IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 10 July 2019 12:18 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB2D912012B for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 05:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9yrTXEzFs8I for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 05:18:45 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E215120026 for <sipcore@ietf.org>; Wed, 10 Jul 2019 05:18:45 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id g20so4145478ioc.12 for <sipcore@ietf.org>; Wed, 10 Jul 2019 05:18:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LFKHqeh3UEqz4ktbtM37AbYsQo73CpcqZv0P5QJDyDI=; b=FYTDztPf0q6nXpPd8jDmrFd7E2ZO//k0XX3Oq1j3oKBNZeEPh6N6/qoWTse/VEDwL+ F9r15mUsys/Mn/PbIG4XyGg5lETCZix+S/+eFlJHrrwGRKa7U1G71e1wIkmWz7ylp4+9 uj/zbeVUvmumwwwAiNr8mpmVNjSwE9v8ynra0T+F4wzMReu8SQN1iu1Un8WmEq7woyLW 39jf51UFDwIOm+hKAbsiIhqNb74hCtabYo1YGFqWr+PQFr5hI/L/s+t53IHV1zXNklGQ 2fE8sIGmwzIDzm16x0yMUo8bIovuzBmv/guW9+LjWbXMyzptEcCq6uijcoInHmKec617 vVpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LFKHqeh3UEqz4ktbtM37AbYsQo73CpcqZv0P5QJDyDI=; b=EQvlsnTsdyFLYcEFf//CdRyqleX75T4ueWNoPWo4cpN1laHTE/D5zS9l6I4pD6N0yK 9JKX3K+FAK5+Wd00bPfacfOFHt3gy2jN0v/cJQCUkymoy9xvdymaQ98rl+WvmXx9FXLe m1SIsWLK52gWrxmKU3tC2vEnR5sOGFOysnKniyxEa27QEcoBAQhg4h5bCwAjigZyKGp1 MYDpurbUlSMvZFsQ+eZYPzPYgUEYPjHfR6hEJYYVnJVp8DALblNHPb+ATP1KyQWA2UqD C0tcJj1aLmifNq9UVbWjwzblKMapM7YJzUFcCH2tavjwek3Q7J5wbvahtg8R1jgqoY9I Wgcw==
X-Gm-Message-State: APjAAAVxIBJg7kHUO9PsydIyWIR/09zhz2cHEI81C8gm6RwezOSPvrhE a+J6Z9wmziVY3/IbQcxBBWgWDjn3QiOBPBS8Y2c=
X-Google-Smtp-Source: APXvYqxE7xv6YNtFealrRCepSUol1lR4zCQE8smjdQMRRzQZbvYWch5HhMUQD6zBvRTJfCvZBcmMJEA+VdSMDOS7mfk=
X-Received: by 2002:a5d:9642:: with SMTP id d2mr13900922ios.278.1562761124591; Wed, 10 Jul 2019 05:18:44 -0700 (PDT)
MIME-Version: 1.0
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <CAD5OKxuK_2+JcbGvo6LNeRbCYXWXQmhKQPNUzoZvZEOupPWyjw@mail.gmail.com> <HE1PR07MB3161612130F07C8F727A2BB693F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <CAD5OKxtR-WBhfa4msbAfXoK7JowYaKK3fSCbw0cXm6SRGwkLxg@mail.gmail.com> <CAGL6epK8Z938pnMKVyWGBK=6fMzNq6+gmxro-AAO2nzvGT4jeg@mail.gmail.com> <CAD5OKxs6g+6mLbMRc9C0q5BSSn=+7HHzKf5Ya5uL-+RbhVfEaA@mail.gmail.com> <CAGL6epKfLWA=RW3T84feSud9sZ+TcpB=XRA6fvTzP-jL3h4+4A@mail.gmail.com> <CAD5OKxs3=XdOFYThY1gCu23M4nqJV-bJOSCU7-Ogn0J=xy+E3A@mail.gmail.com> <CAGL6epJWXBTcnNk3nMN3Yfsh5y6+pddQSW_MbkAdNZbmWf6_Gg@mail.gmail.com> <CAD5OKxt=sJhKGRRFPUon=JokbJ2Vb=P7GcfJ8LpXt_Yp-eOg3Q@mail.gmail.com> <393C0E68-5D0F-4AB5-B839-424C239E84A9@edvina.net> <CAGL6ep+Ovj0qQZZUvv1BA8ptNZBpp--GucJg6bbb7mUg3grN6g@mail.gmail.com> <BF387FC7-C951-420B-9C26-CC17C12738F0@edvina.net>
In-Reply-To: <BF387FC7-C951-420B-9C26-CC17C12738F0@edvina.net>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wed, 10 Jul 2019 08:18:33 -0400
Message-ID: <CAGL6epKrG1dBBKhrWKz=1Xa7Pmijscm_dwyBmA4=LdvFScQzmg@mail.gmail.com>
To: "Olle E. Johansson" <oej@edvina.net>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>, Roman Shpount <roman@telurix.com>
Content-Type: multipart/alternative; boundary="000000000000b33d85058d52ad6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/QP1Xa-nUmUNgOygjGuhIQ3YnMKc>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 12:18:48 -0000

The UA is expected to obtain a valid access token to get service, and
should be able to use that to refresh its registration when the
registration expires.
Is this coupling of expiry times needed?

Regards,
 Rifaat


On Wed, Jul 10, 2019 at 7:56 AM Olle E. Johansson <oej@edvina.net> wrote:

>
>
> On 10 Jul 2019, at 13:50, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
> When the UA authenticates to the AS, it obtains a number of tokens: access
> token and refresh token, and depends on the AS, maybe ID token.
> It is the UAs responsibility to use the refresh token to obtain a new
> access token before the expiry of the existing access token.
>
> Absolutely - my thought was what the server is supposed to do. Reading the
> STUN/Oauth docs, I see a requirement for expiry
> being less than token validity time. In SIP REGISTER/SUBSCRIBE terms, the
> expiry time in SIP should be less
> than the time the token is valid.
>
>  If the token expires, the server needs to reauth or deny services. It is
> important that no services are delivered to an expired authentication.
>
> /O
>
>
> Regards,
>  Rifaat
>
>
> On Wed, Jul 10, 2019 at 2:44 AM Olle E. Johansson <oej@edvina.net> wrote:
>
>>
>>
>> On 10 Jul 2019, at 02:53, Roman Shpount <roman@telurix.com> wrote:
>>
>> On Tue, Jul 9, 2019 at 8:30 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> wrote:
>>
>>> The document clearly allows the use of access token to authenticate
>>> non-REGISTER requests when challenged in the context of the same realm.
>>>
>>> Whether that is needed or not is a different discussion.
>>> Assuming the UA was able to authenticate the user and obtain an access
>>> token, then establish an authenticated TLS channel with the server, and
>>> register the user; is there a need for further challenges from server?
>>>
>>> When the token expires, you certainly need a new token from the user.
>> With SIP Outbound, we’re more connection oriented than before, so we should
>> propably consider what the
>> server does with the connection when a token expires (if it’s not already
>> in the draft).
>> /O
>>
>>
>> Typically, for SIP, user authentication is not tied to the TLS
>> connection. One of the reasons for this is that multiple users can use the
>> same TLS connection in federated systems. This is especially true for
>> Confidential UA, which have trust relationship with a proxy and can
>> maintain a secure connection to the registrar/proxy on behalf of multiple
>> clients.
>>
>> Once again, it would be much easier to discuss if you can provide a use
>> specific case for OAuth with confidential UA. I can easily think of a OAuth
>> use case for Public User Agent, but only have a vague idea what OAuth with
>> Confidential UA would be.
>>
>> The example I can think of, would be some sort of hot desk application,
>> where user allows a Local PBX to register with User Home PBX to accept
>> calls on behalf of user in a remote location. In this case, Local PBX and
>> User Home PBX will be federated systems which will use a single TLS
>> connection for multiple calls or end user devices. Local PBX and User Home
>> PBX will have a trust relationship, possibly with mutual TLS certificate
>> authentications. A company wide directory server will be used to store
>> actual user credentials and will be used to authenticate the user and
>> generate the token.
>>
>> Best Regards,
>> _____________
>> Roman Shpount
>>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org
>> https://www.ietf.org/mailman/listinfo/sipcore
>>
>>
>> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>
>
>

v2.23.0 | Report a Bug | By Email