Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 13:24 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/TZGN58Jie6hxhOGdClXzOBeyZe8>

Hi,

>>   What we are discussing is standardizing scope information in the draft. If I understand correctly, you don't need that for the basic mechanism to work - you only need it if you want to include authorization information in the token. In case of registration, if the SIP server has that information, it is not needed.
>
>   Also, in the case of SSO, couldn't you use the token for more things than SIP? In that case I assume you don't want to scope it to SIP only.
>
> Please read section 3.3 of the Oauth 2.0 Security Best Current Practise.
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> "In particular, access tokens SHOULD be restricted to certain resource servers, preferably to a single resource server."

Fair enough. I'll let Rifaat continue the SSO discussion, if needed, because he is more interested in that.

My main interest is using Oauth tokens for SIP registrations only, so that should be aligned with the BCP :)

> So no, I don't want the access token used for SIP used for anything else. When the client requests authorization you probably want to request a specific resource server (SIP domain)
> that this token applies to. Most examples in the docs refer to HTTPS URIs, but the spec keeps saying "URI" so I assume a SIP domain URI or a SIP server URI would work too.
> This is all in theory of course, I don’t know what kind of core dump or other hiccup a SIP URI would generate in current OAuth2 implementations ;-)

HTTP refers to the OAuth2 interfaces etc. (we are not defining a SIP OAuth interface). We can double check whether instances of "URI" should be more specific.

> Any recommendations on Open Source Oauth2 servers to play around with, btw?

Unfortunately not.

Regards,

Christer
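The audience restriction quoted above (BCP section 3.3) can be checked on the registrar side as shown in this added example, which is not code from the draft or the thread. It assumes the access token is a JWT whose `aud` claim names the SIP domain as a `sip:` URI, and uses an HS256 shared secret purely to keep the demo self-contained; a real authorization server would normally sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the demo authorization server and the
# SIP registrar (assumption for the example; not from the draft).
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Demo authorization server: mint an HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_for_registrar(token: str, sip_domain: str, now=None) -> tuple:
    """Registrar-side check: algorithm, signature, expiry, then audience."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        sig_bytes = _b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    # Pin the algorithm so an attacker-chosen "alg" cannot bypass the check.
    if hdr.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # "aud" may be a single string or a list; the token must name this registrar.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if f"sip:{sip_domain}" not in aud:
        return False, f"audience {aud} does not cover sip:{sip_domain}"
    return True, "ok"
```

A token minted for an HTTPS resource server is rejected at the audience step even though its signature and expiry are valid, which is the property the BCP text asks for.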