Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 13:57 UTC

Hi,

>    This discussion is wandering in many directions. I don't know very much
>    (anything?) about OAuth so it is pretty abstract for me. But what is
>    becoming clear is that the people discussing this have *many* unstated
>    assumptions about how this is to work and how it is to be used. And
>    those don't appear to be well aligned with one another.
>    
>    I've been pushing for more of these assumptions (and implications) to be
>    written down in the document. I still want that. But I'm beginning to
>    think that the issue is bigger than what is likely to fit into this
>    document as it is currently conceived.
>    
>    I think what may be needed is a framework document. (Perhaps "Framework
>    for using OAuth(2?) with SIP", though maybe that isn't quite right. This
>    would discuss why this is important, how it relates to the SIP
>    environment, how it fits into a broader authentication environment, etc.
Let's try to document and clarify everything we need in this document.

The draft tries to map the OAuth architecture to the SIP architecture. If something is unclear we should of course clarify it.

Regards,

Christer

    On 7/11/19 7:49 AM, Olle E. Johansson wrote:
    > 
    > 
    >> On 11 Jul 2019, at 13:25, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
    >>
    >> Hi,
    >>
    >>>>>>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In
    >>>>>>> OpenID connect both the access and identity token are JWTs.
    >>>>>>> We can either specify specific claims that are standardised for various SIP functions or let that be open for
    >>>>>>> the SIP implementors to specify or a combination.
    >>>>>>
    >>>>>> For backward compatibility, we should at least let SIP implementors specify
    >>>>> Maybe, but at least we should write something about the usage of claims and scopes.
    >>>>> I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
    >>>>> “this is also a SIP identity"
    >>>>
    >>>>    Perhaps we can add some text about scope and claims, but I don't want to mandate usage of specific values, because that
    >>>>    may not be backward compatible with existing implementations using JWT.
    >>>
    >>> We can mandate *if* the access token is a jwt (and there’s an identity token like OpenID Connect).
    >>
    >>     It may not work with existing implementations that DO use JWT access tokens (not sure whether they use OpenID Connect, though).
    > 
    > Ok, you are making me interested - what are these implementations?
    > When writing a new standard document, should we really be blocked by pre-standard implementations? I would assume that we
    > should be inspired by them, learn by their experiences, but not be hindered by them.
    > 
    >>
    >>>> I see interoperability problems if every implementation is using different data structures for stuff like SIP AOR, SIP usage claim
    >>>> and maybe a few more that we will come up with as we continue working. Standardizing some of these basic data points in tokens will help interoperability.
    >>>
    >>> If the access token is a random blob we don’t require any change.
    >>>
    >>> In addition I think we should change the “sip.token” label to something more specific like “sip.oauth2”.
    >>
    >>     I think it was me who suggested to use sip.token, but I don't have a strong opinion about it. It was added recently, so existing implementations currently don't use it anyway.
    > 
    > We have already been confused by discussions about “the token” when in fact there are multiple tokens…
    > 
    > /O
    > _______________________________________________
    > sipcore mailing list
    > sipcore@ietf.org
    > https://www.ietf.org/mailman/listinfo/sipcore
    > 