try to impose it on SIP, which would work in some use cases.

What I am proposing is something along the lines of OpenID, which extends the OAuth to authenticate the *user*.
In this case, the mapping between OAuth and SIP would be something like the following:

OAuth                                    SIP
---------------------------------------------------------------------------
Resource Owner                     End User
Resource Server                     SIP Proxy or SIP Application Server
Client                                     SIP UA
Authorization Server                Authorization Server

Do you see a problem with this model?


But it sounds to me, from this issues list, like your requirements are more along the former lines than the latter.


Actually, it is both.

Here is an example of a use case that fits with the OAuth 2.0 model:

An Application Server that provides Mobile Clients with access to SIP services.
The Mobile Client uses a proprietary protocol to communicate with the Application Server that registers and gets service from the SIP network on behalf of the user that is using the Mobile Client.

The communication channels between the players in this case are as follows (hopefully the format is ok this time):

[Mobile Client]  <----------->  [Application Server] <-----------> [SIP Proxy]
          /\                                         /\
           |                                          |
           |                                         \/
           ------------------------> [Authorization Server]


In this case, the mapping between OAuth and SIP would be something like the following:

OAuth                                    SIP
---------------------------------------------------------------------------
Resource Owner                     End User
Resource Server                     SIP Proxy
Client                                     Application Server (providing service to the mobile client)
Authorization Server                Authorization Server


Regards,
 Rifaat




Jon Peterson
Neustar, Inc.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>
Date: Saturday, September 13, 2014 at 12:32 PM

To: Jon Peterson <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>, "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Subject: Re: [sipcore] A SIP OAuth use case



On Thu, Sep 4, 2014 at 7:27 PM, Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> wrote:

I understand that OAuth can be altered from its basic flows to provide tokens for OpenID, and IdP could be bound to OAuth, and while this is all very interesting it doesn't change much about the requirements discussion I think we need to have: the one about what kinds of use cases we want to satisfy and who the relying parties are in those cases. Once we understand that, we will understand what tools are applicable to these use cases - preferably, not tools that need to be twisted into a different shape to be applicable.


Well, OpenID extends the OAuth 2.0 Framework to authenticate the user; why do you think it is "twisting" OAuth into a different shape?



It would helpful, in the enterprise SSO case, for us to understand what kinds of application servers a user might need to access, and what exactly those application servers need to know about the user in order to accomplish their function.


Below is a description for some enterprise issues, that hopefully will be addressed by a new authorization framework:


* Multiple Identities One of the major issues in the enterprise is the need for a user to obtain multiple uncorrelated identities associated with different products to get access to the various services provided by the enterprise. For example, in the enterprise the user will be provided with different identities to: o Login his device (PC, laptop, mobile, ...) to the network. o Register to the SIP network and get basic SIP services. o Access his Voice Mail. o Host a conference. o etc Typically, these identities belong to different administrative domains and realms. Instead of these multiple identities, ideally the enterprise would like to create and maintain only one identity for the user and then allow the user access to all SIP and non-SIP services using that one identity. * Authorization of Access to Services Another issue in the enterprise is the need to control and authorize a user access to services. Because application servers have their own user directory, the control of access to services is spread over a multitude of servers in the network. Ideally, the enterprise would like to manage the access to services using one centralized entity and for the various entities that provide the service to become the enforcement points. * Assignment of Services In the enterprise, different users might be assigned to different servers providing a specific service; e.g. Voice Mail Box for different users might be hosted by different servers, and the user need to know his assigned server to be able to get access to this service. * Application Servers To be able to provide service, the application server needs a list of users allowed to get services. The application server needs the following pieces of information about each user: 1. User ID and Credentials 2. Profile to control the level of service provided to the user. If one application server provides different services using different protocols, the application server might need to maintain different identities associated with these protocols; e.g. an application server that provides presence service using SIP, and IM service using XMPP. Ideally, an authorization framework would: 1. Off load the application server from the need to manage the user credentials and authenticating the user. 2. Off load the application server from the need to maintain the users and their profiles to control the level of service provided to the user. 3. Allow the assignment of a user to a specific application server. * OAuth/OpenID Model With the OAuth/OpenID framework, the user ID and credentials will be handled by the authorization server, and the application server assignment and the level of service associated with the user will be provided in the scope of the token associated with the user. When the application server receives a request from a user it will have all the details that would allow the application server to validate the request to make sure it is coming from the right authorization server, and to act upon the request because it has the scope associated with the user, without the need to contact the authorization server. * Relying Party Regarding the Relying Party question: I think that when the user is being authenticated, that the Relying Party would be the SIP Client that would be given a user token (ID Token in OpenID lingo) to access services on behalf of the end user. So, the mapping would be something like this: +------------------------+-----------------------------+ | OAuth | SIP | +------------------------+-----------------------------+ | Resource Owner | End User | | Resource Server | SIP Proxy or SIP App Server | | Client | SIP UA (Relying Party) | | Authorization Server | Authorization Server | +------------------------+-----------------------------+


Regards,
 Rifaat






Jon Peterson
Neustar, Inc.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>
Date: Thursday, September 4, 2014 at 8:31 AM
To: Jon Peterson <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>, "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Subject: Re: [sipcore] A SIP OAuth use case




On Wed, Sep 3, 2014 at 4:00 PM, Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> wrote:

While I would echo Paul's thoughts below about the plausibility of service
providers using this model to authorize recording, I also agree that
third-party recording is an excellent example of a service architecture
that requires an authorization mechanism like OAuth. An end user needs to
authorize a third party to participate in the session under certain
constraints, and coordinate the association between the third party and
the VoIP service. This example also (rightly, in my opinion) conducts the
majority of the flow in HTTP where it belongs.


I agree with that.


Many of the use cases under discussion in this thread, though, are of the
form where there are really only two involved parties: an end user and a
service provider. If you are my service provider, then in traditional SIP
I share a secret with you that I use to REGISTER my devices. I don't think
you need OAuth for that.

If you assume that there is one server that provides all the services, then you are right.
But that is not the case all the time. I think that Dale articulated that clearly in the following response:
http://www.ietf.org/mail-archive/web/sipcore/current/msg06233.html


I do understand that OAuth 2.0 is used in the
wild for SSO, though I sympathize with Matt that the base flow shown in
RFC6749 Sec 1.2 just doesn't map onto the requirements for SSO.


I agree that the OAuth 2.0 "as is" does not address the SSO requirements.
The SIP OAuth proposal is not just using OAuth 2.0 "as is", but it is extending the framework to authenticate and provide a *user* specific token.

Since Matt mentioned OpenID few times, I looked at the OpenID specification.
What they are doing there is that they defined a new token, called ID Token, that is associated with the *user*; which is exactly what the SIP OAuth proposal is doing.
http://openid.net/specs/openid-connect-core-1_0.html#IDToken

My plan is to use the same terminology, ID Token, in the next version of the SIP OAuth document to clarify that, and to differentiate it from the access token.


I think, though, we might usefully break uses cases here down by who the
intended relying party is:

- The user's own SIP service provider (my enterprise, my carrier, my OTT
provider)
- A third party that a user wants to authorize for a service (recording
service... But anything else?)

I would also append some use cases where the relying party:

- Someone with no association with the user (caller ID sorts of cases)

This last is where I've argued things like IdP might be relevant.


EKR has a nice description for binding IdP to OAuth in his WebRTC Security Architecture document here:
https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#appendix-A.2

We could use the same idea for SIP.


Regards,
 Rifaat



Are there any other high-level buckets of use cases here?

Jon Peterson
Neustar, Inc.

On 8/25/14, 11:44 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:

>On 8/25/14 11:50 AM, Rifaat Shekh-Yusef wrote:
>> Hi Matt,
>>
>> The use case and the solution provided assumes that the VoIP Provider
>> makes the decision on when and what to record.
>> While this is a valid use case, there are other use cases that allow the
>> user to decide on when and what to record; take a look at RFC6341 for
>> more info.
>> http://datatracker.ietf.org/doc/rfc6341/
>
>SIPREC supports numerous topologies.
>It would support the one that Matt outlines as well as end-user
>controlled ones.
>
>I found Matt's use case interesting. I think it would be nice if such
>services were available in that form. But I have difficulty imagining
>any of the VoIP providers I'm aware of supporting this model. My
>impression is that this means that they are giving up a value added
>revenue market, that they are loath to do. The most likely justification
>I can imagine that they don't want to legal consequences of doing
>recording.
>
>       Thanks,
>       Paul
>
>> For these use cases, where the user is in control, you need to away to
>> authenticate and control which users are allowed to record and the level
>> of service provided for that specific user.
>> This is where the solutions provided in section 3 or section 4 of the
>> SIP OAuth proposal come into play.
>> Obviously, in this case the authorization server is different from
>> authorization server used to establish the trust relationship between
>> the VoIP Provider and the CRS Provider.
>> In this case, the authorization server must authenticate the user and
>> provide his UA with an access token or a code that controls the user's
>> access to the service.
>>
>> Regards,
>>   Rifaat
>>
>>
>>
>> On Sat, Aug 23, 2014 at 9:05 AM, Matt Ryan <ietf@mvryan.org<mailto:ietf@mvryan.org>
>> <mailto:ietf@mvryan.org<mailto:ietf@mvryan.org>>> wrote:
>>
>>     Included is the use case I spoke of before.  My apologies for the
>>delay.
>>
>>     This is written as though it could be included in
>>     [draft-yusef-sipcore-sip-oauth] at section 6.
>>
>>
>>     6. Examples
>>
>>     6.1. Example: Call Recording Service
>>
>>     This example illustrates the use of SIP OAuth between three
>>     parties:  A hosted VoIP service provider, a Call Recording Service
>>     provider, and a phone system end-user.  In this example:
>>     - The phone system end-user is a customer of both the hosted VoIP
>>     provider and the Call Recording Service provider
>>     - The hosted VoIP service provider is a standard provider of hosted
>>     business-class VoIP telephone service using SIP
>>     - The Call Recording Service provider is a distinct entity from the
>>     hosted VoIP provider
>>
>>     The Call Recording Service provides to customers both the call
>>     recording abilities and management of call recordings
>>     (configuration, sharing and distribution, retention, etc.).  This
>>     service can accept and record RTP traffic, associate all RTP streams
>>     with a single call together, and store and catalog the recorded data
>>     for future searching and retrieval.  The service also offers a web
>>     interface where customers may view and retrieve stored calls.
>>     Stored calls may range from simple person-to-person voice calls to
>>     multi-party conferences with a multitude of audio and video
>>     streams.  In this example, customers are billed based on the amount
>>     of data they store, although other models are certainly possible.
>>
>>     6.1.1. OAuth 2.0 Roles
>>
>>     In this example, each party assumes the following OAuth 2.0 roles as
>>     defined in [RFC6749] Section 1.1:
>>     - The end-user assumes the role of resource owner
>>     - The hosted VoIP service provider assumes the role of client
>>     - The Call Recording Service provider assumes the role of resource
>>     server as well as the role of authorization server
>>
>>     6.1.2. Description
>>
>>     There are two parts to the example:  Initial configuration and
>>     real-time recording authorization.
>>
>>     Each section includes a simplified flow diagram for the purpose of
>>     describing the corresponding portion of the example.  For the sake
>>     of brevity, certain parts of the OAuth dialog have been eliminated.
>>     Implements should refer to [RFC6749] for details on OAuth.
>>
>>     6.1.2.1 Initial Configuration
>>
>>        +-------------+     +---------------+     +--------------+
>>        |  End-User   |     | VoIP Provider |     | CRS Provider |
>>        | Web Browser |     |    Website    |     |              |
>>        +-------------+     +---------------+     +--------------+
>>               |                    |                     |
>>               | HTTP 1             |                     |
>>               | (Configure CRS)    |                     |
>>               |------------------->|                     |
>>               |                    |                     |
>>               | HTTP 2             |                     |
>>               | (OAuth Redirect    |                     |
>>               |  to CRS Website)   |                     |
>>               |<-------------------|                     |
>>               |                    |                     |
>>               | HTTP 3             |                     |
>>               | (Authorize SIP from VoIP provider        |
>>               |----------------------------------------->|
>>               |                    |                     |
>>               | HTTP 4             |                     |
>>               | (OAuth Redirect back to VoIP portal)     |
>>               |<-----------------------------------------|
>>               |                    |                     |
>>               | HTTP 5             |                     |
>>               |------------------->|                     |
>>               |                    | HTTP 6              |
>>               |                    | (Request Access and |
>>               |                    |  refresh tokens)    |
>>               |                    |-------------------->|
>>               |                    |                     |
>>
>>     Some time after having signed up for both services, but prior to
>>     attempting to record any calls, the end-user logs into the web
>>     portal of the hosted VoIP provider with a web browser and configures
>>     their call recording service (HTTP 1).  This configuration includes
>>     providing a URI where the call recording service may be reached,
>>     along with a set of API credentials, provided by the call recording
>>     service, which will allow the client to initiate an OAuth exchange.
>>     The end-user also configures the conditions under which call
>>     recordings should take place.  For example, the end-user may request
>>     to record every multi-party (conference) call, or every call
>>     involving a specific set of users.  The end-user may also specify
>>     other restrictions, such as restricting codec negotiation to G.711u
>>     for audio and H.264 for video in order to record the RTP streams.
>>     Once the end-user saves the configuration, the hosted VoIP provider
>>     web portal redirects the end-user's web browser to the call
>>     recording service website and a standard HTTP OAuth dialog begins
>>     (HTTP 2).  The end-user authorizes the hosted VoIP provider to
>>     access (i.e. send SIP and RTP traffic to) the call recording
>>     service, for the purpose of recording calls, so long as the
>>     configured conditions are met (HTTP 3).  The result of this
>>     interaction is that the hosted VoIP provider ends up receiving an
>>     OAuth access token and refresh token from the call recording service
>>     (HTTP 4, HTTP 5, HTTP 6).  These tokens are saved in the end-user's
>>     hosted VoIP account database.
>>
>>     6.1.2.2 Real-time Recording Authorization
>>
>>        +-------------+     +---------------+      +--------------+
>>        |  End-User   |     | VoIP Provider |      | CRS Provider |
>>        |  SIP Phone  |     |    Website    |      |              |
>>        +-------------+     +---------------+      +--------------+
>>               |                    |                      |
>>               | SIP INVITE 1       |                      |
>>               |------------------->|                      |
>>               |                    | SIP INVITE 2         |
>>               |                    | (with access token)  |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 401 Unauthorized |
>>               |                    |<---------------------|
>>               |                    |                      |
>>               |                    | SIP INVITE 3         |
>>               |                    | (with refresh token) |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 200 1            |
>>               |                    | (new access token)   |
>>               |                    |<---------------------|
>>               |                    |                      |
>>               |                    | SIP INVITE 4         |
>>               |                    | (with access token)  |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 200 2            |
>>               |                    |<---------------------|
>>               |                    |                      |
>>
>>     Independently of and after the initial configuration phase, the
>>     end-user makes a telephone call using the hosted VoIP provider (SIP
>>     INVITE 1).  When this call takes place, the hosted VoIP provider
>>     looks to see whether it believes this call should be recorded.  If
>>     so, at this point it would branch the call session to the call
>>     recording service, using SIP OAuth to pass the previously provided
>>     access token for authorization (SIP INVITE 2).  Once the access
>>     token is validated by the call recording service (perhaps after
>>     first providing a new access token based on receipt of a valid
>>     refresh token), the call recording service will check the rights
>>     that were previously authorized and examine the SIP to determine
>>     whether it can accept the call.  If so, it completes the
>>     establishment of the session and begins receiving and recording the
>>     RTP stream(s) (SIP 200 OK).  The call recording service provider
>>     could also deny the request, either because the tokens are invalid
>>     or because the content of
>>       the SIP invite does not match the previously authorized
>>     conditions, in which case a SIP 403 would be returned by the call
>>     recording service provider and the call would not be recorded -
>>     however, the initial call branch would continue without
>>interruption.
>>
>>     Note:
>>     [RFC6749] specifies that when a client uses a refresh token to
>>     request a new access token, the response is HTTP 200 with the new
>>     access token and optionally a new refresh token included in the
>>     payload.  In this example, a SIP 200 response (SIP 200 1) is sent
>>     which contains the new token(s).  However, this could be confusing
>>     as SIP 200 is generally viewed as the acceptance of the INVITE,
>>     which is not what is happening in this case.  Should SIP 200 be used
>>     for consistency, or should another mechanism be used?
>>
>>     6.1.3. Justification
>>
>>     6.1.3.1. Hosted VoIP Service Provider
>>
>>     In this example, the hosted VoIP service provider can allow their
>>     customers to enable call recording in their VoIP service by
>>     selecting from any of a number of supported call recording service
>>     providers.  This allows the hosted VoIP service provider to offer
>>     this feature to customers without requiring that the hosted VoIP
>>     service provider implement and support this feature themselves.
>>
>>     6.1.3.2. Call Recording Service Provider
>>
>>     In this example, the Call Recording Service provider can focus on
>>     value and innovation in the area of recording calls and managing
>>     recorded calls without having to build a full-featured telephony
>>     offering.
>>
>>     6.1.3.3. Customer
>>
>>     In this example, the customer has more flexibility in choosing a
>>     complete solution that meets all of the customer needs.  The
>>     customer does not have to settle for a substandard call recording
>>     service offering in order to obtain other features they seek in a
>>     hosted VoIP provider, and vice versa.
>>
>>     6.1.4. Variants
>>
>>     A simple variant of this example is one wherein one of the services
>>     (either the VoIP service or the call recording service) is managed
>>     directly by the end-user, but the other is not.  For example, the
>>     end-user may wish to make use of an external hosted VoIP service
>>     provider, but may have business or legal reasons that forbid the
>>     end-user from allowing a third party to store and manage recorded
>>     calls.  The end-user could choose to set up their own call recording
>>     service as described in this example, and use SIP OAuth to
>>     facilitate interaction between the hosted VoIP service and the
>>     end-user's own call recording service.
>>
>>     6.2. Other SIP OAuth examples
>>
>>     Many other SIP-based services could leverage SIP OAuth to provide
>>     value-added service to an end-user of a hosted VoIP service
>>     provider.  Some examples of these types of services are listed
>>below.
>>
>>     Voicemail service provider:  The end-user configures their hosted
>>     VoIP service provider to manage voicemail through a separate
>>     voicemail service provider, which chooses whether to store voicemail
>>     based on existing quotas, Caller ID, etc.
>>
>>     Conferencing service provider:  A conferencing service may wish to
>>     bill customers in a more granular fashion, for example, based on the
>>     number of participants and attendees in a conference, the duration
>>     of conference, whether video was also included, which codecs were
>>     being used, etc. instead of a flat monthly rate.  SIP OAuth would
>>     facilitate metered authorization for a client's use of the service,
>>     instead of all-or-nothing access.
>>
>>     Call center service provider:  A third party may provide ring groups
>>     or call queues for a hosted VoIP provider along with detailed
>>     reports and dashboards.  The end-user uses OAuth over SIP to control
>>     who can log into which queues or ring groups, etc.
>>
>>
>>
>>     --
>>     Matt Ryan
>>     code slinger | zoomulus.com<http://zoomulus.com> <http://zoomulus.com>
>>     ietf at mvryan dot org
>>
>>
>>
>>
>>     _______________________________________________
>>     sipcore mailing list
>>     sipcore@ietf.org<mailto:sipcore@ietf.org> <mailto:sipcore@ietf.org<mailto:sipcore@ietf.org>>
>>     https://www.ietf.org/mailman/listinfo/sipcore
>>
>>
>>
>>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org<mailto:sipcore@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sipcore
>>
>
>_______________________________________________
>sipcore mailing list
>sipcore@ietf.org<mailto:sipcore@ietf.org>
>https://www.ietf.org/mailman/listinfo/sipcore

_______________________________________________
sipcore mailing list
sipcore@ietf.org<mailto:sipcore@ietf.org>
https://www.ietf.org/mailman/listinfo/sipcore

v2.23.0 | Report a Bug | By Email