IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 07:49 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B98712025D for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 00:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0xQ6mW7RvJAq for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 00:49:22 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00066.outbound.protection.outlook.com [40.107.0.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01391201AA for <sipcore@ietf.org>; Thu, 11 Jul 2019 00:49:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ef6Al+xN/Wppj0E+vwxPYZjYpP1L3eo2d9kq2rAjrBjDAdiFr3B0JM9l71xy9rWLttS6LtGPYzNyTASR8mT3xGseNi5cmZRkxuXfQbVc79lmcc2RTlPmlDz1BtPiWq/Kz8VKYIwoWlEXxjSLwHdaBEMGlRMg/B8BQ+ALS/7o2bhP4WV6HirvKTZ5RgUEOUzidXBOruGT4f0O6M7cf290DxdZxYQ1MeiBOMHguR3rpiFlbrZcM/vh1DzJJk9afevKEHrbwQg5LPT02vWhSYoCad4qelgxCftIKpz4iGYF90pKSJpvGc/nO+EpVFqChHhz7bVqkkTrqOh1+yWvtLlCWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CyrOlM3zjMjL6PzjaF6hyY93xO5T4qPh3Ehb0ECcc6Q=; b=VZReCigqHyxNbLtTDfz0N74r3pP4NA9TvJPoEvsqSNWc9zsz+wLbbdH1Qly6Cmww1d6tZOUCU89gxCfrTNAA15MoqBBihaj0094VY6rBWOvR3TGpQViQx/DeU/mb7zrMGAf6T+OuHjbg9AzDEmJaDIkMuCPYhXwJtwn+jj4H5Sk+ZcMALJxjNuwV7z/9gMsXef1Q1flbRNpjXHmzOOmUfooK/DIwZ1c3LSYdROmGSaRtRSGL4xILAE0+Mk63BYFQMhxJo9oiXFIM0P9wI3IkgBB277bPDviWBNxM0cREpNBqeVozFH6rEzrXRBtz4c7GIBTkWNDdLIwsSCWHOynHrA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CyrOlM3zjMjL6PzjaF6hyY93xO5T4qPh3Ehb0ECcc6Q=; b=LakpO66BgdpZc8FwKNCZ3D6MCQvAx6S5IJDTDm+XG6deFnAWUWgBGUra3V0kdkd+tGYkKF+hj0xCpKXze968w6fJsBoJgoNHuCOMCFrdRnkOl2+n+U1tmywZ2VGIFL1KjM9zVBZ8/S/4mcYeoFneEcbG9PptPcEheIRdyUiReqY=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1SPR01MB01.eurprd07.prod.outlook.com (10.160.67.159) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.3; Thu, 11 Jul 2019 07:49:18 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Thu, 11 Jul 2019 07:49:18 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXACAATj+gIABDXaAgAA3igA=
Date: Thu, 11 Jul 2019 07:49:18 +0000
Message-ID: <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net>
In-Reply-To: <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5e187884-b7fe-4dbb-35c2-08d705d4479f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1SPR01MB01;
x-ms-traffictypediagnostic: HE1SPR01MB01:
x-microsoft-antispam-prvs: <HE1SPR01MB019EA40A4216CB27A0F5A493F30@HE1SPR01MB01.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(39860400002)(346002)(396003)(136003)(366004)(189003)(199004)(6486002)(66556008)(66446008)(229853002)(99286004)(476003)(7736002)(64756008)(305945005)(6116002)(44832011)(3846002)(76176011)(8676002)(14454004)(6436002)(446003)(76116006)(33656002)(25786009)(11346002)(5660300002)(66476007)(2616005)(478600001)(66946007)(4326008)(110136005)(71190400001)(71200400001)(86362001)(486006)(8936002)(66066001)(68736007)(36756003)(58126008)(256004)(14444005)(186003)(26005)(316002)(102836004)(53936002)(6512007)(81166006)(81156014)(6506007)(2171002)(6246003)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1SPR01MB01; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 1AGFy/HbB2CvrXxPAgb3O6arC8nXbbb7KeTUOoKrOOAzDZCeKt/3dGKU2pq6SFl3xLhIDdIY20fXbHuCbvhTV+HDtmaPRsdvkowKZ/6+BEiOrcDpwKNpdwlcdxgPc/nMbYZ1zexOwIzHJPrdVFzF1q+r3JOQrW5iTGXFBfuWrQm5ESIsb6mUGGLPk0fovaCq7Wldd+hpacZfauPmb+cABMkXZMblgyh0++28LkI0U+VAlEm9FgPEJCZmRjChdSsMEsZsY3CzfwSzwThe0mu7cA4Ec7MPl37TyERaGFBwKaj3ixua2AJSnbRGBvIE6sP2rD0yEf9gfyfgO9TbIxyMvf5OLq0dQ/7GrUE+dTlg3uBas6+djU68G3sVIFtYIhlMYjqvjfrzVfsXfwIdnAeQ90K7eqliwKWqiJAo/lhFhSs=
Content-Type: text/plain; charset="utf-8"
Content-ID: <86C9D24286DE7F498C01C267D469E38C@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5e187884-b7fe-4dbb-35c2-08d705d4479f
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 07:49:18.7687 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1SPR01MB01
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/SR6SAQdPCf3NTuTzJ_4e0LVnBPM>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 07:49:24 -0000

Hi,
 
>>> OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using 
>>> the token in binding refresh REGISTER requests is fine.
>>> But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another 
>>> "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.
>> 
>> Is the token somehow bound to the "registration service"? (Whatever that is.)
>
> In Oauth2 there are two tokens - access token and refresh token. If you add OpenID Connect, there’s an Identity token. Can we please be more
> specific in our discussions? 

Good point. When I have been talking about tokens, I refer to Oauth2 tokens. Perhaps we should always indicate that explicitly.

...

 > The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In 
> OpenID connect both the access and identity token are JWTs.
> We can either specify specific claims that  are standardised for various SIP functions or let that be open for 
> the SIP implementors to specify or a combination. 
   
For backward compatibility, we should at least let SIP implementors specify.

> I would suggest that a generic specifier meaning “this access token is valid for SIP services” would be a good thing. 
>    
> As a service provider I would like to add authorizations like “this user is authorized for calls to international destinations” 
> or “this user belongs to the support queue”.
   
Such information could also be stored in the user profile in the registrar.

Regards,

Christer

v2.23.0 | Report a Bug | By Email