--- 1/draft-ietf-kitten-sasl-oauth-01.txt 2012-08-04 08:14:21.701425966 +0200 +++ 2/draft-ietf-kitten-sasl-oauth-02.txt 2012-08-04 08:14:21.733425849 +0200 @@ -1,21 +1,21 @@ KITTEN W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track T. Showalter -Expires: December 1, 2012 +Expires: February 5, 2013 H. Tschofenig Nokia Siemens Networks - May 30, 2012 + August 4, 2012 A SASL and GSS-API Mechanism for OAuth - draft-ietf-kitten-sasl-oauth-01 + draft-ietf-kitten-sasl-oauth-02 Abstract OAuth enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction, or by allowing the third-party application to obtain access on its own behalf. This document defines how an application client uses OAuth over the Simple Authentication and Security Layer (SASL) or the Generic @@ -39,21 +39,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 1, 2012. + This Internet-Draft will expire on February 5, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -62,41 +62,41 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 8 - 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 8 + 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 9 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 9 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 9 3.2.2. Server response to failed authentication. . . . . . . 10 3.3. Use of Signature Type Authorization . . . . . . . . . . . 10 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 11 - 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 12 - 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 - 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 13 - 5.2. MAC Authentication with Channel Binding . . . . . . . . . 13 - 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 14 - 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 15 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 - 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 17 - 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 17 - 8. Appendix A -- Document History . . . . . . . . . . . . . . . . 18 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 - 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 - 9.2. Informative References . . . . . . . . . . . . . . . . . . 20 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 + 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 13 + 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 14 + 5.2. MAC Authentication with Channel Binding . . . . . . . . . 14 + 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 15 + 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 16 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 + 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 18 + 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 18 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 19 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 20 + Appendix A. Document History . . . . . . . . . . . . . . . . . . 21 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 1. Introduction OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction, or by allowing the third-party application to obtain access on its own behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not define the interaction between the client and the resource server with the access to a protected resource using an Access Token. This @@ -247,45 +247,50 @@ SASL is used as a generalized authentication method in a variety of application layer protocols. This document defines two SASL mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The "OAUTH" SASL mechanism enables OAuth authorizattion schemes for SASL, "OAUTH-PLUS" adds channel binding [RFC5056] capability for additional security guarantees. 3.1. Initial Client Response Client responses are a key/value pair sequence. These key/value - pairs carry the equivalent values form an HTTP context in order to be + pairs carry the equivalent values from an HTTP context in order to be able to complete an OAuth style HTTP authorization. The ABNF - [RFC2234] syntax is: + [RFC5234] syntax is kvsep = %x01 key = 1*ALPHA value = *(VCHAR | SP | HTAB | CR | LF ) kvpair = key "=" value kvsep client_resp = 1*kvpair kvsep The following key/value pairs are defined in the client response: auth (REQUIRED): The payload of the HTTP Authorization header for an equivalent HTTP OAuth authroization. + user (REQUIRED): Contains the user name being authenticated. The + server MAY use this as a routing or database lookup hint. The + server MUST NOT use this as authoritative, the user name MUST + be asserted by the OAuth credential. + host: Contains the host name to which the client connected. port: Contains the port number represented as a decimal positive integer string without leading zeros to which the client connected. In authorization schemes that use signatures, the client MUST send - host and port number key/values, and the server MUST fail - authorization request requiring signatures that do not have host and - port values. + host and port number key/values, and the server MUST fail an + authorization request requiring signatures that does not have host + and port values. 3.1.1. Reserved Key/Values in OAUTH In the OAUTH mechanism values for path, query string and post body are assigned default values. OAuth authorization schemes MAY define usage of these in the SASL context and extend this specification. For OAuth schemes that use request signatures the default values MUST be used unless explict values are provided in the client response. The following key values are reserved for future use: @@ -313,40 +318,44 @@ completing the SASL negotiation. The authentication scheme MUST carry the user ID to be used as the authorization identity (identity to act as). The server MUST use the ID obtained from the credential as the user being authorized. 3.2.1. Mapping to SASL Identities Some OAuth mechanisms can provide both an authorization identity and an authentication identity. An example of this is OAuth 1.0a [RFC5849] where the consumer key (oauth_consumer_key) identifies the - entity using to token which equates to the SASL authentication + entity using the token which equates to the SASL authentication identity, and is authenticated using the shared secret. The authorization identity in the OAuth 1.0a case is carried in the token - (per the requirement above), which SHOULD validated independently. + (per the requirement above), which SHOULD be validated independently. The server MAY use a consumer key, a value derived from it, or other comparable identity in the OAuth authorization scheme as the SASL authentication identity. If an appropriate authentication identity is not available the server MUST use the authorization identity as - the wuthentication identity. + the authentication identity. 3.2.2. Server response to failed authentication. For a failed authentication the server returns a JSON [RFC4627] formatted error result, and fails the authentication. The error result consists of the following values: status (REQUIRED): The authorization error code. Valid error codes are defined in the IANA [[need registry name]] registry specified in the OAuth 2 core specification. + schemes (REQUIRED): A space separated list of the OAuth + authroization schemes supported by the server, i.e. "bearer" or + "bearer mac". + scope (OPTIONAL): The OAuth scope required to access the service. If the resource server provides a scope the client SHOULD always request scoped tokens from the token endpoint. The client MAY use a scope other than the one provided by the resource server. Scopes other than those advertised by the resource server are be defined by the resource owner and provided in service documentation or discovery information (which is beyond the scope of this memo). If not present then the client SHOULD presume an empty scope (unscoped token) is needed. @@ -660,68 +669,42 @@ Note: None 7.2. GSS-API Registration IANA is further requested to assign an OID for this GSS mechanism in the SMI numbers registry, with the prefix of iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to reference this specification in the registry. -8. Appendix A -- Document History - - [[ to be removed by RFC editor before publication as an RFC ]] - - -01 - - o Ripping out discovery. Changed to refer to I-D.jones-appsawg- - webfinger instead of WF and SWD older drafts. - - o Replacing HTTP as the message format and adjusted all examples. - - -00 - - o Renamed draft into proper IETF naming format now that it's - adopted. - - o Minor fixes. - - -00 - - o Initial revision - -9. References +8. References -9.1. Normative References +8.1. Normative References [I-D.ietf-oauth-v2] - Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth - 2.0 Authorization Framework", draft-ietf-oauth-v2-26 (work - in progress), May 2012. + Hardt, D., "The OAuth 2.0 Authorization Framework", + draft-ietf-oauth-v2-31 (work in progress), August 2012. [I-D.ietf-oauth-v2-bearer] - Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 - Authorization Protocol: Bearer Tokens", - draft-ietf-oauth-v2-bearer-19 (work in progress), - April 2012. + Jones, M. and D. Hardt, "The OAuth 2.0 Authorization + Framework: Bearer Token Usage", + draft-ietf-oauth-v2-bearer-23 (work in progress), + August 2012. [I-D.ietf-oauth-v2-http-mac] Hammer-Lahav, E., "HTTP Authentication: MAC Access Authentication", draft-ietf-oauth-v2-http-mac-01 (work in progress), February 2012. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - [RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax - Specifications: ABNF", RFC 2234, November 1997. - [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. [RFC2743] Linn, J., "Generic Security Service Application Program @@ -732,20 +715,23 @@ [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. [RFC4627] Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006. [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure Channels", RFC 5056, November 2007. + [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", STD 68, RFC 5234, January 2008. + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family", RFC 5801, July 2010. [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, April 2010. @@ -754,30 +740,58 @@ for TLS", RFC 5929, July 2010. [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, March 2011. -9.2. Informative References +8.2. Informative References [I-D.jones-appsawg-webfinger] Jones, P., Salgueiro, G., and J. Smarr, "WebFinger", - draft-jones-appsawg-webfinger-05 (work in progress), - May 2012. + draft-jones-appsawg-webfinger-06 (work in progress), + June 2012. [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, March 2003. +Appendix A. Document History + + [[ to be removed by RFC editor before publication as an RFC ]] + + -02 + + o Added the user data element back in. + + o Minor editorial changes. + + -01 + + o Ripping out discovery. Changed to refer to I-D.jones-appsawg- + webfinger instead of WF and SWD older drafts. + + o Replacing HTTP as the message format and adjusted all examples. + + -00 + + o Renamed draft into proper IETF naming format now that it's + adopted. + + o Minor fixes. + + -00 + + o Initial revision + Authors' Addresses William Mills Yahoo! Inc. Phone: Email: wmills@yahoo-inc.com Tim Showalter