Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-04.txt
Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 23 October 2019 15:38 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CE54120A84 for <sipcore@ietfa.amsl.com>; Wed, 23 Oct 2019 08:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cudvPyQP4n0L for <sipcore@ietfa.amsl.com>; Wed, 23 Oct 2019 08:37:58 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710078.outbound.protection.outlook.com [40.107.71.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 866D0120A39 for <sipcore@ietf.org>; Wed, 23 Oct 2019 08:37:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J0B96Cxev6at2uWsvGv0N+F1Yg17sC4i2PHnaiLnfCUnyrjHC84Y86L7Gfe73iIpE1hFmFphQtuaXA+TcIDsnZGUlQf0rbI1K5Y3o/FyiYg3En7QXb4d3cafWSJ/7gXlas+AKW4F0Qb5FjnAyrsDCvn34XH/6QD9BQREsyaWWBYtwM6De8ri0E28GHUxQsC58yKJv1cXQJJNIx1GdPweAJ0LDLCUoaOpV//SWTxbxUOl26Gklau7yTix1O66UaWegy3ZVqllLitj16uIy3XMxofyIMM/M5IOpeaZP3Uz1i2LlJ7fJQDb2WMn7ROARrJs9LswudKmu4/jbJylMvZw4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AOoMEZDLgzcoJDXumhcGfkKDkM1SeuAvPDa/wyy5jG8=; b=VsD1y4Kd+9nuPg2j7X6Pggs/HpAGnvswPFodOF5uGEduTbUx2JDHSxXVcvmkqDm1gKLDxFhNnoslTkhI6YzQVgbeWHIt3OUeFlUiS06ivL7111nUAoSMVP2DDDYmN9Xbh9dDVEXdjJgoibR4pt5TGyTZbm+mlYm5oWi02yUFdmAmROzn8mXeRDMAGKoNczSa8av3LrKKsz+V4mMebbqy88YsS7WgIt6OvotQKMK6Hqasy6YIe4+I3I5/+GOKWHW/ipavqZhpbkpbun5xPThxnMo91o2iGB728ZUkd3+rHObigqp9Xuh32/+hm8BE4W/sVk6JWi0jItdrY//gXXNBSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AOoMEZDLgzcoJDXumhcGfkKDkM1SeuAvPDa/wyy5jG8=; b=AX+KHk5g/4Bj9DHbSF3j/58iOG6OXthahKUhEtaKPRTXNjSWxMRn6OiDyfswwSMe67vzIO7ldE67p0+nC4p5PJJyvWohXivZ7zajDEKGlgndm1xF9P61ORrlEUveA6zpc3jss+UvoRDtafGKFZwqTNdFS4Xi/gEP5KonZUpTBRM=
Received: from CY4PR12CA0048.namprd12.prod.outlook.com (2603:10b6:903:129::34) by BN8PR12MB3395.namprd12.prod.outlook.com (2603:10b6:408:43::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.20; Wed, 23 Oct 2019 15:37:50 +0000
Received: from BL2NAM02FT025.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::200) by CY4PR12CA0048.outlook.office365.com (2603:10b6:903:129::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.20 via Frontend Transport; Wed, 23 Oct 2019 15:37:50 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by BL2NAM02FT025.mail.protection.outlook.com (10.152.77.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2367.14 via Frontend Transport; Wed, 23 Oct 2019 15:37:50 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x9NFbl0V024346 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 23 Oct 2019 11:37:49 -0400
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
References: <157151641170.5128.8434066501744885978@ietfa.amsl.com> <CAGL6epLPKsZO=-2gX+MZA2yDSZQshvAkwoZ9vjM1dSmtjd_JCg@mail.gmail.com> <73c0eeaf-1341-8480-3379-7562a6d0e62c@alum.mit.edu> <CAGL6epKSAYYm-xzN2ikJ005fwpvbfbgmnmTLO-m7BZJDLnY8Mg@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <ff08881f-a91f-51c3-296a-5bad242d3854@alum.mit.edu>
Date: Wed, 23 Oct 2019 11:37:47 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CAGL6epKSAYYm-xzN2ikJ005fwpvbfbgmnmTLO-m7BZJDLnY8Mg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(396003)(136003)(376002)(346002)(39860400002)(199004)(189003)(246002)(4326008)(6246003)(31686004)(5660300002)(229853002)(6306002)(2906002)(88552002)(2870700001)(58126008)(4001150100001)(305945005)(106002)(7596002)(786003)(6916009)(36906005)(316002)(356004)(76130400001)(70206006)(70586007)(66574012)(26005)(8676002)(8936002)(75432002)(2616005)(31696002)(478600001)(50466002)(86362001)(26826003)(14444005)(23676004)(2486003)(11346002)(446003)(956004)(65956001)(336012)(76176011)(53546011)(65806001)(126002)(186003)(486006)(47776003)(476003)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR12MB3395; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0b33a994-329f-405e-2da8-08d757cef632
X-MS-TrafficTypeDiagnostic: BN8PR12MB3395:
X-MS-Exchange-PUrlCount: 7
X-Microsoft-Antispam-PRVS: <BN8PR12MB339502832E6574C39FD0D4F9F96B0@BN8PR12MB3395.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 019919A9E4
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: wlWWXYrhFL0JHWiRnq4BXz5yr5KRWbYX4JYSeB3YNsut4x+bA7ScCpLsLdWqGJso9t9d081hCSSb1WRZPNbq4Wy+xweYCrSFJACUGjrr5O8JxXCfnIY0ZMbp2DkQ9PtDz+xzW5rk8WHt5JtztfTAAM78LSg2uM+jLJqmHBgXZNJvn8jSQxgtf6YrW4dNls8dY09HIiT0mQxd1euqY66saTEMSj5qTXbzv+1RBto5/SbZqUSBUCkHOy+Nx93/D3lBYS2OHraiLMGX5HYFJiznOyECywAwg1IgU1zNKuIgfxuO45DWN6yzb+S4dzGOR+6/O//2hmVbhZr6Yk7TYqnfUO32ug3hOvBmx9sIw+vZfxKU8gUhXGhveNAObSAG38ORq2S73SYbozK6eBFH1pn46SJ741VeS7mpA1kZJOMkxAmtljkvUw4F2aE5xC+fnltbMLTtDlu1/AAxV2BWaYRs+i1a24khgjaJ1dOwaSWTgYg=
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Oct 2019 15:37:50.0987 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0b33a994-329f-405e-2da8-08d757cef632
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR12MB3395
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/RsyXU8Y_ZyQPD93ku0TKNdOJhnQ>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-04.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 15:38:01 -0000
On 10/22/19 8:45 PM, Rifaat Shekh-Yusef wrote: > > > On Mon, Oct 21, 2019 at 11:40 AM Paul Kyzivat <pkyzivat@alum.mit.edu > <mailto:pkyzivat@alum.mit.edu>> wrote: > > Rifaat, > > On 10/19/19 4:23 PM, Rifaat Shekh-Yusef wrote: > > All, > > > > We update the draft based on the latest comments, mainly from Paul. > > Please, take a look and let us know what you think. > > Thanks. This is better. I have some followup questions to broaden my > understanding. (Once I understand better, I may have some > suggestions on > how to make the document clearer in this regard.) > > IIUC, upon getting a challenge for which there is no cached response, > the typical expected behavior for a UA is to launch a browser using the > URL from the authz-server-value in the challenge. Is that right? > > I'm not clear on the sequence of events following that. IOW, I'm > looking > for more detail on step [3] in the figure in section 5.1. I would > expect > that this first action of the browser will result in the AS returning a > form to the browser that will be displayed to the user. Then the user > will presumably need to fill in that form and send it to the AS. And > this may involve a dialog of multiple exchanges. This will presumably > eventually end with a response from the AS containing a token. How does > the UA recognize this as the completion of the dialog? > > In this specific case, take a look at the following flow in the RFC that > defines this mechanism: > https://tools.ietf.org/html/rfc8252#section-4.1 I don't find that at all useful because it abstracts away all the useful bits. This implies an interface between the client app and the browser. What is that interface? Where is it defined? This is needed to implement a client app. Specifically: - what information is passed in (1)? (Just the URL?) And how? - what information does the client app expect back in (4)? How is it encoded? - the figure shows just one round trip (2) and (3) between the broswer and the AS. Is that always the case? Doesn't this potentially require multiple round trips? How does the browser know it is time to return to the client app? - is the SIP UAS that is requesting authorization (e.g. registrar) the token endpoint in figure 4.1? > In particular, does the UA need to know anything about the AS or the > authentication environment in which it is operating? Or is this > consistent across all types of AS? > > The UA needs to know if it is an OAuth AS or and OpenID Connect server > to know to request access and refresh tokens only or in addition to ask > for an id token. How does it know that? Isn't that a function of what the SIP UAS requesting authorization wants? > Also, I gather there can be different kinds of token in the > response. Is > this of concern to the UA? Or does the UA blindly pass the resulting > token on to the registrar, so that the registrar can decide what to do > with it? > > The UA will only pass the Access Token to the registrar. > The refresh token is used by the UA to obtain new access token from the > AS and will never be passed to any other entity. > The id token is consumed by the UA only to get more information about > the user, e.g. SIP AOR. None of this is clear from your draft. Perhaps you could start by reproducing Figure 1 from https://tools.ietf.org/html/rfc8252#section-4.1 but changing the labels of the components to map them on to the elements in your draft. > Another point I want to follow up on is: you have now clarified that > the > authz-server-value contains a URL referencing the AS. Why not tighten > the syntax to specify the allowed value types? > > Can you elaborate on what you mean "value types"? Instead of defining the syntax as a quoted string, you could use ABNF for an HTTP/HTTPS URL. Or if you want it more general than that you could give generic URL syntax and use text to describe which kinds of URL are (and are not) suitable. (E.g. I imagine that SIP: and FILE: URLs are probably not suitable. I don't know what would be beyond HTTP and HTTPS.) Thanks, Paul > Regards, > Rifaat > > I presume you intend this > to be something that a browser can use to query the AS. The obvious > type > for this is an HTTPS URL. I am guessing that you are leaving this vague > to allow other types that might be supported by browsers and ASs. But > presumably there is something you can say about the properties expected > of this URL. I guess it ought to be something that is generally > supported by browsers, and that can be used to reference forms. > (E.g., a > SIP URL wouldn't be appropriate here.) > > Thanks, > Paul > > > > > Regards, > > Rifaat > > > > > > On Sat, Oct 19, 2019 at 4:21 PM <internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org> > > <mailto:internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org>>> wrote: > > > > > > A New Internet-Draft is available from the on-line > Internet-Drafts > > directories. > > This draft is a work item of the Session Initiation Protocol > Core WG > > of the IETF. > > > > Title : Third-Party Token-based Authentication > > and Authorization for Session Initiation Protocol (SIP) > > Authors : Rifaat Shekh-Yusef > > Christer Holmberg > > Victor Pascual > > Filename : > draft-ietf-sipcore-sip-token-authnz-04.txt > > Pages : 14 > > Date : 2019-10-19 > > > > Abstract: > > This document defines a mechanism for SIP, that is based > on the > > OAuth > > 2.0 and OpenID Connect Core 1.0 specifications, to enable the > > delegation of the user authentication and SIP registration > > authorization to a dedicated third-party entity that is > separate > > from > > the SIP network elements that provide the SIP service. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-04 > > > https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-04 > > > <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-04> > > > > A diff from the previous version is available at: > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-04 > > > > > > Please note that it may take a couple of minutes from the time of > > submission > > until the htmlized version and diff are available at > tools.ietf.org <http://tools.ietf.org> > > <http://tools.ietf.org>. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > _______________________________________________ > > sipcore mailing list > > sipcore@ietf.org <mailto:sipcore@ietf.org> > <mailto:sipcore@ietf.org <mailto:sipcore@ietf.org>> > > https://www.ietf.org/mailman/listinfo/sipcore > > > > > > _______________________________________________ > > sipcore mailing list > > sipcore@ietf.org <mailto:sipcore@ietf.org> > > https://www.ietf.org/mailman/listinfo/sipcore > > > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org <mailto:sipcore@ietf.org> > https://www.ietf.org/mailman/listinfo/sipcore >
- [sipcore] I-D Action: draft-ietf-sipcore-sip-toke… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Christer Holmberg
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef