IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 10 July 2019 22:52 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C0F12006A for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 15:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Ve71NLBY1H1 for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 15:52:14 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F8A120086 for <sipcore@ietf.org>; Wed, 10 Jul 2019 15:52:14 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id z3so8424377iog.0 for <sipcore@ietf.org>; Wed, 10 Jul 2019 15:52:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P/fS7l7r/ScU399T3+U5ZQMbtGyqh3ZEEdMkjdHVg+c=; b=X7jd9zdwDWiFV71Z7AjsVdj80HqTTr0ckugcmBBObG0Tyy50h2YvhBho1H9Pqw67MK bD7M1DJKjGoXYIDVoy05I7FGreky2JdNIWvCGiiIGbOYJ/b5gxh/8uncBaDqN4foLtWE iInW9W2h7sapd0Z0MnBNlR2obhW9LGt3AKoV1mHe2vbuVkQrbwfta7j3RrJ+hYLvpiMT dsGcZyDxpQOssIn2LqSjaLA+8AA9Va2RdMTXur6+nzEoGRoo5TwQTf2A53peV9FSfGiE RasPtDaR0eIobFmqtkQc9w2VJhi6JuOsnPxQC4zewKKWgiUSPjMdb2dEZE9Zw3BtbpHX FxgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P/fS7l7r/ScU399T3+U5ZQMbtGyqh3ZEEdMkjdHVg+c=; b=GJaJ3itk2gz6ybemKxhSopRckAwDHoT0BDlFF4SAbJm7qfPbzJySmPLw+rniNN0zv8 uWpfcwql9b8yUMON8PNUUrYIiQYALmYRq8V+QsKXLAY1YdPkDeJN02AKOgaIhYtdboAb cke7hw8H73MCRc+wnBWpEAXM/1w9JpO1BcIFzRrkCyGWLPPKL/tkblSlhPmNC27WoWI4 NGJs6BuXj22iy0GE3zF54MuQE7TfNKudN7vyWTYRYCB2Ae/HsIyZi/o4A1MYinme59Pr MQuqSrnvZoxwDw1fer7gOd84nRjb744GB0nq0J1C/BLV+RenMKbLrfl6WI81IHRrXWeh LPLg==
X-Gm-Message-State: APjAAAX5WLsr0Z89VWJTVQEs/Aj7LAtwBt/MzDWc4ZzPZRVHfezUTEGV /KmGjzcGZ7wKXKTlz+YTz4dlUECwcC0Uq84lDZovYFk09Kc=
X-Google-Smtp-Source: APXvYqyfCUc/LX457zjVcuIXOuldGEh5+xxCKtndUP9hWNbK2lkNcH7m5ZVl8Mck3nNZ3s45ENnzY15PNH9Mdw/L1fI=
X-Received: by 2002:a02:4005:: with SMTP id n5mr690299jaa.73.1562799133903; Wed, 10 Jul 2019 15:52:13 -0700 (PDT)
MIME-Version: 1.0
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <CAD5OKxuK_2+JcbGvo6LNeRbCYXWXQmhKQPNUzoZvZEOupPWyjw@mail.gmail.com> <HE1PR07MB3161612130F07C8F727A2BB693F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <CAD5OKxtR-WBhfa4msbAfXoK7JowYaKK3fSCbw0cXm6SRGwkLxg@mail.gmail.com> <CAGL6epK8Z938pnMKVyWGBK=6fMzNq6+gmxro-AAO2nzvGT4jeg@mail.gmail.com> <CAD5OKxs6g+6mLbMRc9C0q5BSSn=+7HHzKf5Ya5uL-+RbhVfEaA@mail.gmail.com> <CAGL6epKfLWA=RW3T84feSud9sZ+TcpB=XRA6fvTzP-jL3h4+4A@mail.gmail.com> <CAD5OKxs3=XdOFYThY1gCu23M4nqJV-bJOSCU7-Ogn0J=xy+E3A@mail.gmail.com> <CAGL6epJWXBTcnNk3nMN3Yfsh5y6+pddQSW_MbkAdNZbmWf6_Gg@mail.gmail.com> <CAD5OKxt=sJhKGRRFPUon=JokbJ2Vb=P7GcfJ8LpXt_Yp-eOg3Q@mail.gmail.com> <393C0E68-5D0F-4AB5-B839-424C239E84A9@edvina.net> <CAGL6ep+Ovj0qQZZUvv1BA8ptNZBpp--GucJg6bbb7mUg3grN6g@mail.gmail.com> <BF387FC7-C951-420B-9C26-CC17C12738F0@edvina.net> <CAGL6epKrG1dBBKhrWKz=1Xa7Pmijscm_dwyBmA4=LdvFScQzmg@mail.gmail.com> <161D4FCD-FA4D-4494-AA72-27DF363BEA3B@edvina.net> <CAGL6epK=ma58LHQHd1=XQxBhr_-9r6xKupY6WFgs6RprFXgeew@mail.gmail.com> <B17C6499-C8BF-4204-B628-619F81A969DD@edvina.net> <5240BC21-613D-4C21-93A9-244C1AA3BAF4@edvina.net>
In-Reply-To: <5240BC21-613D-4C21-93A9-244C1AA3BAF4@edvina.net>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wed, 10 Jul 2019 18:52:02 -0400
Message-ID: <CAGL6epKPCK65FEYsrfqxPAKvj+_EfaANTaUGjUsts+7mpwgoDw@mail.gmail.com>
To: "Olle E. Johansson" <oej@edvina.net>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>, Roman Shpount <roman@telurix.com>
Content-Type: multipart/alternative; boundary="0000000000003b5269058d5b877d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/RpOXTfwgR0HMWdKW3GSyNAhQG9g>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 22:52:18 -0000

Typically, access token is short lived, and in this case it should be used
only to allow the UA to register the user.
When the time comes to refresh the registration, the UA should use the
refresh token, which is long lived as it stays with the UA, to obtain a new
access token to update the registration.
If you tie it to the registration expiry, then the access token might be
valid for a long time, which degrades the security of the token.

There are better mechanisms for a proper indication of account revocation,
like the mechanisms defined by the Security Events WG:
https://datatracker.ietf.org/wg/secevent/documents/

Regards,
 Rifaat



On Wed, Jul 10, 2019 at 9:17 AM Olle E. Johansson <oej@edvina.net> wrote:

>
>
> On 10 Jul 2019, at 15:08, Olle E. Johansson <oej@edvina.net> wrote:
>
>
>
> On 10 Jul 2019, at 14:30, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
> This does not explain the reason for such a requirement.
> Why do you think we need to couple these together for SIP?
>
> I don’t want to continue delivering services to clients that are deleted
> or blocked in the customer database.
> With Oauth, the way to block an account is to remove it or change
> authorization in the authentication server (IDP) data base.
>
> The idea with auth tokens and refresh tokens is to be able to revocate
> authorization quickly.
> Delivering a service beyond revocation is not a good thing in my book.
>
> From the definition of Access Token in section 1.4 in RFC 6749:
>
> "Access tokens are credentials used to access protected resources. An
>
>    access token is a string representing an authorization issued to the
>    client.  The string is usually opaque to the client.  Tokens
>    represent specific scopes and durations of access, granted by the
>    resource owner, and enforced by the resource server and authorization
>    server.
>
> “
>
> "Duration of access" is in my world coupled to SIP
> registration/subscription expiry.
>
>
> You have actually implicitly written that expiry time accords to token
> expiry :
>
> "2.3
> <https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-02#section-2.3>.
> Subsequent Registrations
>
>    All subsequent REGISTER requests from the UA MUST include a valid
>    access token.  The UA MUST obtain a new access token before the
>    access token expiry period to continue to get service from the
>    system.
>
> “
>
> You just need to add that the server MUST not allow an expiry that is
> greater than
> the access token expiry time.
>
> /O
>
>
> Cheers
> /O
>
>
> Regards,
>  Rifaat
>
>
>
>
> On Wed, Jul 10, 2019 at 8:25 AM Olle E. Johansson <oej@edvina.net> wrote:
>
>>
>>
>> On 10 Jul 2019, at 14:18, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> wrote:
>>
>> The UA is expected to obtain a valid access token to get service, and
>> should be able to use that to refresh its registration when the
>> registration expires.
>> Is this coupling of expiry times needed?
>>
>> Absolutely. If we grant a REGISTER expiry time that is much longer than
>> the expiry of the token, we’re in deep waters.
>>
>> Example from RFC 7635 Stun/Oauth - which I think we can borrow a lot from:
>>
>> “ o The lifetime provided by the TURN server in the Allocate and
>>
>>       Refresh responses MUST be less than or equal to the lifetime of
>>       the token.  It is RECOMMENDED that the TURN server calculate the
>>       maximum allowed lifetime value using the formula:
>>
>>         lifetime + Delta - abs(RDnew - TS)
>>
>>       The RECOMMENDED value for the allowed Delta is 5 seconds.
>>
>> “
>>
>> Note that they have a “MUST” on this. I think we MUST do the same :-)
>> /O
>>
>>
>> Regards,
>>  Rifaat
>>
>>
>> On Wed, Jul 10, 2019 at 7:56 AM Olle E. Johansson <oej@edvina.net> wrote:
>>
>>>
>>>
>>> On 10 Jul 2019, at 13:50, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>>> wrote:
>>>
>>> When the UA authenticates to the AS, it obtains a number of tokens:
>>> access token and refresh token, and depends on the AS, maybe ID token.
>>> It is the UAs responsibility to use the refresh token to obtain a new
>>> access token before the expiry of the existing access token.
>>>
>>> Absolutely - my thought was what the server is supposed to do. Reading
>>> the STUN/Oauth docs, I see a requirement for expiry
>>> being less than token validity time. In SIP REGISTER/SUBSCRIBE terms,
>>> the expiry time in SIP should be less
>>> than the time the token is valid.
>>>
>>>  If the token expires, the server needs to reauth or deny services. It
>>> is important that no services are delivered to an expired authentication.
>>>
>>> /O
>>>
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>> On Wed, Jul 10, 2019 at 2:44 AM Olle E. Johansson <oej@edvina.net>
>>> wrote:
>>>
>>>>
>>>>
>>>> On 10 Jul 2019, at 02:53, Roman Shpount <roman@telurix.com> wrote:
>>>>
>>>> On Tue, Jul 9, 2019 at 8:30 PM Rifaat Shekh-Yusef <
>>>> rifaat.ietf@gmail.com> wrote:
>>>>
>>>>> The document clearly allows the use of access token to authenticate
>>>>> non-REGISTER requests when challenged in the context of the same realm.
>>>>>
>>>>> Whether that is needed or not is a different discussion.
>>>>> Assuming the UA was able to authenticate the user and obtain an access
>>>>> token, then establish an authenticated TLS channel with the server, and
>>>>> register the user; is there a need for further challenges from server?
>>>>>
>>>>> When the token expires, you certainly need a new token from the user.
>>>> With SIP Outbound, we’re more connection oriented than before, so we should
>>>> propably consider what the
>>>> server does with the connection when a token expires (if it’s not
>>>> already in the draft).
>>>> /O
>>>>
>>>>
>>>> Typically, for SIP, user authentication is not tied to the TLS
>>>> connection. One of the reasons for this is that multiple users can use the
>>>> same TLS connection in federated systems. This is especially true for
>>>> Confidential UA, which have trust relationship with a proxy and can
>>>> maintain a secure connection to the registrar/proxy on behalf of multiple
>>>> clients.
>>>>
>>>> Once again, it would be much easier to discuss if you can provide a use
>>>> specific case for OAuth with confidential UA. I can easily think of a OAuth
>>>> use case for Public User Agent, but only have a vague idea what OAuth with
>>>> Confidential UA would be.
>>>>
>>>> The example I can think of, would be some sort of hot desk application,
>>>> where user allows a Local PBX to register with User Home PBX to accept
>>>> calls on behalf of user in a remote location. In this case, Local PBX and
>>>> User Home PBX will be federated systems which will use a single TLS
>>>> connection for multiple calls or end user devices. Local PBX and User Home
>>>> PBX will have a trust relationship, possibly with mutual TLS certificate
>>>> authentications. A company wide directory server will be used to store
>>>> actual user credentials and will be used to authenticate the user and
>>>> generate the token.
>>>>
>>>> Best Regards,
>>>> _____________
>>>> Roman Shpount
>>>>
>>>> _______________________________________________
>>>> sipcore mailing list
>>>> sipcore@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>>
>>>>
>>>> _______________________________________________
>>> sipcore mailing list
>>> sipcore@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>
>>>
>>>
>> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>
>
>
>

v2.23.0 | Report a Bug | By Email