Re: [sipcore] A SIP OAuth use case

I understand that OAuth can be altered from its basic flows to provide tokens for OpenID, and IdP could be bound to OAuth, and while this is all very interesting it doesn't change much about the requirements discussion I think we need to have: the one about what kinds of use cases we want to satisfy and who the relying parties are in those cases. Once we understand that, we will understand what tools are applicable to these use cases - preferably, not tools that need to be twisted into a different shape to be applicable.

It would helpful, in the enterprise SSO case, for us to understand what kinds of application servers a user might need to access, and what exactly those application servers need to know about the user in order to accomplish their function.

Jon Peterson
Neustar, Inc.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>
Date: Thursday, September 4, 2014 at 8:31 AM
To: Jon Peterson <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>, "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Subject: Re: [sipcore] A SIP OAuth use case

On Wed, Sep 3, 2014 at 4:00 PM, Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> wrote:

While I would echo Paul's thoughts below about the plausibility of service
providers using this model to authorize recording, I also agree that
third-party recording is an excellent example of a service architecture
that requires an authorization mechanism like OAuth. An end user needs to
authorize a third party to participate in the session under certain
constraints, and coordinate the association between the third party and
the VoIP service. This example also (rightly, in my opinion) conducts the
majority of the flow in HTTP where it belongs.

I agree with that.

Many of the use cases under discussion in this thread, though, are of the
form where there are really only two involved parties: an end user and a
service provider. If you are my service provider, then in traditional SIP
I share a secret with you that I use to REGISTER my devices. I don't think
you need OAuth for that.

If you assume that there is one server that provides all the services, then you are right.
But that is not the case all the time. I think that Dale articulated that clearly in the following response:
http://www.ietf.org/mail-archive/web/sipcore/current/msg06233.html

I do understand that OAuth 2.0 is used in the
wild for SSO, though I sympathize with Matt that the base flow shown in
RFC6749 Sec 1.2 just doesn't map onto the requirements for SSO.

I agree that the OAuth 2.0 "as is" does not address the SSO requirements.
The SIP OAuth proposal is not just using OAuth 2.0 "as is", but it is extending the framework to authenticate and provide a *user* specific token.

Since Matt mentioned OpenID few times, I looked at the OpenID specification.
What they are doing there is that they defined a new token, called ID Token, that is associated with the *user*; which is exactly what the SIP OAuth proposal is doing.
http://openid.net/specs/openid-connect-core-1_0.html#IDToken

My plan is to use the same terminology, ID Token, in the next version of the SIP OAuth document to clarify that, and to differentiate it from the access token.

I think, though, we might usefully break uses cases here down by who the
intended relying party is:

- The user's own SIP service provider (my enterprise, my carrier, my OTT
provider)
- A third party that a user wants to authorize for a service (recording
service... But anything else?)

I would also append some use cases where the relying party:

- Someone with no association with the user (caller ID sorts of cases)

This last is where I've argued things like IdP might be relevant.

EKR has a nice description for binding IdP to OAuth in his WebRTC Security Architecture document here:
https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#appendix-A.2

We could use the same idea for SIP.

Regards,
 Rifaat

Are there any other high-level buckets of use cases here?

Jon Peterson
Neustar, Inc.

On 8/25/14, 11:44 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:

>On 8/25/14 11:50 AM, Rifaat Shekh-Yusef wrote:
>> Hi Matt,
>>
>> The use case and the solution provided assumes that the VoIP Provider
>> makes the decision on when and what to record.
>> While this is a valid use case, there are other use cases that allow the
>> user to decide on when and what to record; take a look at RFC6341 for
>> more info.
>> http://datatracker.ietf.org/doc/rfc6341/
>
>SIPREC supports numerous topologies.
>It would support the one that Matt outlines as well as end-user
>controlled ones.
>
>I found Matt's use case interesting. I think it would be nice if such
>services were available in that form. But I have difficulty imagining
>any of the VoIP providers I'm aware of supporting this model. My
>impression is that this means that they are giving up a value added
>revenue market, that they are loath to do. The most likely justification
>I can imagine that they don't want to legal consequences of doing
>recording.
>
>       Thanks,
>       Paul
>
>> For these use cases, where the user is in control, you need to away to
>> authenticate and control which users are allowed to record and the level
>> of service provided for that specific user.
>> This is where the solutions provided in section 3 or section 4 of the
>> SIP OAuth proposal come into play.
>> Obviously, in this case the authorization server is different from
>> authorization server used to establish the trust relationship between
>> the VoIP Provider and the CRS Provider.
>> In this case, the authorization server must authenticate the user and
>> provide his UA with an access token or a code that controls the user's
>> access to the service.
>>
>> Regards,
>>   Rifaat
>>
>>
>>
>> On Sat, Aug 23, 2014 at 9:05 AM, Matt Ryan <ietf@mvryan.org<mailto:ietf@mvryan.org>
>> <mailto:ietf@mvryan.org<mailto:ietf@mvryan.org>>> wrote:
>>
>>     Included is the use case I spoke of before.  My apologies for the
>>delay.
>>
>>     This is written as though it could be included in
>>     [draft-yusef-sipcore-sip-oauth] at section 6.
>>
>>
>>     6. Examples
>>
>>     6.1. Example: Call Recording Service
>>
>>     This example illustrates the use of SIP OAuth between three
>>     parties:  A hosted VoIP service provider, a Call Recording Service
>>     provider, and a phone system end-user.  In this example:
>>     - The phone system end-user is a customer of both the hosted VoIP
>>     provider and the Call Recording Service provider
>>     - The hosted VoIP service provider is a standard provider of hosted
>>     business-class VoIP telephone service using SIP
>>     - The Call Recording Service provider is a distinct entity from the
>>     hosted VoIP provider
>>
>>     The Call Recording Service provides to customers both the call
>>     recording abilities and management of call recordings
>>     (configuration, sharing and distribution, retention, etc.).  This
>>     service can accept and record RTP traffic, associate all RTP streams
>>     with a single call together, and store and catalog the recorded data
>>     for future searching and retrieval.  The service also offers a web
>>     interface where customers may view and retrieve stored calls.
>>     Stored calls may range from simple person-to-person voice calls to
>>     multi-party conferences with a multitude of audio and video
>>     streams.  In this example, customers are billed based on the amount
>>     of data they store, although other models are certainly possible.
>>
>>     6.1.1. OAuth 2.0 Roles
>>
>>     In this example, each party assumes the following OAuth 2.0 roles as
>>     defined in [RFC6749] Section 1.1:
>>     - The end-user assumes the role of resource owner
>>     - The hosted VoIP service provider assumes the role of client
>>     - The Call Recording Service provider assumes the role of resource
>>     server as well as the role of authorization server
>>
>>     6.1.2. Description
>>
>>     There are two parts to the example:  Initial configuration and
>>     real-time recording authorization.
>>
>>     Each section includes a simplified flow diagram for the purpose of
>>     describing the corresponding portion of the example.  For the sake
>>     of brevity, certain parts of the OAuth dialog have been eliminated.
>>     Implements should refer to [RFC6749] for details on OAuth.
>>
>>     6.1.2.1 Initial Configuration
>>
>>        +-------------+     +---------------+     +--------------+
>>        |  End-User   |     | VoIP Provider |     | CRS Provider |
>>        | Web Browser |     |    Website    |     |              |
>>        +-------------+     +---------------+     +--------------+
>>               |                    |                     |
>>               | HTTP 1             |                     |
>>               | (Configure CRS)    |                     |
>>               |------------------->|                     |
>>               |                    |                     |
>>               | HTTP 2             |                     |
>>               | (OAuth Redirect    |                     |
>>               |  to CRS Website)   |                     |
>>               |<-------------------|                     |
>>               |                    |                     |
>>               | HTTP 3             |                     |
>>               | (Authorize SIP from VoIP provider        |
>>               |----------------------------------------->|
>>               |                    |                     |
>>               | HTTP 4             |                     |
>>               | (OAuth Redirect back to VoIP portal)     |
>>               |<-----------------------------------------|
>>               |                    |                     |
>>               | HTTP 5             |                     |
>>               |------------------->|                     |
>>               |                    | HTTP 6              |
>>               |                    | (Request Access and |
>>               |                    |  refresh tokens)    |
>>               |                    |-------------------->|
>>               |                    |                     |
>>
>>     Some time after having signed up for both services, but prior to
>>     attempting to record any calls, the end-user logs into the web
>>     portal of the hosted VoIP provider with a web browser and configures
>>     their call recording service (HTTP 1).  This configuration includes
>>     providing a URI where the call recording service may be reached,
>>     along with a set of API credentials, provided by the call recording
>>     service, which will allow the client to initiate an OAuth exchange.
>>     The end-user also configures the conditions under which call
>>     recordings should take place.  For example, the end-user may request
>>     to record every multi-party (conference) call, or every call
>>     involving a specific set of users.  The end-user may also specify
>>     other restrictions, such as restricting codec negotiation to G.711u
>>     for audio and H.264 for video in order to record the RTP streams.
>>     Once the end-user saves the configuration, the hosted VoIP provider
>>     web portal redirects the end-user's web browser to the call
>>     recording service website and a standard HTTP OAuth dialog begins
>>     (HTTP 2).  The end-user authorizes the hosted VoIP provider to
>>     access (i.e. send SIP and RTP traffic to) the call recording
>>     service, for the purpose of recording calls, so long as the
>>     configured conditions are met (HTTP 3).  The result of this
>>     interaction is that the hosted VoIP provider ends up receiving an
>>     OAuth access token and refresh token from the call recording service
>>     (HTTP 4, HTTP 5, HTTP 6).  These tokens are saved in the end-user's
>>     hosted VoIP account database.
>>
>>     6.1.2.2 Real-time Recording Authorization
>>
>>        +-------------+     +---------------+      +--------------+
>>        |  End-User   |     | VoIP Provider |      | CRS Provider |
>>        |  SIP Phone  |     |    Website    |      |              |
>>        +-------------+     +---------------+      +--------------+
>>               |                    |                      |
>>               | SIP INVITE 1       |                      |
>>               |------------------->|                      |
>>               |                    | SIP INVITE 2         |
>>               |                    | (with access token)  |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 401 Unauthorized |
>>               |                    |<---------------------|
>>               |                    |                      |
>>               |                    | SIP INVITE 3         |
>>               |                    | (with refresh token) |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 200 1            |
>>               |                    | (new access token)   |
>>               |                    |<---------------------|
>>               |                    |                      |
>>               |                    | SIP INVITE 4         |
>>               |                    | (with access token)  |
>>               |                    |--------------------->|
>>               |                    |                      |
>>               |                    | SIP 200 2            |
>>               |                    |<---------------------|
>>               |                    |                      |
>>
>>     Independently of and after the initial configuration phase, the
>>     end-user makes a telephone call using the hosted VoIP provider (SIP
>>     INVITE 1).  When this call takes place, the hosted VoIP provider
>>     looks to see whether it believes this call should be recorded.  If
>>     so, at this point it would branch the call session to the call
>>     recording service, using SIP OAuth to pass the previously provided
>>     access token for authorization (SIP INVITE 2).  Once the access
>>     token is validated by the call recording service (perhaps after
>>     first providing a new access token based on receipt of a valid
>>     refresh token), the call recording service will check the rights
>>     that were previously authorized and examine the SIP to determine
>>     whether it can accept the call.  If so, it completes the
>>     establishment of the session and begins receiving and recording the
>>     RTP stream(s) (SIP 200 OK).  The call recording service provider
>>     could also deny the request, either because the tokens are invalid
>>     or because the content of
>>       the SIP invite does not match the previously authorized
>>     conditions, in which case a SIP 403 would be returned by the call
>>     recording service provider and the call would not be recorded -
>>     however, the initial call branch would continue without
>>interruption.
>>
>>     Note:
>>     [RFC6749] specifies that when a client uses a refresh token to
>>     request a new access token, the response is HTTP 200 with the new
>>     access token and optionally a new refresh token included in the
>>     payload.  In this example, a SIP 200 response (SIP 200 1) is sent
>>     which contains the new token(s).  However, this could be confusing
>>     as SIP 200 is generally viewed as the acceptance of the INVITE,
>>     which is not what is happening in this case.  Should SIP 200 be used
>>     for consistency, or should another mechanism be used?
>>
>>     6.1.3. Justification
>>
>>     6.1.3.1. Hosted VoIP Service Provider
>>
>>     In this example, the hosted VoIP service provider can allow their
>>     customers to enable call recording in their VoIP service by
>>     selecting from any of a number of supported call recording service
>>     providers.  This allows the hosted VoIP service provider to offer
>>     this feature to customers without requiring that the hosted VoIP
>>     service provider implement and support this feature themselves.
>>
>>     6.1.3.2. Call Recording Service Provider
>>
>>     In this example, the Call Recording Service provider can focus on
>>     value and innovation in the area of recording calls and managing
>>     recorded calls without having to build a full-featured telephony
>>     offering.
>>
>>     6.1.3.3. Customer
>>
>>     In this example, the customer has more flexibility in choosing a
>>     complete solution that meets all of the customer needs.  The
>>     customer does not have to settle for a substandard call recording
>>     service offering in order to obtain other features they seek in a
>>     hosted VoIP provider, and vice versa.
>>
>>     6.1.4. Variants
>>
>>     A simple variant of this example is one wherein one of the services
>>     (either the VoIP service or the call recording service) is managed
>>     directly by the end-user, but the other is not.  For example, the
>>     end-user may wish to make use of an external hosted VoIP service
>>     provider, but may have business or legal reasons that forbid the
>>     end-user from allowing a third party to store and manage recorded
>>     calls.  The end-user could choose to set up their own call recording
>>     service as described in this example, and use SIP OAuth to
>>     facilitate interaction between the hosted VoIP service and the
>>     end-user's own call recording service.
>>
>>     6.2. Other SIP OAuth examples
>>
>>     Many other SIP-based services could leverage SIP OAuth to provide
>>     value-added service to an end-user of a hosted VoIP service
>>     provider.  Some examples of these types of services are listed
>>below.
>>
>>     Voicemail service provider:  The end-user configures their hosted
>>     VoIP service provider to manage voicemail through a separate
>>     voicemail service provider, which chooses whether to store voicemail
>>     based on existing quotas, Caller ID, etc.
>>
>>     Conferencing service provider:  A conferencing service may wish to
>>     bill customers in a more granular fashion, for example, based on the
>>     number of participants and attendees in a conference, the duration
>>     of conference, whether video was also included, which codecs were
>>     being used, etc. instead of a flat monthly rate.  SIP OAuth would
>>     facilitate metered authorization for a client's use of the service,
>>     instead of all-or-nothing access.
>>
>>     Call center service provider:  A third party may provide ring groups
>>     or call queues for a hosted VoIP provider along with detailed
>>     reports and dashboards.  The end-user uses OAuth over SIP to control
>>     who can log into which queues or ring groups, etc.
>>
>>
>>
>>     --
>>     Matt Ryan
>>     code slinger | zoomulus.com<http://zoomulus.com> <http://zoomulus.com>
>>     ietf at mvryan dot org
>>
>>
>>
>>
>>     _______________________________________________
>>     sipcore mailing list
>>     sipcore@ietf.org<mailto:sipcore@ietf.org> <mailto:sipcore@ietf.org<mailto:sipcore@ietf.org>>
>>     https://www.ietf.org/mailman/listinfo/sipcore
>>
>>
>>
>>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org<mailto:sipcore@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sipcore
>>
>
>_______________________________________________
>sipcore mailing list
>sipcore@ietf.org<mailto:sipcore@ietf.org>
>https://www.ietf.org/mailman/listinfo/sipcore

_______________________________________________
sipcore mailing list
sipcore@ietf.org<mailto:sipcore@ietf.org>
https://www.ietf.org/mailman/listinfo/sipcore