Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-05.txt

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 05 November 2019 16:19 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D96871200C3 for <sipcore@ietfa.amsl.com>; Tue, 5 Nov 2019 08:19:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RNoS205KVIpm for <sipcore@ietfa.amsl.com>; Tue, 5 Nov 2019 08:19:04 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10063.outbound.protection.outlook.com [40.107.1.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7D3712001A for <sipcore@ietf.org>; Tue, 5 Nov 2019 08:19:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BEz/dy35izikpAVZFFq0T2hjh77dQJJ6FpaORZhCe45ugyqWmoprmpxcB6TpX3tW0UJtwyowGZCyjc2EzGM8OELA6h4FWS5aWE/0gzM9VtJgK/gtSb6+amlFd51Xq2FfaFDpnDNZXy6xBNibvGj5AAxEF5YCtvXvntmbRYJ33y3nXDqFaaGMLnNI7wIFp8MqR7k8yBR6edtLTVhZEGV4bchBNtiz3tN9ZC9ndtH9aRAnsmVyRVZajFxeLckGZ65ykSgZ+DJG2uvAoSRTocOqWIvz/FKyL7wSiwYwKzLUev7iE53CvHsXWPaYsa7j74X34J35J61Ys0cJZrTvm9ynaw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hMLTemjRVgPBeObyNp3r6KugpAPbfs9VPOoXfAOzlRI=; b=P1b9X04uKSkVRAA0QvFFE3XmkL/EsdMea2hTDbBB51Q0wXCmfaXmaNtZjFcCiavuMV5bJbf0fs9vPVbAIWCIxmjIRATYz4AIGvHzLJDq3aGWKZWbTXkO6MUMfej41MPAhX6iEOFLPOVj1aX9S7xCXik5FVXXMZDuWgp3OYckZUDxBndX4QVHTyOniNcO6LS81Km4w7PP0lkUYSbtS2n6hP6TsPMnIM3RzlOE2syLDaVf59xDeIhRrR/mZvG8P4KsZn7f92RLGLyny/nu4Be/V/zbddxs+K35FMjgdpHk2NA6o1cLyHvqkHjhSG77zo+vm9Ng/GHF/ulXYRemLDFnGA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hMLTemjRVgPBeObyNp3r6KugpAPbfs9VPOoXfAOzlRI=; b=iXCW6duOWBKmrJjPptbKCABLTPnZ+d6fju3peREnpsijMv2FT9hf5MRgT1xJGrWbO6txylwmdvqDY9Hp/5g0QQDxaSUyPnPpMk1Ns8YBTprenIEQLegM1g/EsDgxyZQM64PxptJnlbj64pS9YsNB0DbtiRz9J/uOe8Z9pJfTREQ=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3451.eurprd07.prod.outlook.com (10.170.245.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.16; Tue, 5 Nov 2019 16:19:00 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::2ca9:414:cc01:9706]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::2ca9:414:cc01:9706%4]) with mapi id 15.20.2430.014; Tue, 5 Nov 2019 16:19:00 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-05.txt
Thread-Index: AQHVis5uf+6u3SYhJ0+veNzfHpxaXadqh9YAgAjl5ICAABzfoYAJascA
Date: Tue, 05 Nov 2019 16:19:00 +0000
Message-ID: <F37CF633-8E70-4526-865F-E6DEE4B9BCBE@ericsson.com>
References: <157196467780.11350.16529563058309019910@ietfa.amsl.com> <CAGL6ep+4Mi0P-L0wKh1_M6Up1yg6Rv4w2+1wC5V+6Sgf5XYQKg@mail.gmail.com> <e43aff8b-87a4-65a2-1517-5e03bc2b11af@alum.mit.edu> <HE1PR07MB3161AA383EA72E8A74177A1593600@HE1PR07MB3161.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR07MB3161AA383EA72E8A74177A1593600@HE1PR07MB3161.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0bc97c56-4067-4afc-b947-08d7620bde23
x-ms-traffictypediagnostic: HE1PR07MB3451:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <HE1PR07MB3451F1A19EE4F65103CADFE3937E0@HE1PR07MB3451.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0212BDE3BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(346002)(366004)(39860400002)(136003)(189003)(199004)(6436002)(4001150100001)(66574012)(81156014)(26005)(229853002)(81166006)(102836004)(186003)(6116002)(3846002)(8676002)(2906002)(76176011)(2501003)(8936002)(6506007)(6486002)(14444005)(256004)(36756003)(478600001)(14454004)(25786009)(966005)(7736002)(606006)(71190400001)(71200400001)(5660300002)(66946007)(66476007)(66556008)(64756008)(66446008)(76116006)(58126008)(110136005)(316002)(99286004)(86362001)(44832011)(6512007)(486006)(66066001)(6246003)(33656002)(2616005)(54896002)(6306002)(236005)(446003)(2171002)(11346002)(476003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3451; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: qkNj8Jgccoax0CwrQS4zJWa9foo0JKJkXYPgv++jKjw3eNK7xd/qHQb3lWLMwwkibFBy1R8pgEv3qkLL7mQtqauuPX8enaQHZIZlbMP+hocUKelkXq8yBSNuqX9fQ48Nj1pVlrDUoVyNcTBAJsU/KP+p3umnMaqAGRjFYBbQUcLXB7LpmyzomaZS+nwZU80YwqakyRHdQpwsNyEfgF55GngAtc1CJ5FZ+Zq0678W59qB+ayLfiPQx/Lmo1NyrL4j0oXf1H2Z3BMXZcF/3aqA32vBZT5tAahTp0l5D9lqwwV/FZxqwjAo1smFQi12ZsOEAnNbCA9JUfkjNwTZJMoArsxAu8kT9lAt3pjm2yuQcde3quc6LSCkDEVa3Yyu6r3NxdLQ/1DabG233zCh6FaOXFcVXm0jC81C1Qg0XSuPV1C7cmFuQtY+NXC24xSfU1NePY9jQCkKT/JzDXDpfuwyZpYTRHYRiPljJmqBDNKFk2g=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_F37CF6338E704526865FE6DEE4B9BCBEericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0bc97c56-4067-4afc-b947-08d7620bde23
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2019 16:19:00.6400 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eqgDdIPTQTQZv4sBiyxG5AB6fulnXTrZY6Gt2NSd4il86eyWVIojJKE3EuWKrsRovDmtaMlsihF9KnxILu2ncpeIlNlJtUwibRUKpwbaC7E=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3451
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/rASrumnvHRKyK2q6xmWI36XFcRE>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-05.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 16:19:08 -0000

Paul,

Are you ok with the clarifications below?

We are trying to move the draft to WGLC, so we would appreciate if you could reply.

Regards,

Christer


From: sipcore <sipcore-bounces@ietf.org> on behalf of Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
Date: Wednesday, 30 October 2019 at 21.13
To: "pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-05.txt

Hi,

>I'm still struggling to understand what the expectations are of the UA
>in this process.
>
>IIUC, when the registrar/server/proxy generates a "Bearer" challenge
>specifying a particular AS, that implies that it has knowledge of that
>AS and how to deal with it. And it may well have relationships with
>multiple ASs, and challenge using them all. And there is an assumption
>that either UA or the *user* of the UA must have a relationship with at
>least one of the ASs to use for authentication.
Correct.

>My thought is that commonly the UA itself *won't* have a relationship
>with the AS. Rather it will expect the user to be the one to have that.
>In this case, can the UA have generic code that deals with any possible AS?
Yes. The interface between the UA and the AS is standardized.

>With web authentication I commonly experience an authentication popup
>that offers alternatives. (E.g., facebook or google or private local
>id/pw authentication.) The user then gets to pick one, and then
>authenticate with a corresponding AS. I am thinking the SIP process
>could be the same. The alternatives offered to the user would correspond
>to all the challenges (both Bearer and digest) for a single realm.
>
>Is this a use case you have in mind as being covered?
I assume that the registrar could offer multiple AS(s), and then the user chooses one that it has a relationship with. Especially if the operator is using 3rd party AS(s), like Facebook, Google etc.

However, the operator might also use its own AS (or have a relationship with a specific 3rd party AS), where the user relationship with the AS is part of the user subscription, and in that case the registrar most likely will only return that AS (because it knows the user has a relationship with it).

>(Of course, it may be that a UA is built to not depend on the user for
>authentication. In that case it must be preconfigured with credentials.
>But that isn't really different from preloading the credential cache.
>And I guess it might be configured to only work with a single AS.)
>
>Based on your updates, I think I get it that the result from the AS to
>the UA is access, refresh and possibly ID tokens, and that only the access
>token is destined to be included in bearer credentials. The UA must know
>to use the refresh token to refresh its access token. And the UA may
>know to use the ID token for something (what?). Is any of this
>knowledge AS-specific, or is it all generic?
It is part of the standardized OAuth procedures.

Regards,

Christer



> Regards,
>   Rifaat
>
>
> On Thu, Oct 24, 2019 at 8:52 PM <internet-drafts@ietf.org> wrote:
>
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Session Initiation Protocol Core WG
>     of the IETF.
>
>              Title           : Third-Party Token-based Authentication
>     and Authorization for Session Initiation Protocol (SIP)
>              Authors         : Rifaat Shekh-Yusef
>                                Christer Holmberg
>                                Victor Pascual
>              Filename        : draft-ietf-sipcore-sip-token-authnz-05.txt
>              Pages           : 14
>              Date            : 2019-10-24
>
>     Abstract:
>         This document updates RFC 3261 and defines a mechanism for SIP, that
>         is based on the OAuth 2.0 and OpenID Connect Core 1.0
>     specifications,
>         to enable the delegation of the user authentication and SIP
>         registration authorization to a dedicated third-party entity that is
>         separate from the SIP network elements that provide the SIP service.
>
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
>
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-05
>     https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-05
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-05
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org
>     https://www.ietf.org/mailman/listinfo/sipcore
>
>

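The exchange the replies above describe, as an added example in Python that is not code from the draft, its authors, or anyone in this thread: the registrar answers REGISTER with a 401 carrying one Bearer challenge per AS it has a relationship with plus a Digest challenge, the UA picks the Bearer challenge naming an AS the user has an account with and skips the rest, only the access token goes into the Authorization header, and the refresh token is used solely to renew an expired access token. Everything here is constructed for the simulation: the challenge parameter name authz_server is my assumption about how the draft names the AS (check the draft text for the actual syntax), the StubAS with HMAC-signed tokens stands in for a real OAuth 2.0 AS and for the registrar's token validation (introspection or JWT checking), and the SIP messages are minimal strings rather than full RFC 3261 messages.

```python
import base64, hashlib, hmac, json, re, secrets


def parse_challenge(value):
    """'Bearer realm="r", authz_server="u"' -> ("Bearer", {"realm": "r", "authz_server": "u"})."""
    scheme, _, rest = value.strip().partition(" ")
    return scheme, {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)}


class StubAS:  # stand-in for an OAuth 2.0 authorization server (constructed for this example)
    def __init__(self, uri, key):
        self.uri, self.key, self._refresh = uri, key, {}
    def _sign(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def issue(self, subject, now, ttl=60):
        """Token response as the UA receives it; only access_token is destined for SIP."""
        refresh = secrets.token_urlsafe(16)
        self._refresh[refresh] = subject
        return {"token_type": "Bearer", "expires_in": ttl, "refresh_token": refresh,
                "access_token": self._sign({"iss": self.uri, "sub": subject, "exp": now + ttl})}
    def refresh(self, refresh_token, now):
        """Trade a single-use refresh token for a new token set."""
        subject = self._refresh.pop(refresh_token, None)
        if subject is None:
            raise PermissionError("unknown or already-used refresh_token")
        return self.issue(subject, now)
    def verify(self, access_token, now):
        """Registrar-side check (stands in for introspection or JWT validation): MAC, then expiry."""
        body, _, tag = access_token.rpartition(".")
        if not hmac.compare_digest(tag, hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None


class Registrar:
    def __init__(self, realm, trusted_as):
        self.realm, self.trusted = realm, list(trusted_as)
    def challenge(self):
        """401 with one Bearer challenge per trusted AS, plus a Digest challenge as fallback."""
        hdrs = [f'WWW-Authenticate: Bearer realm="{self.realm}", authz_server="{a.uri}"' for a in self.trusted]
        hdrs.append(f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{secrets.token_hex(8)}", algorithm=SHA-256')
        return "SIP/2.0 401 Unauthorized\r\n" + "\r\n".join(hdrs) + "\r\n\r\n"
    def register(self, request, now):
        """200 if an AS the registrar trusts vouches for the bearer token, else 401."""
        m = re.search(r"^Authorization: Bearer (\S+)\r?$", request, re.M)
        return 200 if m and any(a.verify(m.group(1), now) for a in self.trusted) else 401


class UA:
    def __init__(self, aor, known_as):
        self.aor, self.known_as = aor, known_as  # known_as: the ASs the *user* has an account with
        self.as_, self.tokens, self.expires_at, self.refreshes = None, None, 0, 0
    def choose_as(self, response):
        """Pick the first Bearer challenge naming an AS the user has a relationship with."""
        for line in response.split("\r\n"):
            if line.startswith("WWW-Authenticate:"):
                scheme, p = parse_challenge(line.split(":", 1)[1])
                if scheme == "Bearer" and p.get("authz_server") in self.known_as:
                    return self.known_as[p["authz_server"]]
        return None  # nothing usable: a real UA would fall back to the Digest challenge
    def _store(self, tokens, now):
        self.tokens, self.expires_at = tokens, now + tokens["expires_in"]
    def register_request(self, registrar, now):
        if self.tokens is None:
            self.as_ = self.choose_as(registrar.challenge())
            if self.as_ is None:
                raise LookupError("no Bearer challenge for an AS the user knows")
            self._store(self.as_.issue(self.aor, now), now)  # the user's login at the AS is out of scope
        elif now >= self.expires_at:  # access token expired: renew it with the refresh token
            self._store(self.as_.refresh(self.tokens["refresh_token"], now), now)
            self.refreshes += 1
        return (f"REGISTER sip:{self.aor.split('@')[1]} SIP/2.0\r\n"
                f"Authorization: Bearer {self.tokens['access_token']}\r\n\r\n")


def run_scenario():
    """Constructed exchange: the registrar lists a third-party AS first and the operator AS second;
    the user has an account only at the operator one, so the UA must skip the first challenge."""
    operator = StubAS("https://as.operator.example", b"operator-signing-key")
    social = StubAS("https://as.social.example", b"social-signing-key")
    registrar = Registrar("sip.example.com", [social, operator])
    ua = UA("alice@sip.example.com", {operator.uri: operator})
    t0 = 1_700_000_000
    first = ua.register_request(registrar, t0)
    token = re.search(r"Bearer (\S+)", first).group(1)
    forged = first.replace(token, token[:-1] + ("0" if token[-1] != "0" else "1"))
    old_refresh = ua.tokens["refresh_token"]
    result = {"chosen_as": ua.as_.uri,
              "first": registrar.register(first, t0),
              "reuse": registrar.register(first, t0 + 30),    # same token, still before exp
              "expired": registrar.register(first, t0 + 90),  # same token after exp: rejected
              "forged": registrar.register(forged, t0),       # MAC mismatch: rejected
              "after_refresh": registrar.register(ua.register_request(registrar, t0 + 90), t0 + 90),
              "refreshes": ua.refreshes}
    try:
        operator.refresh(old_refresh, t0 + 90)  # replaying the already-consumed refresh token
        result["refresh_replay_rejected"] = False
    except PermissionError:
        result["refresh_replay_rejected"] = True
    return result
```

Two points the simulation makes that the prose only implies: the token is opaque to SIP, so the registrar can only accept it by asking an AS it trusts (here, by checking the MAC with each trusted AS's key); and the UA never needs AS-specific code, because choosing a challenge, presenting the access token, and renewing it with the refresh token are all driven by the standardized challenge parameters and the standard OAuth token response.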