IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

"Olle E. Johansson" <oej@edvina.net> Thu, 11 July 2019 09:29 UTC

Return-Path: <oej@edvina.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3094E12019F for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 02:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjvMGPbCOf09 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 02:29:17 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [212.3.14.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3CE91200D6 for <sipcore@ietf.org>; Thu, 11 Jul 2019 02:29:16 -0700 (PDT)
Received: from [192.168.1.69] (static-212-247-19-62.cust.tele2.se [212.247.19.62]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id 643C5A40; Thu, 11 Jul 2019 11:29:13 +0200 (CEST)
From: "Olle E. Johansson" <oej@edvina.net>
Message-Id: <C980D7F7-4CED-4363-81AE-199C5A6275B4@edvina.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D5417CB4-E5DE-43A2-942C-A851B5B8F11F"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 11 Jul 2019 11:29:12 +0200
In-Reply-To: <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net>
Cc: Olle E Johansson <oej@edvina.net>, "sipcore@ietf.org" <sipcore@ietf.org>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/I669HlPApZLb_k7KDY56muEBSPI>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 09:29:20 -0000


> On 11 Jul 2019, at 09:30, Olle E. Johansson <oej@edvina.net> wrote:
> 
> 
> 
>> On 10 Jul 2019, at 17:26, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>> 
>> On 7/9/19 1:45 PM, Christer Holmberg wrote:
>> 
>>> OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using the token in binding refresh REGISTER requests is fine.
>>> But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.
>> 
>> Is the token somehow bound to the "registration service"? (Whatever that is.)
> In Oauth2 there are two tokens - access token and refresh token. If you add OpenID Connect, there’s an Identity token. Can we please be more
> specific in our discussions? 
> 
> 
>> 
>> ISTM that the token is bound to the parameters from www-authenticate were used in the process of obtaining the token. And so presumably the token should be applicable to any other use that provokes a www-authenticate with the same values of those parameters.
>> 
>> So, if I use a token in REGISTER, and then I do a SUBSCRIBE and get challenged the same way I would expect to use the same token for that. And I might decide to preemptively use the same token in the SUBSCRIBE if it is being sent to the same target.
>> 
>> Based on analogies to Digest, I would expect that after receiving a Bearer challenge and fetching a matching token I would then add that token to a key ring, indexed by some (which?) of the parameters from the www-authenticate. And then in the future for new requests I would look on the key ring for keys (credentials/tokens) suitable for use on this request. (When doing this I might find either Digest or Bearer credentials, or maybe both.)
> 
> The tokens generally, but if I understand it right not always, are JWT structures that contain various data.
Found a draft that specifies an Oauth Access Token JWT profile
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-00 <https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-00>

"The original OAuth 2.0 Authorization Framework [RFC6749 <https://tools.ietf.org/html/rfc6749>]
   specification does not mandate any specific format for access tokens.
   While that remains perfectly appropriate for many important scenario,
   in-market use has shown that many commercial OAuth2 implementations
   elected to issue access tokens using a format that can be parsed and
   validated by resource servers directly, without further authorization
   server involvement.  The approach is particularly common in
   topologies where the authorization server and resource server are not
   co-located, are not ran by the same entity, or are otherwise
   separated by some boundary.  All of the known commercial
   implementations known at this time leverage the JSON Web Tokens(JWT)
   [RFC7519 <https://tools.ietf.org/html/rfc7519>] format.
“

I think we can safely assume that an Access Token is going to be parsable.

/O



> In OpenID connect both the access and identity token are JWTs.
> We can either specify specific claims that  are standardised for various SIP functions or let that be open for the SIP implementors to specify or a combination. 
> 
> I would suggest that a generic specifier meaning “this access token is valid for SIP services” would be a good thing. 
> 
> As a service provider I would like to add authorizations like “this user is authorized for calls to international destinations” or “this user belongs to the support queue”.
> 
> /O
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore

v2.23.0 | Report a Bug | By Email