IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 10 July 2019 12:22 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065911200FB for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 05:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmXdO0J9RbZS for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 05:22:53 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02on062c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe05::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B01120129 for <sipcore@ietf.org>; Wed, 10 Jul 2019 05:22:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eAEK8hprPaC6tSl64eqFM9SGTj3MX59pUNtOXUEHrK2J26iKgCytS1X/mW6XKoW0HNUMILC8aHIYnY2TtfoQNrqhLgyzVchUNukKgPEuDtBp161eC3Kw+4acHrQ78MhotSHALwY9KwkbxbclDqXaYHtB0fjVNqgN2hq+teKujbN5H37Sy6fhZ9V+X5qOW2EEFva5IMX0hDzgRz4lB+wZbHSHpJ0X7YFqdFAdF+dkFRK4fSGoNElwi6NsaKuKzVWB6dW8gvuLNYuRPat4UufSfN85/dwVjmF1Tt5SpTCj0K//upUMePUmj/sJUK+A46IQ3us0bfwq3a0GWyIIWveA9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pIrdacj+ru4tSvalt8/SWNbgPUoNLF5YjVNgY3aQ38E=; b=mWoj0VJ2hZSfuYPbV9rO5M1Z59jtIRY2siyXDvtRaUqxUKB88dyfL8q/aR9hvN7jnmisGdTt5gmxE2JX2Ix8JnFPGxWfcy2qlpoiHUIInGFBzqBzHh9HNz+i20u4pkHl6ycNYtSB8kMUXKWp2WXPRgJGVRYxq6p6LIiuuwhWx+b3C0M4eN2nLqepeOk4nL3tIBOhSrk9Ws2iciJoWkYuBJc3EnU23gaLPlM1ZqUXBTMWr/w6oNM8zwdh8rNHv72YUZFimFjVaj5Pd9SF61CEwRcRuCU7Jj+n8xahdY0t6VPwvulE129fZ+FvO551xeoYlmybKqBlNXQq1mWVS5+1BQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pIrdacj+ru4tSvalt8/SWNbgPUoNLF5YjVNgY3aQ38E=; b=GLxar9anL+ATIfmTpS/6aVKUt38Ji57cQ8myMNjZYi/6YMq+dWO4Ly/EimX6H75+y5OXZefBUmxX6AsrXF7NEFAeFbbUbSX5GLovecULI1iHs9t/ALQq5IPxEpGr2XqnD+0+rvkTbb9XqJ73OCCAJh4920HTbjBBgZPTn7AiWkw=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3114.eurprd07.prod.outlook.com (10.170.245.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Wed, 10 Jul 2019 12:22:50 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Wed, 10 Jul 2019 12:22:50 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>, Roman Shpount <roman@telurix.com>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///8CoCAAAq/0IAABmoAgAAeAYCAABzUAIAABQKAgAACsgCAABGcAIAABn4AgABh5YCAAFWlgIAAAYkAgAAGSICAADN8gA==
Date: Wed, 10 Jul 2019 12:22:49 +0000
Message-ID: <ED23A599-08C6-4359-B2CA-4DF287E29608@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <CAD5OKxuK_2+JcbGvo6LNeRbCYXWXQmhKQPNUzoZvZEOupPWyjw@mail.gmail.com> <HE1PR07MB3161612130F07C8F727A2BB693F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <CAD5OKxtR-WBhfa4msbAfXoK7JowYaKK3fSCbw0cXm6SRGwkLxg@mail.gmail.com> <CAGL6epK8Z938pnMKVyWGBK=6fMzNq6+gmxro-AAO2nzvGT4jeg@mail.gmail.com> <CAD5OKxs6g+6mLbMRc9C0q5BSSn=+7HHzKf5Ya5uL-+RbhVfEaA@mail.gmail.com> <CAGL6epKfLWA=RW3T84feSud9sZ+TcpB=XRA6fvTzP-jL3h4+4A@mail.gmail.com> <CAD5OKxs3=XdOFYThY1gCu23M4nqJV-bJOSCU7-Ogn0J=xy+E3A@mail.gmail.com> <CAGL6epJWXBTcnNk3nMN3Yfsh5y6+pddQSW_MbkAdNZbmWf6_Gg@mail.gmail.com> <CAD5OKxt=sJhKGRRFPUon=JokbJ2Vb=P7GcfJ8LpXt_Yp-eOg3Q@mail.gmail.com> <393C0E68-5D0F-4AB5-B839-424C239E84A9@edvina.net> <CAGL6ep+Ovj0qQZZUvv1BA8ptNZBpp--GucJg6bbb7mUg3grN6g@mail.gmail.com> <BF387FC7-C951-420B-9C26-CC17C12738F0@edvina.net> <CAGL6epKrG1dBBKhrWKz=1Xa7Pmijscm_dwyBmA4=LdvFScQzmg@mail.gmail.com>
In-Reply-To: <CAGL6epKrG1dBBKhrWKz=1Xa7Pmijscm_dwyBmA4=LdvFScQzmg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 18ddc4c9-d026-46bc-7d03-08d70531530c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3114;
x-ms-traffictypediagnostic: HE1PR07MB3114:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <HE1PR07MB3114D49E3581A37D120C8CEC93F00@HE1PR07MB3114.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0094E3478A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(376002)(346002)(136003)(396003)(39860400002)(189003)(199004)(229853002)(66556008)(66946007)(44832011)(76116006)(4326008)(2906002)(14444005)(256004)(53546011)(7736002)(68736007)(6506007)(64756008)(54896002)(26005)(186003)(102836004)(71190400001)(81156014)(71200400001)(81166006)(53936002)(236005)(446003)(66446008)(6306002)(8676002)(66066001)(5660300002)(86362001)(6246003)(6436002)(6486002)(6512007)(66476007)(476003)(2616005)(6116002)(3846002)(966005)(33656002)(110136005)(316002)(58126008)(14454004)(478600001)(99286004)(25786009)(76176011)(8936002)(486006)(36756003)(11346002)(54906003)(606006); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3114; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: LMIeKMlFM9BUiu6JxsGSTEmBD6pRRA9hSwkahxbkjH/pUYt7EiWeIF7sFMoa68N8TuViHpnD1FSaYZ8cBOtvH0hthv9jcvZHSFkClVBUnHVMwcYt+wmJfqbbEyYK3YwgGr7M8ipwq+L6Gk273OvzGq5cr1AAWiMJQ7svVCdKto5zHcURbRVkPvT7Ng8haDaSoKwzG0Cll8um0xrFIESCn6WBoArgsyDcL9bFk9/fURKfkKisS5HsfJvxSGGKsBFbCTAN/SWc00MEdHhYpKABPvj+EkL+Smyuc3HSf8COh0WDLktHJ8F8ZtIH0yXo5bdXNHkgmc74is1jWjUH5ay79YnotCDrZDAua22c1PHd4tJeSXEpfFGKOA3mnKhJ1X1ufFS5LJQqkEQJEj5N8mgjQCK6s4QwblqZLIHej/CCkMo=
Content-Type: multipart/alternative; boundary="_000_ED23A59908C64359B2CA4DF287E29608ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 18ddc4c9-d026-46bc-7d03-08d70531530c
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2019 12:22:49.7080 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3114
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/_IKdxq8ijaSwyiAHFfpSqAjKXoE>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 12:22:58 -0000

Hi,

Maybe we want to point out that token expiration and registration expiration are two separate things, but I don’t think they should be coupled.

Regards,

Christer

From: sipcore <sipcore-bounces@ietf.org> on behalf of Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wednesday, 10 July 2019 at 15.19
To: Olle Johansson <oej@edvina.net>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>, Roman Shpount <roman@telurix.com>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

The UA is expected to obtain a valid access token to get service, and should be able to use that to refresh its registration when the registration expires.
Is this coupling of expiry times needed?

Regards,
 Rifaat


On Wed, Jul 10, 2019 at 7:56 AM Olle E. Johansson <oej@edvina.net<mailto:oej@edvina.net>> wrote:



On 10 Jul 2019, at 13:50, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>> wrote:

When the UA authenticates to the AS, it obtains a number of tokens: access token and refresh token, and depends on the AS, maybe ID token.
It is the UAs responsibility to use the refresh token to obtain a new access token before the expiry of the existing access token.
Absolutely - my thought was what the server is supposed to do. Reading the STUN/Oauth docs, I see a requirement for expiry
being less than token validity time. In SIP REGISTER/SUBSCRIBE terms, the expiry time in SIP should be less
than the time the token is valid.

 If the token expires, the server needs to reauth or deny services. It is important that no services are delivered to an expired authentication.

/O


Regards,
 Rifaat


On Wed, Jul 10, 2019 at 2:44 AM Olle E. Johansson <oej@edvina.net<mailto:oej@edvina.net>> wrote:



On 10 Jul 2019, at 02:53, Roman Shpount <roman@telurix.com<mailto:roman@telurix.com>> wrote:

On Tue, Jul 9, 2019 at 8:30 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>> wrote:
The document clearly allows the use of access token to authenticate non-REGISTER requests when challenged in the context of the same realm.

Whether that is needed or not is a different discussion.
Assuming the UA was able to authenticate the user and obtain an access token, then establish an authenticated TLS channel with the server, and register the user; is there a need for further challenges from server?

When the token expires, you certainly need a new token from the user. With SIP Outbound, we’re more connection oriented than before, so we should propably consider what the
server does with the connection when a token expires (if it’s not already in the draft).
/O


Typically, for SIP, user authentication is not tied to the TLS connection. One of the reasons for this is that multiple users can use the same TLS connection in federated systems.. This is especially true for Confidential UA, which have trust relationship with a proxy and can maintain a secure connection to the registrar/proxy on behalf of multiple clients.

Once again, it would be much easier to discuss if you can provide a use specific case for OAuth with confidential UA. I can easily think of a OAuth use case for Public User Agent, but only have a vague idea what OAuth with Confidential UA would be.

The example I can think of, would be some sort of hot desk application, where user allows a Local PBX to register with User Home PBX to accept calls on behalf of user in a remote location. In this case, Local PBX and User Home PBX will be federated systems which will use a single TLS connection for multiple calls or end user devices.. Local PBX and User Home PBX will have a trust relationship, possibly with mutual TLS certificate authentications. A company wide directory server will be used to store actual user credentials and will be used to authenticate the user and generate the token.

Best Regards,
_____________
Roman Shpount

_______________________________________________
sipcore mailing list
sipcore@ietf.org<mailto:sipcore@ietf.org>
https://www.ietf.org/mailman/listinfo/sipcore

_______________________________________________
sipcore mailing list
sipcore@ietf.org<mailto:sipcore@ietf.org>
https://www.ietf.org/mailman/listinfo/sipcore

v2.23.0 | Report a Bug | By Email