Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Roman Shpount <roman@telurix.com> Wed, 10 July 2019 23:08 UTC

To: "Olle E. Johansson" <oej@edvina.net>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/DjM_kZsOGkDnnIzyIexVWfAp0K8>

On Wed, Jul 10, 2019 at 2:40 AM Olle E. Johansson <oej@edvina.net> wrote:

> On 10 Jul 2019, at 03:44, Roman Shpount <roman@telurix.com> wrote:
>
> On Tue, Jul 9, 2019 at 9:29 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>> For me, the main motivation is SSO.
>> The user would use one set of corporate credentials to authenticate,
>> login to a deskphone, and get access to SIP and non-SIP services.
>>
>> I am not sure I am following your use case.
>> How would the user authenticate and obtain an access token in this case?
>>
>>
> The use case is the same SSO in combination with hot desks and multiple
> PBXs. The user picks a desk at a remote office, goes to a web page to log in,
> enters his credentials and desk location. The expected result is that the
> phone on this temporary desk will ring when the user gets a call on the
> user's extension on the user's home PBX. Internally, the SSO system produces
> a token, which is sent to the PBX in the remote office. The PBX in the remote
> office registers using this token with the user's home PBX, and configures
> that all the calls for this registration are forwarded to the phone on the
> user's temporary desk. All the calls placed from that desk are also placed
> through the user's home PBX so that the correct line is used and the user's
> home caller ID is displayed.
>
>
> That seems very complex. How is the token transferred from the web browser
> to the phone? And how does the home PBX validate the token sent on behalf
> of the user by the remote office PBX?
>
> Many chains of trust or many leaps of faith.
>
> But interesting.
>
>
One way to do it is that the remote PBX sends a registration to the home PBX
with the token and adds a forwarding rule to the device on the desk. End
device credentials are only used between the end device and the remote PBX,
so nothing on the device changes.

Another way to do it, if caller ID does not need to be preserved on the user's
calls, is to run a separate service which performs the third-party
registration on the user's home PBX. As a result of the user's login via a web
form, this service initiates the registration to the user's home PBX with
token authentication. The Contact address in this registration is the URL
pointing to the remote office PBX, which is pre-configured to ring the phone
on the user's desk. I think I've built a couple of services like this, but I
needed to store user credentials in a DB, which was not secure. Using OAuth
would have been much cleaner.

Best Regards.
_____________
Roman Shpount
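The third-party registration flow described in the message above, written out as an added example with both sides of the exchange. This is not code from the draft or from anyone in this thread. Assumptions: the SSO system mints a compact HS256 JWT (subject = the user's SIP AOR, audience = the home PBX) that the home PBX verifies with a shared secret; the hot-desk service sends a third-party REGISTER (From differs from To) whose Contact points at the remote office PBX; the `realm`/`authz_server`/`scope` parameters on the Bearer challenge follow the later published form of this draft (RFC 8898) and may not match -02; all host names, the secret and the sample messages are constructed. The check a registrar needs beyond token validity is that the token's subject equals the AOR in To, otherwise any user with a valid token could redirect another user's calls.

```python
# Added example, not the draft's or any participant's code. Assumptions: HS256 JWT
# minted by the SSO system and verified by the home PBX with a shared secret;
# host names, secret and challenge parameters are constructed for illustration.
import base64
import hashlib
import hmac
import json
import time

SSO_SECRET = b"constructed-example-secret-do-not-reuse"  # shared SSO <-> home PBX (assumption)
HOME_PBX = "home-pbx.example.com"                          # token audience and registrar domain
AUTHZ_SERVER = "https://sso.example.com/oauth"             # advertised in the 401 challenge


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, audience, ttl=300, now=None):
    """SSO side: after the web-form login, mint a short-lived HS256 JWT naming the
    user's SIP AOR as subject and the home PBX as audience."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "aud": audience,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SSO_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_token(token, audience, now=None):
    """Home PBX side: pin the algorithm, verify the MAC in constant time, then check
    audience and expiry. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SSO_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def build_register(aor, contact, token, call_id):
    """Hot-desk service: third-party REGISTER (From != To, RFC 3261 s.10.2) binding the
    user's AOR to a Contact on the remote office PBX, authenticated by the token."""
    lines = [
        f"REGISTER sip:{HOME_PBX} SIP/2.0",
        f"Via: SIP/2.0/TLS hotdesk.example.com;branch=z9hG4bK{call_id[:8]}",
        f"To: <{aor}>",
        "From: <sip:hotdesk@hotdesk.example.com>;tag=1928301774",
        f"Call-ID: {call_id}",
        "CSeq: 1 REGISTER",
        f"Contact: <{contact}>;expires=3600",
        f"Authorization: Bearer {token}",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def _parse_headers(message):
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def handle_register(message, bindings, now=None):
    """Home PBX registrar: returns (status, headers) and installs the binding only when
    the token verifies AND its subject is the AOR in To."""
    challenge = {"WWW-Authenticate":
                 f'Bearer realm="{HOME_PBX}", authz_server="{AUTHZ_SERVER}", scope="sip"'}
    headers = _parse_headers(message)
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, challenge
    try:
        claims = verify_token(auth[len("Bearer "):], audience=HOME_PBX, now=now)
    except ValueError:
        return 401, challenge
    aor = headers.get("to", "").strip("<>")
    if claims.get("sub") != aor:
        return 403, {}  # valid token, but not for the AOR being registered
    contact = headers.get("contact", "").split(";")[0].strip("<>")
    bindings[aor] = contact
    return 200, {"Contact": headers["contact"]}
```

The `sub` versus `To` comparison in `handle_register` is the point of the example: the token proves who logged in on the web form, and the registrar must refuse to bind any other AOR with it, or the hot-desk service becomes a way to hijack calls for arbitrary users.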