IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

"Olle E. Johansson" <oej@edvina.net> Thu, 11 July 2019 08:12 UTC

Return-Path: <oej@edvina.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C95120122 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 01:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmZ_2V6ae2vn for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 01:12:51 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [212.3.14.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6557120105 for <sipcore@ietf.org>; Thu, 11 Jul 2019 01:12:50 -0700 (PDT)
Received: from [192.168.1.80] (static-212-247-19-62.cust.tele2.se [212.247.19.62]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id 05EC7A40; Thu, 11 Jul 2019 10:12:47 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com>
Date: Thu, 11 Jul 2019 10:12:45 +0200
Cc: Olle E Johansson <oej@edvina.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BCFE43BD-86FF-457E-9006-1DA7C8F3F6BE@edvina.net>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net> <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/MO13dpkHP1_l4BPwwflpZ7Iw5hE>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 08:12:54 -0000


> On 11 Jul 2019, at 09:49, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> 
> Hi,
> 
>>>> OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using 
>>>> the token in binding refresh REGISTER requests is fine.
>>>> But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another 
>>>> "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.
>>> 
>>> Is the token somehow bound to the "registration service"? (Whatever that is.)
>> 
>> In Oauth2 there are two tokens - access token and refresh token. If you add OpenID Connect, there’s an Identity token. Can we please be more
>> specific in our discussions? 
> 
> Good point. When I have been talking about tokens, I refer to Oauth2 tokens. Perhaps we should always indicate that explicitly.
Well, the document talks about both, but let’s name the specific token.
> 
> ...
> 
>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In 
>> OpenID connect both the access and identity token are JWTs.
>> We can either specify specific claims that  are standardised for various SIP functions or let that be open for 
>> the SIP implementors to specify or a combination. 
> 
> For backward compatibility, we should at least let SIP implementors specify
Maybe, but at least we should write something about the usage of claims and scopes.
I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
“this is also a SIP identity"
> 
>> I would suggest that a generic specifier meaning “this access token is valid for SIP services” would be a good thing. 
>> 
>> As a service provider I would like to add authorizations like “this user is authorized for calls to international destinations” 
>> or “this user belongs to the support queue”.
> 
> Such information could also be stored in the user profile in the registrar.
Absolutely. You either use your IDP only for authentication and handle authorization elsewhere or trust the IDP
for authorizations in SIP. That’s up to the implementor.

/O

v2.23.0 | Report a Bug | By Email