draft-ietf-kitten-sasl-oauth-01.txt   draft-ietf-kitten-sasl-oauth-02.txt 
KITTEN W. Mills KITTEN W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track T. Showalter Intended status: Standards Track T. Showalter
Expires: December 1, 2012 Expires: February 5, 2013
H. Tschofenig H. Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
May 30, 2012 August 4, 2012
A SASL and GSS-API Mechanism for OAuth A SASL and GSS-API Mechanism for OAuth
draft-ietf-kitten-sasl-oauth-01 draft-ietf-kitten-sasl-oauth-02
Abstract Abstract
OAuth enables a third-party application to obtain limited access to a OAuth enables a third-party application to obtain limited access to a
protected resource, either on behalf of a resource owner by protected resource, either on behalf of a resource owner by
orchestrating an approval interaction, or by allowing the third-party orchestrating an approval interaction, or by allowing the third-party
application to obtain access on its own behalf. application to obtain access on its own behalf.
This document defines how an application client uses OAuth over the This document defines how an application client uses OAuth over the
Simple Authentication and Security Layer (SASL) or the Generic Simple Authentication and Security Layer (SASL) or the Generic
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 1, 2012. This Internet-Draft will expire on February 5, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 11 skipping to change at page 3, line 11
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7
3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8
3.1. Initial Client Response . . . . . . . . . . . . . . . . . 8 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 8
3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 8 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 9
3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 9 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 9
3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 9 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 9
3.2.2. Server response to failed authentication. . . . . . . 10 3.2.2. Server response to failed authentication. . . . . . . 10
3.3. Use of Signature Type Authorization . . . . . . . . . . . 10 3.3. Use of Signature Type Authorization . . . . . . . . . . . 10
3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 11 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 11
4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 12 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 13
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 13 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 14
5.2. MAC Authentication with Channel Binding . . . . . . . . . 13 5.2. MAC Authentication with Channel Binding . . . . . . . . . 14
5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 14 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 15
5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 15 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 17 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 18
7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 17 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 18
8. Appendix A -- Document History . . . . . . . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 8.1. Normative References . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 8.2. Informative References . . . . . . . . . . . . . . . . . . 20
9.2. Informative References . . . . . . . . . . . . . . . . . . 20 Appendix A. Document History . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain
limited access to a protected resource, either on behalf of a limited access to a protected resource, either on behalf of a
resource owner by orchestrating an approval interaction, or by resource owner by orchestrating an approval interaction, or by
allowing the third-party application to obtain access on its own allowing the third-party application to obtain access on its own
behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not
define the interaction between the client and the resource server define the interaction between the client and the resource server
with the access to a protected resource using an Access Token. This with the access to a protected resource using an Access Token. This
skipping to change at page 8, line 17 skipping to change at page 8, line 17
SASL is used as a generalized authentication method in a variety of SASL is used as a generalized authentication method in a variety of
application layer protocols. This document defines two SASL application layer protocols. This document defines two SASL
mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The
"OAUTH" SASL mechanism enables OAuth authorizattion schemes for SASL, "OAUTH" SASL mechanism enables OAuth authorizattion schemes for SASL,
"OAUTH-PLUS" adds channel binding [RFC5056] capability for additional "OAUTH-PLUS" adds channel binding [RFC5056] capability for additional
security guarantees. security guarantees.
3.1. Initial Client Response 3.1. Initial Client Response
Client responses are a key/value pair sequence. These key/value Client responses are a key/value pair sequence. These key/value
pairs carry the equivalent values form an HTTP context in order to be pairs carry the equivalent values from an HTTP context in order to be
able to complete an OAuth style HTTP authorization. The ABNF able to complete an OAuth style HTTP authorization. The ABNF
[RFC2234] syntax is: [RFC5234] syntax is
kvsep = %x01 kvsep = %x01
key = 1*ALPHA key = 1*ALPHA
value = *(VCHAR | SP | HTAB | CR | LF ) value = *(VCHAR | SP | HTAB | CR | LF )
kvpair = key "=" value kvsep kvpair = key "=" value kvsep
client_resp = 1*kvpair kvsep client_resp = 1*kvpair kvsep
The following key/value pairs are defined in the client response: The following key/value pairs are defined in the client response:
auth (REQUIRED): The payload of the HTTP Authorization header for auth (REQUIRED): The payload of the HTTP Authorization header for
an equivalent HTTP OAuth authroization. an equivalent HTTP OAuth authroization.
user (REQUIRED): Contains the user name being authenticated. The
server MAY use this as a routing or database lookup hint. The
server MUST NOT use this as authoritative, the user name MUST
be asserted by the OAuth credential.
host: Contains the host name to which the client connected. host: Contains the host name to which the client connected.
port: Contains the port number represented as a decimal positive port: Contains the port number represented as a decimal positive
integer string without leading zeros to which the client integer string without leading zeros to which the client
connected. connected.
In authorization schemes that use signatures, the client MUST send In authorization schemes that use signatures, the client MUST send
host and port number key/values, and the server MUST fail host and port number key/values, and the server MUST fail an
authorization request requiring signatures that do not have host and authorization request requiring signatures that does not have host
port values. and port values.
3.1.1. Reserved Key/Values in OAUTH 3.1.1. Reserved Key/Values in OAUTH
In the OAUTH mechanism values for path, query string and post body In the OAUTH mechanism values for path, query string and post body
are assigned default values. OAuth authorization schemes MAY define are assigned default values. OAuth authorization schemes MAY define
usage of these in the SASL context and extend this specification. usage of these in the SASL context and extend this specification.
For OAuth schemes that use request signatures the default values MUST For OAuth schemes that use request signatures the default values MUST
be used unless explict values are provided in the client response. be used unless explict values are provided in the client response.
The following key values are reserved for future use: The following key values are reserved for future use:
skipping to change at page 9, line 38 skipping to change at page 9, line 45
completing the SASL negotiation. The authentication scheme MUST completing the SASL negotiation. The authentication scheme MUST
carry the user ID to be used as the authorization identity (identity carry the user ID to be used as the authorization identity (identity
to act as). The server MUST use the ID obtained from the credential to act as). The server MUST use the ID obtained from the credential
as the user being authorized. as the user being authorized.
3.2.1. Mapping to SASL Identities 3.2.1. Mapping to SASL Identities
Some OAuth mechanisms can provide both an authorization identity and Some OAuth mechanisms can provide both an authorization identity and
an authentication identity. An example of this is OAuth 1.0a an authentication identity. An example of this is OAuth 1.0a
[RFC5849] where the consumer key (oauth_consumer_key) identifies the [RFC5849] where the consumer key (oauth_consumer_key) identifies the
entity using to token which equates to the SASL authentication entity using the token which equates to the SASL authentication
identity, and is authenticated using the shared secret. The identity, and is authenticated using the shared secret. The
authorization identity in the OAuth 1.0a case is carried in the token authorization identity in the OAuth 1.0a case is carried in the token
(per the requirement above), which SHOULD validated independently. (per the requirement above), which SHOULD be validated independently.
The server MAY use a consumer key, a value derived from it, or other The server MAY use a consumer key, a value derived from it, or other
comparable identity in the OAuth authorization scheme as the SASL comparable identity in the OAuth authorization scheme as the SASL
authentication identity. If an appropriate authentication identity authentication identity. If an appropriate authentication identity
is not available the server MUST use the authorization identity as is not available the server MUST use the authorization identity as
the wuthentication identity. the authentication identity.
3.2.2. Server response to failed authentication. 3.2.2. Server response to failed authentication.
For a failed authentication the server returns a JSON [RFC4627] For a failed authentication the server returns a JSON [RFC4627]
formatted error result, and fails the authentication. The error formatted error result, and fails the authentication. The error
result consists of the following values: result consists of the following values:
status (REQUIRED): The authorization error code. Valid error status (REQUIRED): The authorization error code. Valid error
codes are defined in the IANA [[need registry name]] registry codes are defined in the IANA [[need registry name]] registry
specified in the OAuth 2 core specification. specified in the OAuth 2 core specification.
schemes (REQUIRED): A space separated list of the OAuth
authroization schemes supported by the server, i.e. "bearer" or
"bearer mac".
scope (OPTIONAL): The OAuth scope required to access the service. scope (OPTIONAL): The OAuth scope required to access the service.
If the resource server provides a scope the client SHOULD always If the resource server provides a scope the client SHOULD always
request scoped tokens from the token endpoint. The client MAY use a request scoped tokens from the token endpoint. The client MAY use a
scope other than the one provided by the resource server. Scopes scope other than the one provided by the resource server. Scopes
other than those advertised by the resource server are be defined by other than those advertised by the resource server are be defined by
the resource owner and provided in service documentation or discovery the resource owner and provided in service documentation or discovery
information (which is beyond the scope of this memo). If not present information (which is beyond the scope of this memo). If not present
then the client SHOULD presume an empty scope (unscoped token) is then the client SHOULD presume an empty scope (unscoped token) is
needed. needed.
skipping to change at page 18, line 5 skipping to change at page 19, line 5
Note: None Note: None
7.2. GSS-API Registration 7.2. GSS-API Registration
IANA is further requested to assign an OID for this GSS mechanism in IANA is further requested to assign an OID for this GSS mechanism in
the SMI numbers registry, with the prefix of the SMI numbers registry, with the prefix of
iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to
reference this specification in the registry. reference this specification in the registry.
8. Appendix A -- Document History 8. References
[[ to be removed by RFC editor before publication as an RFC ]]
-01
o Ripping out discovery. Changed to refer to I-D.jones-appsawg-
webfinger instead of WF and SWD older drafts.
o Replacing HTTP as the message format and adjusted all examples.
-00
o Renamed draft into proper IETF naming format now that it's
adopted.
o Minor fixes.
-00
o Initial revision
9. References
9.1. Normative References 8.1. Normative References
[I-D.ietf-oauth-v2] [I-D.ietf-oauth-v2]
Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth Hardt, D., "The OAuth 2.0 Authorization Framework",
2.0 Authorization Framework", draft-ietf-oauth-v2-26 (work draft-ietf-oauth-v2-31 (work in progress), August 2012.
in progress), May 2012.
[I-D.ietf-oauth-v2-bearer] [I-D.ietf-oauth-v2-bearer]
Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Authorization Protocol: Bearer Tokens", Framework: Bearer Token Usage",
draft-ietf-oauth-v2-bearer-19 (work in progress), draft-ietf-oauth-v2-bearer-23 (work in progress),
April 2012. August 2012.
[I-D.ietf-oauth-v2-http-mac] [I-D.ietf-oauth-v2-http-mac]
Hammer-Lahav, E., "HTTP Authentication: MAC Access Hammer-Lahav, E., "HTTP Authentication: MAC Access
Authentication", draft-ietf-oauth-v2-http-mac-01 (work in Authentication", draft-ietf-oauth-v2-http-mac-01 (work in
progress), February 2012. progress), February 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication", Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999. RFC 2617, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
skipping to change at page 20, line 6 skipping to change at page 19, line 51
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007. Channels", RFC 5056, November 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010. GS2 Mechanism Family", RFC 5801, July 2010.
[RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849,
April 2010. April 2010.
skipping to change at page 20, line 28 skipping to change at page 20, line 27
for TLS", RFC 5929, July 2010. for TLS", RFC 5929, July 2010.
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
9.2. Informative References 8.2. Informative References
[I-D.jones-appsawg-webfinger] [I-D.jones-appsawg-webfinger]
Jones, P., Salgueiro, G., and J. Smarr, "WebFinger", Jones, P., Salgueiro, G., and J. Smarr, "WebFinger",
draft-jones-appsawg-webfinger-05 (work in progress), draft-jones-appsawg-webfinger-06 (work in progress),
May 2012. June 2012.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
Appendix A. Document History
[[ to be removed by RFC editor before publication as an RFC ]]
-02
o Added the user data element back in.
o Minor editorial changes.
-01
o Ripping out discovery. Changed to refer to I-D.jones-appsawg-
webfinger instead of WF and SWD older drafts.
o Replacing HTTP as the message format and adjusted all examples.
-00
o Renamed draft into proper IETF naming format now that it's
adopted.
o Minor fixes.
-00
o Initial revision
Authors' Addresses Authors' Addresses
William Mills William Mills
Yahoo! Inc. Yahoo! Inc.
Phone: Phone:
Email: wmills@yahoo-inc.com Email: wmills@yahoo-inc.com
Tim Showalter Tim Showalter
 End of changes. 23 change blocks. 
65 lines changed or deleted 79 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/