Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

["Olle E. Johansson" <oej@edvina.net>]

> On 10 Jul 2019, at 00:57, Roman Shpount <roman@telurix.com> wrote:
> 
> On Tue, Jul 9, 2019 at 4:00 PM Christer Holmberg <christer.holmberg@ericsson.com <mailto:christer.holmberg@ericsson.com>> wrote:
> >>>> As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar. 
> >>>> I have never heard about anyone using it for non-REGISTER authentication, and I wonder whether we even need 
> >>>> to cover it in the draft. We could limit the scope the REGISTER requests. Then, if anyone ever needs OAuth for non-REGISTER requests, a separate draft can be written.
> >>> 
> >>> Really? Normally, for a secure solution, every SIP request, including requests sent by UA in dialog established from the 
> >>> server to the registered end point must be authenticated. OAuth for REGISTRER requests only is kind of useless since it 
> >>> does not allow UA to send any messages to the server without some additional authentication mechanism.
> >>
> >> Not sure what you mean by "secure solution", but UAs can still use SIP Digest authentication.
> >>
> >> What I am saying is that only use-case for SIP OAuth I am aware of is for REGISTER.
> >
> > How do they get these SIP Digest credentials?
> >
> > I am looking at a very simple SIP-Over-Websockets client scenario:
> >
> > User logs into the web site which uses OAuth. UA, running in the browser gets a token which is used to Register UA with a SIP proxy.
> 
> Wouldn't  you use OAuth to establish the WebSocket connection?
>  
> No, WebSocket connection is to a different server and typically does not require authentication.
I don’t think that’s correct. See section 7 of RFC 7118 - SIP over WS. https://tools.ietf.org/html/rfc7118#section-7 <https://tools.ietf.org/html/rfc7118#section-7>

> In this specific case, I was thinking OpenSIPS with SIP-over-WS support. Implementing OAuth authentication of SIP message would be trivial there, but OAuth authentication for WebSocket would be much less obvious.
That’s implementation. I am pretty sure that Kamailio can auth the websocket, either by TLS client cert or HTTP digest auth. Guess I need to test :-)

> 
> >What credentials is UA using to place a call (send INVITE to the proxy)? 
> >If a call comes in from the proxy to UA, what credentials is UA using to hang up the call (send BYE message)?
> 
> If the registry and the call handling is part of the same service I guess you could use the same credentials, assuming 3261 generally allows using the same credentials for registrations and calls.
> 
> Are you saying using OAuth token authentication for calls (INVITE) and in dialog messages (BYE)?
Why not? It’s just a different Authorization header value. In my view Oauth bearer tokens should be usable in all places where you today have MD5 digest auth.

/O