Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

"Olle E. Johansson" <oej@edvina.net> Wed, 10 July 2019 06:40 UTC

From: "Olle E. Johansson" <oej@edvina.net>
Message-Id: <42F6AA81-773C-46DB-8BE7-D76951C24B47@edvina.net>
Date: Wed, 10 Jul 2019 08:40:23 +0200
In-Reply-To: <CAD5OKxsmXUjFP0mGELdPxCgXKwDs+9iYKE327fB1Jtn0jsXAbg@mail.gmail.com>
Cc: Olle E Johansson <oej@edvina.net>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "sipcore@ietf.org" <sipcore@ietf.org>
To: Roman Shpount <roman@telurix.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <CAD5OKxuK_2+JcbGvo6LNeRbCYXWXQmhKQPNUzoZvZEOupPWyjw@mail.gmail.com> <HE1PR07MB3161612130F07C8F727A2BB693F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <CAD5OKxtR-WBhfa4msbAfXoK7JowYaKK3fSCbw0cXm6SRGwkLxg@mail.gmail.com> <CAGL6epK8Z938pnMKVyWGBK=6fMzNq6+gmxro-AAO2nzvGT4jeg@mail.gmail.com> <CAD5OKxs6g+6mLbMRc9C0q5BSSn=+7HHzKf5Ya5uL-+RbhVfEaA@mail.gmail.com> <CAGL6epKfLWA=RW3T84feSud9sZ+TcpB=XRA6fvTzP-jL3h4+4A@mail.gmail.com> <CAD5OKxs3=XdOFYThY1gCu23M4nqJV-bJOSCU7-Ogn0J=xy+E3A@mail.gmail.com> <CAGL6epJWXBTcnNk3nMN3Yfsh5y6+pddQSW_MbkAdNZbmWf6_Gg@mail.gmail.com> <CAD5OKxt=sJhKGRRFPUon=JokbJ2Vb=P7GcfJ8LpXt_Yp-eOg3Q@mail.gmail.com> <CAGL6ep+CGEs8OW4vO2vNuGg8co9rXiUiD1JWaR9W7BBm8+SpQw@mail.gmail.com> <CAD5OKxsmXUjFP0mGELdPxCgXKwDs+9iYKE327fB1Jtn0jsXAbg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/RXf2FUz5Jom80EJFyFnx6C2hgLc>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

> On 10 Jul 2019, at 03:44, Roman Shpount <roman@telurix.com> wrote:
> 
> On Tue, Jul 9, 2019 at 9:29 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com <mailto:rifaat.ietf@gmail.com>> wrote:
> For me, the main motivation is SSO.
> The user would use one set of corporate credentials to authenticate, login to a deskphone, and get access to SIP and non-SIP services.
> 
> I am not sure I am following your use case.
> How would the user authenticate and obtain an access token in this case?
> 
> 
> The use case is the same SSO in combination with hot desks and multiple PBXs. User picks a desk at a remote office, goes to a web page to login, enters his credentials and desk location. Expected result is that the phone on this temporary desk will ring when user gets a call on user's extension on the user home PBX. Internally, SSO system produces a token, which is sent to the PBX in the remote office. PBX in the remote office registers using this token with user home PBX, and configures that all the calls for this registration are forwarded to the phone on the user temporary desk. All the calls placed from that desk are also placed through user home PBX so that correct line is used and user home caller ID is displayed.

That seems very complex. How is the token transferred from the web browser to the phone? And how does the home PBX validate the token sent on behalf of the user by the remote office PBX?

Many chains of trust or many leaps of faith.

But interesting.

/O :-)
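Added example, not part of the original message or of the draft: the kind of check a home PBX would have to run on a bearer token that a remote PBX presents on the user's behalf in a SIP REGISTER, which is the validation question raised above. Everything below the SIP framing is an assumption made for the demonstration: the token is a JWT signed with HS256 under a key shared between the SSO system and the home PBX, the claim names (sub, aud, exp), the realm, the key and the sample REGISTER are all constructed here, and the draft does not prescribe any of them. Standard library only.

```python
"""Home-PBX side validation of a bearer token carried in SIP REGISTER.
Added example; the token format, claims, key and hostnames are assumptions."""
import base64, hmac, hashlib, json, time

HOME_REALM = "home-pbx.example.com"            # hypothetical audience / realm
SHARED_KEY = b"constructed-demo-key-not-real"  # constructed for the example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the SSO system: HS256-sign a JWT (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Check algorithm, signature, audience and expiry; return claims or raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm switching
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != HOME_REALM:  # token minted for some other service
        raise ValueError("token not issued for this PBX")
    return claims


def parse_register(msg: str) -> dict:
    """Pull the To AoR and the Bearer credential out of a SIP REGISTER."""
    lines = msg.split("\r\n")
    if not lines[0].startswith("REGISTER "):
        raise ValueError("not a REGISTER")
    hdrs = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("no bearer credentials")
    aor = hdrs["to"].split("<")[1].split(">")[0]  # e.g. sip:alice@home-pbx...
    return {"aor": aor, "token": token}


def authorize_register(msg: str, now=None) -> str:
    """Accept the REGISTER only if the token's subject is the AoR being registered.
    The remote PBX is merely the bearer; the user<->AoR binding comes from the SSO."""
    req = parse_register(msg)
    claims = verify_token(req["token"], now=now)
    if claims.get("sub") != req["aor"]:
        raise ValueError("token subject does not match registered AoR")
    return req["aor"]


# Constructed sample exchange: SSO mints a token for alice, remote PBX presents it.
NOW = 1_562_742_000  # fixed clock so the example is deterministic
TOKEN = mint_token({"iss": "sso.example.com", "sub": "sip:alice@home-pbx.example.com",
                    "aud": HOME_REALM, "exp": NOW + 300})
REGISTER = (
    "REGISTER sip:home-pbx.example.com SIP/2.0\r\n"
    "To: <sip:alice@home-pbx.example.com>\r\n"
    "From: <sip:alice@home-pbx.example.com>;tag=1\r\n"
    "Contact: <sip:alice@remote-pbx.example.net>\r\n"
    f"Authorization: Bearer {TOKEN}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("accepted registration for", authorize_register(REGISTER, now=NOW))
```

The point of the subject-versus-AoR check is the "chain of trust" remark in the message: the home PBX never trusts the remote PBX, only the SSO issuer's signature, so a remote PBX holding alice's token cannot register bob's extension with it. In a real deployment the signature would be checked against the authorization server's published keys or by token introspection rather than a shared secret, and the REGISTER's Contact (the hot-desk phone) is what the forwarding would be bound to.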