| draft-ietf-kitten-sasl-oauth-04.txt | draft-ietf-kitten-sasl-oauth-05.txt | |||
|---|---|---|---|---|
| KITTEN W. Mills | KITTEN W. Mills | |||
| Internet-Draft Yahoo! Inc. | Internet-Draft Yahoo! Inc. | |||
| Intended status: Standards Track T. Showalter | Intended status: Standards Track T. Showalter | |||
| Expires: February 21, 2013 | Expires: February 24, 2013 | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Siemens Networks | Nokia Siemens Networks | |||
| August 20, 2012 | August 23, 2012 | |||
| A SASL and GSS-API Mechanism for OAuth | A set of SASL and GSS-API Mechanisms for OAuth | |||
| draft-ietf-kitten-sasl-oauth-04 | draft-ietf-kitten-sasl-oauth-05 | |||
| Abstract | Abstract | |||
| OAuth enables a third-party application to obtain limited access to a | OAuth enables a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| This document defines how an application client uses OAuth over the | This document defines how an application client uses credentials | |||
| Simple Authentication and Security Layer (SASL) or the Generic | obtained via OAuth over the Simple Authentication and Security Layer | |||
| Security Service Application Program Interface (GSS-API) to access a | (SASL) or the Generic Security Service Application Program Interface | |||
| protected resource at a resource serve. Thereby, it enables schemes | (GSS-API) to access a protected resource at a resource serve. | |||
| defined within the OAuth framework for non-HTTP-based application | Thereby, it enables schemes defined within the OAuth framework for | |||
| protocols. | non-HTTP-based application protocols. | |||
| Clients typically store the user's long term credential. This does, | Clients typically store the user's long term credential. This does, | |||
| however, lead to significant security vulnerabilities, for example, | however, lead to significant security vulnerabilities, for example, | |||
| when such a credential leaks. A significant benefit of OAuth for | when such a credential leaks. A significant benefit of OAuth for | |||
| usage in those clients is that the password is replaced by a token. | usage in those clients is that the password is replaced by a token. | |||
| Tokens typically provided limited access rights and can be managed | Tokens typically provided limited access rights and can be managed | |||
| and revoked separately from the user's long-term credential | and revoked separately from the user's long-term credential | |||
| (password). | (password). | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 2, line 4 | skipping to change at page 2, line 4 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 21, 2013. | This Internet-Draft will expire on February 24, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 9 | 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8 | |||
| 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | |||
| 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 10 | 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 | |||
| 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 11 | 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 | |||
| 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 11 | 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | |||
| 3.2.2. Server response to failed authentication. . . . . . . 12 | 3.2.2. Server response to failed authentication. . . . . . . 11 | |||
| 3.2.3. Completing an error message sequence. . . . . . . . . 12 | 3.2.3. Completing an error message sequence. . . . . . . . . 12 | |||
| 3.3. Use of Signature Type Authorization . . . . . . . . . . . 13 | 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 | |||
| 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 14 | 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15 | 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 | 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 15 | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 | 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 16 | |||
| 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 | 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 | 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 18 | |||
| 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 | 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 18 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 | 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 22 | 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 22 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 23 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 23 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 25 | Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 25 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 26 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 26 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 5, line 14 | skipping to change at page 5, line 14 | |||
| The resulting framework allows new protocols to reuse existing | The resulting framework allows new protocols to reuse existing | |||
| mechanisms and allows old protocols to make use of new mechanisms. | mechanisms and allows old protocols to make use of new mechanisms. | |||
| The framework also provides a protocol for securing subsequent | The framework also provides a protocol for securing subsequent | |||
| protocol exchanges within a data security layer. | protocol exchanges within a data security layer. | |||
| The Generic Security Service Application Program Interface (GSS-API) | The Generic Security Service Application Program Interface (GSS-API) | |||
| [RFC2743] provides a framework for applications to support multiple | [RFC2743] provides a framework for applications to support multiple | |||
| authentication mechanisms through a unified interface. | authentication mechanisms through a unified interface. | |||
| This document defines a SASL mechanism for OAuth, but it conforms to | This document defines SASL mechanisms for OAuth, and it conforms to | |||
| the new bridge between SASL and the GSS-API called GS2 [RFC5801]. | the new bridge between SASL and the GSS-API called GS2 [RFC5801]. | |||
| This means that this document defines both a SASL mechanism and a | This means that this document defines both SASL and GSS-API | |||
| GSS-API mechanism. Implementers may be interested in either the | mechanisms. Implementers may be interested in either the SASL, the | |||
| SASL, the GSS-API, or even both mechanisms. To faciliate these two | GSS-API, or even both mechanisms. To faciliate these two variants, | |||
| variants, the description has been split into two parts, one part | the description has been split into two parts, one part that provides | |||
| that provides normative references for those interested in the SASL | normative references for those interested in the SASL OAuth mechanism | |||
| OAuth mechanism (see Section 3), and a second part for those | (see Section 3), and a second part for those implementers that wish | |||
| implementers that wish to implement the GSS-API portion (see | to implement the GSS-API portion (see Section 4). | |||
| Section 4). | ||||
| When OAuth is integrated into SASL and the GSS-API the high-level | When OAuth is integrated into SASL and the GSS-API the high-level | |||
| steps are as follows: | steps are as follows: | |||
| (A) The client requests authorization from the resource owner. | (A) The client requests authorization from the resource owner. | |||
| The authorization request can be made directly to the resource | The authorization request can be made directly to the resource | |||
| owner (as shown), or preferably indirectly via the authorization | owner (as shown), or preferably indirectly via the authorization | |||
| server as an intermediary. | server as an intermediary. | |||
| (B) The client receives an authorization grant which is a | (B) The client receives an authorization grant which is a | |||
| skipping to change at page 6, line 19 | skipping to change at page 6, line 17 | |||
| authentication endpoints (and perhaps the service endpoints) before | authentication endpoints (and perhaps the service endpoints) before | |||
| the OAuth 2.0 protocol exchange messages in steps (A)-(D) are | the OAuth 2.0 protocol exchange messages in steps (A)-(D) are | |||
| executed. The discovery of the resource owner and authorization | executed. The discovery of the resource owner and authorization | |||
| server endpoints is outside the scope of this specification. The | server endpoints is outside the scope of this specification. The | |||
| client must discover those endpoints using a discovery mechanisms | client must discover those endpoints using a discovery mechanisms | |||
| such as Webfinger using host-meta [I-D.jones-appsawg-webfinger]. In | such as Webfinger using host-meta [I-D.jones-appsawg-webfinger]. In | |||
| band discovery is not tenable if clients support the OAuth 2.0 | band discovery is not tenable if clients support the OAuth 2.0 | |||
| password grant. Once credentials are obtained the client proceeds to | password grant. Once credentials are obtained the client proceeds to | |||
| steps (E) and (F) defined in this specification. | steps (E) and (F) defined in this specification. | |||
| The client need not implement more than one authorization scheme, and | ||||
| there are no mandatory to implement schemes. The server MUST | ||||
| advertise at least one scheme if the OAUTH mechanism is offered. | ||||
| During discovery the client might not find any schemes that it | ||||
| supports, an OAuth 2.0 enabled client MAY attempt to fetch a | ||||
| credential for a scheme it supports from a discovered OAuth 2.0 | ||||
| authorization endpoint. If the client finds no schemes it supports | ||||
| the client SHOULD provide feedback to the user that the requested | ||||
| enpoint can not be supported. | ||||
| ----+ | ----+ | |||
| +--------+ +---------------+ | | +--------+ +---------------+ | | |||
| | |--(A)-- Authorization Request --->| Resource | | | | |--(A)-- Authorization Request --->| Resource | | | |||
| | | | Owner | |Plain | | | | Owner | |Plain | |||
| | |<-(B)------ Access Grant ---------| | |OAuth | | |<-(B)------ Access Grant ---------| | |OAuth | |||
| | | +---------------+ |2.0 | | | +---------------+ |2.0 | |||
| | | | | | | | | |||
| | | Client Credentials & +---------------+ | | | | Client Credentials & +---------------+ | | |||
| | |--(C)------ Access Grant -------->| Authorization | | | | |--(C)------ Access Grant -------->| Authorization | | | |||
| | Client | | Server | | | | Client | | Server | | | |||
| skipping to change at page 9, line 8 | skipping to change at page 8, line 8 | |||
| In examples, "C:" and "S:" indicate lines sent by the client and | In examples, "C:" and "S:" indicate lines sent by the client and | |||
| server respectively. Line breaks have been inserted for readability. | server respectively. Line breaks have been inserted for readability. | |||
| Note that the IMAP SASL specification requires base64 encoding | Note that the IMAP SASL specification requires base64 encoding | |||
| message, not this memo. | message, not this memo. | |||
| 3. OAuth SASL Mechanism Specification | 3. OAuth SASL Mechanism Specification | |||
| SASL is used as a generalized authentication method in a variety of | SASL is used as a generalized authentication method in a variety of | |||
| application layer protocols. This document defines two SASL | application layer protocols. This document defines the following | |||
| mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The | SASL mechanisms for usage with OAuth: | |||
| "OAUTH" SASL mechanism enables OAuth authorization schemes for SASL, | ||||
| "OAUTH-PLUS" adds channel binding [RFC5056] capability for additional | ||||
| security guarantees. | ||||
| This mechanism is client initiated and lock-step, the server always | OAUTHBEARER Authorization using Bearer tokens. | |||
| replying to a client message. In the case where the client has and | ||||
| correctly uses a valid token the flow is: | OAUTH10A Authorization using OAuth 1.0a tokens. | |||
| OAUTH10A-PLUS Adds channel binding [RFC5056] capability to | ||||
| OAUTH10A for additional security guarantees. | ||||
| Any new OAuth token scheme MAY define a new SASL mechanism compatible | ||||
| with the mechanisms defined here by simply registering the new | ||||
| name(s) and citing this specification for the further definition. | ||||
| New channel binding enabled "-PLUS" mechanisms defined in this way | ||||
| MUST include message integrity protection. | ||||
| These mechanisms are client initiated and lock-step, the server | ||||
| always replying to a client message. In the case where the client | ||||
| has and correctly uses a valid token the flow is: | ||||
| o Client sends a valid and correct initial client response. | o Client sends a valid and correct initial client response. | |||
| o Server responds with a successful authentication. | o Server responds with a successful authentication. | |||
| In the case where authorization fails the server sends an error | In the case where authorization fails the server sends an error | |||
| result, then client MUST then send an additional message to the | result, then client MUST then send an additional message to the | |||
| server in order to allow the server to finish the exchange. Some | server in order to allow the server to finish the exchange. Some | |||
| protocols and common SASL implementations do not support both sending | protocols and common SASL implementations do not support both sending | |||
| a SASL message and finalizing a SASL negotiation, the additional | a SASL message and finalizing a SASL negotiation, the additional | |||
| skipping to change at page 9, line 41 | skipping to change at page 9, line 8 | |||
| o Server responds with an error message. | o Server responds with an error message. | |||
| o Client sends an empty client reponse. | o Client sends an empty client reponse. | |||
| o Server fails the authentication. | o Server fails the authentication. | |||
| 3.1. Initial Client Response | 3.1. Initial Client Response | |||
| Client responses are a key/value pair sequence. The initial client | Client responses are a key/value pair sequence. The initial client | |||
| response includes a gs2-header as defined in GSS-API [RFC5801], which | response includes a gs2-header as defined in GS2 [RFC5801], which | |||
| carries the authorization ID as a hint. These key/value pairs carry | carries the authorization ID. These key/value pairs carry the | |||
| the equivalent values from an HTTP context in order to be able to | equivalent values from an HTTP context in order to be able to | |||
| complete an OAuth style HTTP authorization. The client MUST send an | complete an OAuth style HTTP authorization. The client MUST send an | |||
| authorization ID in the gs2-header. The server MAY use this as a | authorization ID in the gs2-header. The ABNF [RFC5234] syntax is: | |||
| routing or database lookup hint. The server MUST NOT use this as | ||||
| authoritative, the user name MUST be asserted by the OAuth | ||||
| credential. The ABNF [RFC5234] syntax is: | ||||
| kvsep = %x01 | kvsep = %x01 | |||
| key = 1*ALPHA | key = 1*ALPHA | |||
| value = *(VCHAR | SP | HTAB | CR | LF ) | value = *(VCHAR | SP | HTAB | CR | LF ) | |||
| kvpair = key "=" value kvsep | kvpair = key "=" value kvsep | |||
| client_resp = 0*kvpair kvsep | client_resp = 0*kvpair kvsep | |||
| ;; gs2-header = As defined in GSS-API | ;; gs2-header = As defined in GSS-API | |||
| initial_client_resp = gs2-header kvsep client_resp | initial_client_resp = gs2-header kvsep client_resp | |||
| The following key/value pairs are defined in the client response: | The following key/value pairs are defined in the client response: | |||
| auth (REQUIRED): The payload of the HTTP Authorization header for | auth (REQUIRED): The payload of the HTTP Authorization header for | |||
| an equivalent HTTP OAuth authroization. | an equivalent HTTP OAuth authroization. | |||
| user (REQUIRED): The authorization ID. The server MAY use this | ||||
| as a routing or database lookup hint. The server MUST NOT use | ||||
| this as authoritative, the user name MUST be asserted by the | ||||
| OAuth credential. | ||||
| host: Contains the host name to which the client connected. | host: Contains the host name to which the client connected. | |||
| port: Contains the port number represented as a decimal positive | port: Contains the port number represented as a decimal positive | |||
| integer string without leading zeros to which the client | integer string without leading zeros to which the client | |||
| connected. | connected. | |||
| qs: The HTTP query string. In OAUTH this is reserved, the client | qs: The HTTP query string. In non-channel binding mechanisms | |||
| SHOUD NOT send it, and has the default value of "". In OAUTH- | this is reserved, the client SHOUD NOT send it, and has the | |||
| PLUS this carries a single key value pair "cbdata" for the | default value of "". In "-PLUS" variants this carries a single | |||
| channel binding data payload formatted as an HTTP query string. | key value pair "cbdata" for the channel binding data payload | |||
| formatted as an HTTP query string. | ||||
| In authorization schemes that use signatures, the client MUST send | In authorization schemes that use signatures, the client MUST send | |||
| host and port number key/values, and the server MUST fail an | host and port number key/values, and the server MUST fail an | |||
| authorization request requiring signatures that does not have host | authorization request requiring signatures that does not have host | |||
| and port values. For authorization schemes that require a scheme as | and port values. For authorization schemes that require a URI scheme | |||
| part of the URI being signed "http" is always used. | as part of the data being signed "http" is always used. In OAuth | |||
| 1.0a for example, the signature base string includes the | ||||
| reconstructed HTTP URL. | ||||
| 3.1.1. Reserved Key/Values in OAUTH | 3.1.1. Reserved Key/Values | |||
| In the OAUTH mechanism values for path, query string and post body | In these mechanisms values for path, query string and post body are | |||
| are assigned default values. OAuth authorization schemes MAY define | assigned default values. OAuth authorization schemes MAY define | |||
| usage of these in the SASL context and extend this specification. | usage of these in the SASL context and extend this specification. | |||
| For OAuth schemes that use request signatures the default values MUST | For OAuth schemes that use request signatures the default values MUST | |||
| be used unless explict values are provided in the client response. | be used unless explict values are provided in the client response. | |||
| The following key values are reserved for future use: | The following key values are reserved for future use: | |||
| mthd (RESERVED): HTTP method for use in signatures, the default | mthd (RESERVED): HTTP method for use in signatures, the default | |||
| value is "POST". | value is "POST". | |||
| path (RESERVED): HTTP path data, the default value is "/". | path (RESERVED): HTTP path data, the default value is "/". | |||
| post (RESERVED): HTTP post data, the default value is "". | post (RESERVED): HTTP post data, the default value is "". | |||
| 3.1.2. Use of the gs2-header | 3.1.2. Use of the gs2-header | |||
| The gs2-header is used as follows: | The OAuth scheme related mechanisms are also GSS-API mechanisms, see | |||
| Section 4 for further detail. The gs2-header is used as follows: | ||||
| o The "gs2-nonstd-flag" MUST NOT be present. | o The "gs2-nonstd-flag" MUST NOT be present. | |||
| o The "gs2-authzid" carries the authorization identity as specified | o The "gs2-authzid" carries the authorization identity as specified | |||
| in [RFC5801]. | in [RFC5801]. | |||
| In the OAUTH mechanism the "gs2-cb-flag" MUST be set to "n" because | In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" | |||
| channel-binding [RFC5056] data is not expected. In the OAUTH-PLUS | because channel-binding [RFC5056] data is not expected. In the | |||
| mechanism the "gs2-cb-flag" MUST be set appropriately by the client. | OAUTH10A-PLUS mechanism (or other -PLUS variants based on this | |||
| specification) the "gs2-cb-flag" MUST be set appropriately by the | ||||
| client. | ||||
| 3.2. Server's Response | 3.2. Server's Response | |||
| The server validates the response per the specification for the | The server validates the response per the specification for the | |||
| authorization scheme used. If the authorization scheme used includes | authorization scheme used. If the authorization scheme used includes | |||
| signing of the request parameters the client must provide a client | signing of the request parameters the client must provide a client | |||
| response that satisfies the data requirements for the scheme in use. | response that satisfies the data requirements for the scheme in use. | |||
| In the OAUTH-PLUS mechanism the server examines the channel binding | In a "-PLUS" mechanism the server examines the channel binding data, | |||
| data, extracts the channel binding unique prefix, and extracts the | extracts the channel binding unique prefix, and extracts the raw | |||
| raw channel biding data based on the channel binding type used. It | channel biding data based on the channel binding type used. It then | |||
| then computes it's own copy of the channel binding payload and | computes it's own copy of the channel binding payload and compares | |||
| compares that to the payload sent by the client in the cbdata key/ | that to the payload sent by the client in the cbdata key/value. | |||
| value. Those two must be equal for channel binding to succeed. | Those two must be equal for channel binding to succeed. | |||
| The server responds to a successfully verified client message by | The server responds to a successfully verified client message by | |||
| completing the SASL negotiation. The authorization scheme MUST carry | completing the SASL negotiation. The authorization scheme MUST carry | |||
| the user ID to be used as the authorization identity (identity to act | the user ID to be used as the authorization identity (identity to act | |||
| as). The server MUST use the ID obtained from the credential as the | as). The server MUST use the ID obtained from the credential as the | |||
| user being authorized. | user being authorized. | |||
| 3.2.1. Mapping to SASL Identities | 3.2.1. Mapping to SASL Identities | |||
| Some OAuth mechanisms can provide both an authorization identity and | Some OAuth mechanisms can provide both an authorization identity and | |||
| skipping to change at page 12, line 18 | skipping to change at page 11, line 38 | |||
| 3.2.2. Server response to failed authentication. | 3.2.2. Server response to failed authentication. | |||
| For a failed authentication the server returns a JSON [RFC4627] | For a failed authentication the server returns a JSON [RFC4627] | |||
| formatted error result, and fails the authentication. The error | formatted error result, and fails the authentication. The error | |||
| result consists of the following values: | result consists of the following values: | |||
| status (REQUIRED): The authorization error code. Valid error | status (REQUIRED): The authorization error code. Valid error | |||
| codes are defined in the IANA [[need registry name]] registry | codes are defined in the IANA [[need registry name]] registry | |||
| specified in the OAuth 2 core specification. | specified in the OAuth 2 core specification. | |||
| schemes (REQUIRED): A space separated list of the OAuth | ||||
| authorization schemes supported by the server, i.e. "bearer" or | ||||
| "bearer mac". | ||||
| scope (OPTIONAL): An OAuth scope which is valid to access the | scope (OPTIONAL): An OAuth scope which is valid to access the | |||
| service. This may be empty which implies that unscoped tokens | service. This may be empty which implies that unscoped tokens | |||
| are required, or a space separated list. Use of a space | are required, or a space separated list. Use of a space | |||
| separated list is NOT RECOMMENDED. | separated list is NOT RECOMMENDED. | |||
| If the resource server provides a scope the client SHOULD always | If the resource server provides a scope the client SHOULD always | |||
| request scoped tokens from the token endpoint. The client MAY use a | request scoped tokens from the token endpoint. The client MAY use a | |||
| scope other than the one provided by the resource server. Scopes | scope other than the one provided by the resource server. Scopes | |||
| other than those advertised by the resource server are be defined by | other than those advertised by the resource server are be defined by | |||
| the resource owner and provided in service documentation or discovery | the resource owner and provided in service documentation or discovery | |||
| skipping to change at page 12, line 44 | skipping to change at page 12, line 14 | |||
| needed. | needed. | |||
| If channel binding is in use and the channel binding fails the server | If channel binding is in use and the channel binding fails the server | |||
| responds with a status code set to 412 to indicate that the channel | responds with a status code set to 412 to indicate that the channel | |||
| binding precondition failed. If the authentication scheme in use | binding precondition failed. If the authentication scheme in use | |||
| does not include signing the server SHOULD revoke the presented | does not include signing the server SHOULD revoke the presented | |||
| credential and the client SHOULD discard that credential. | credential and the client SHOULD discard that credential. | |||
| 3.2.3. Completing an error message sequence. | 3.2.3. Completing an error message sequence. | |||
| If the client gets an error message form the server it MUST send an | If the client gets an error message from the server it MUST send an | |||
| empty client response consisting of a single %x01 (control A) | empty client response consisting of a single %x01 (control A) | |||
| character, which is a correctly formatted client response with no | character, which is a correctly formatted client response with no | |||
| key/value pairs. The server then completes the SASL negotiation with | key/value pairs. The server then completes the SASL negotiation with | |||
| a failure result. | a failure result. | |||
| 3.3. Use of Signature Type Authorization | 3.3. Use of Signature Type Authorization | |||
| This mechanism supports authorization using signatures, which | This mechanism supports authorization using signatures, which | |||
| requires that both client and server construct the string to be | requires that both client and server construct the string to be | |||
| signed. OAuth 2 is designed for authentication/authorization to | signed. OAuth 2 is designed for authentication/authorization to | |||
| skipping to change at page 13, line 27 | skipping to change at page 12, line 42 | |||
| specific resource authorization, e.g. IMAP access to a specific | specific resource authorization, e.g. IMAP access to a specific | |||
| folder or FTP access limited to a specific directory. | folder or FTP access limited to a specific directory. | |||
| Using the example in the OAuth 1.0a specification as a starting | Using the example in the OAuth 1.0a specification as a starting | |||
| point, on an IMAP server running on port 143 and given the OAuth 1.0a | point, on an IMAP server running on port 143 and given the OAuth 1.0a | |||
| style authorization request (with %x01 shown as ^A and line breaks | style authorization request (with %x01 shown as ^A and line breaks | |||
| added for readability) below: | added for readability) below: | |||
| n,a=user@example.com,^A | n,a=user@example.com,^A | |||
| host=example.com^A | host=example.com^A | |||
| user=user@example.com^A | ||||
| port=143^A | port=143^A | |||
| auth=OAuth realm="Example", | auth=OAuth realm="Example", | |||
| oauth_consumer_key="9djdj82h48djs9d2", | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | oauth_signature_method="HMAC-SHA1", | |||
| oauth_timestamp="137131201", | oauth_timestamp="137131201", | |||
| oauth_nonce="7d8f3e4a", | oauth_nonce="7d8f3e4a", | |||
| oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A | oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A | |||
| The signature base string would be constructed per the OAuth 1.0 | The signature base string would be constructed per the OAuth 1.0 | |||
| skipping to change at page 14, line 15 | skipping to change at page 13, line 30 | |||
| POST&http%3A%2F%2Fexample.com:143%2F&oauth_consumer_key%3D9djdj82h4 | POST&http%3A%2F%2Fexample.com:143%2F&oauth_consumer_key%3D9djdj82h4 | |||
| 8djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SH | 8djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SH | |||
| A1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7 | A1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7 | |||
| 3.4. Channel Binding | 3.4. Channel Binding | |||
| The channel binding data is carried in the "qs" (query string) key | The channel binding data is carried in the "qs" (query string) key | |||
| value pair formatted as a standard HTTP query parameter with the name | value pair formatted as a standard HTTP query parameter with the name | |||
| "cbdata". Channel binding requires that the channel binding data be | "cbdata". Channel binding requires that the channel binding data be | |||
| integrity protected end-to-end in order to protect against man-in- | integrity protected end-to-end in order to protect against man-in- | |||
| the-middle attacks. All authorization schemes offered in an OAUTH- | the-middle attacks. All authorization schemes offered with "-PLUS" | |||
| PLUS mechanism MUST provide integrity protection. It should be noted | mechanisms MUST provide integrity protection. It should be noted | |||
| that while the Bearer token scheme specifies SSL for normal usage it | that while the Bearer token scheme specifies SSL for normal usage it | |||
| offers no integrity protection and is not suitable for use in OAUTH- | offers no integrity protection and is not suitable for use with | |||
| PLUS. | channel binding. | |||
| The channel binding data is computed by the client based on it's | The channel binding data is computed by the client based on it's | |||
| choice of preferred channel binding type. As specified in [RFC5056], | choice of preferred channel binding type. As specified in [RFC5056], | |||
| the channel binding information MUST start with the channel binding | the channel binding information MUST start with the channel binding | |||
| unique prefix, followed by a colon (ASCII 0x3A), followed by a base64 | unique prefix, followed by a colon (ASCII 0x3A), followed by a base64 | |||
| encoded channel binding payload. The channel binding payload is the | encoded channel binding payload. The channel binding payload is the | |||
| raw data from the channel binding type. For example, if the client | raw data from the channel binding type. For example, if the client | |||
| is using tls-unique for channel binding then the raw channel binding | is using tls-unique for channel binding then the raw channel binding | |||
| data is the TLS finished message as specified in section 3.1 of | data is the TLS finished message as specified in section 3.1 of | |||
| [RFC5929]. | [RFC5929]. | |||
| 4. GSS-API OAuth Mechanism Specification | 4. GSS-API OAuth Mechanism Specification | |||
| Note: The normative references in this section are informational for | Note: The normative references in this section are informational for | |||
| SASL implementers, but they are normative for GSS-API implementers. | SASL implementers, but they are normative for GSS-API implementers. | |||
| The SASL OAuth mechanism is also a GSS-API mechanism and the messages | The SASL OAuth mechanism is also a GSS-API mechanism and the messages | |||
| described in Section 3 are the same, but | described in Section 3 are the same with the following changes to the | |||
| GS2 related elements: | ||||
| 1. the initial context token header is prefixed to the client's | 1. the GS2 header on the client's first message and the following | |||
| %x01 (control A) are excluded when used as a GSS-API mechanism. | ||||
| 2. the initial context token header is prefixed to the client's | ||||
| first authentication message (context token), as described in | first authentication message (context token), as described in | |||
| Section 3.1 of RFC 2743, | Section 3.1 of RFC 2743, | |||
| The GSS-API mechanism OID for OAuth is [[TBD: IANA]]. | The GSS-API mechanism OID for OAuth is [[TBD: IANA]]. | |||
| OAuth security contexts always have the mutual_state flag | OAuth security contexts always have the mutual_state flag | |||
| (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | |||
| delegation, therefore security contexts may have the deleg_state flag | delegation, therefore security contexts may have the deleg_state flag | |||
| (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | |||
| skipping to change at page 16, line 21 | skipping to change at page 15, line 21 | |||
| insensitive. One example uses "Bearer" but that could as easily be | insensitive. One example uses "Bearer" but that could as easily be | |||
| "bearer", "BEARER", or "BeArEr". | "bearer", "BEARER", or "BeArEr". | |||
| 5.1. Successful Bearer Token Exchange | 5.1. Successful Bearer Token Exchange | |||
| This example shows a successful OAuth 2.0 bearer token exchange. | This example shows a successful OAuth 2.0 bearer token exchange. | |||
| Note that line breaks are inserted for readability. | Note that line breaks are inserted for readability. | |||
| S: * IMAP4rev1 Server Ready | S: * IMAP4rev1 Server Ready | |||
| C: t0 CAPABILITY | C: t0 CAPABILITY | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH | S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2VydmVy | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | |||
| LmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk5 | J2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzA | |||
| 2YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB | WF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk52YjNSbGNrQmhiSFJoZG1semRHRXVZ | |||
| Mjl0Q2c9PQEB | ||||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and long | decoded initial client response (with %x01 represented as ^A and long | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| n,a=user@example.com,^Ahost=server.example.com^Aport=143^A | n,a=user@example.com^Ahost=server.example.com^Auser=user@example.com^A | |||
| auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | port=143^Aauth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | |||
| The same credential used in an SMTP exchange is shown below. Note | The same credential used in an SMTP exchange is shown below. Note | |||
| that line breaks are inserted for readability, and that the SMTP | that line breaks are inserted for readability, and that the SMTP | |||
| protocol terminates lines with CR and LF characters (ASCII values | protocol terminates lines with CR and LF characters (ASCII values | |||
| 0x0D and 0x0A), these are not displayed explicitly in the example. | 0x0D and 0x0A), these are not displayed explicitly in the example. | |||
| [connection begins] | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | S: 220 mx.example.com ESMTP 12sm2095603fks.9 | |||
| C: EHLO sender.example.com | C: EHLO sender.example.com | |||
| S: 250-mx.example.com at your service,[172.31.135.47] | S: 250-mx.example.com at your service,[172.31.135.47] | |||
| S: 250-SIZE 35651584 | S: 250-SIZE 35651584 | |||
| S: 250-8BITMIME | S: 250-8BITMIME | |||
| S: 250-AUTH LOGIN PLAIN OAUTH | S: 250-AUTH LOGIN PLAIN OAUTHBEARER | |||
| S: 250-ENHANCEDSTATUSCODES | S: 250-ENHANCEDSTATUSCODES | |||
| S: 250-PIPELINING | S: 250-PIPELINING | |||
| C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2VydmVy | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX | |||
| LmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk5 | J2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzA | |||
| 2YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB | WF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk52YjNSbGNrQmhiSFJoZG1semRHRXVZ | |||
| Mjl0Q2c9PQEB | ||||
| S: 235 Authentication successful. | S: 235 Authentication successful. | |||
| [connection continues...] | [connection continues...] | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding | 5.2. OAuth 1.0a Authorization with Channel Binding | |||
| This example shows channel binding in the context of an OAuth 1.0a | This example shows channel binding in the context of an OAuth 1.0a | |||
| signed authorization request. Note that line breaks are inserted for | signed authorization request. Note that line breaks are inserted for | |||
| readability. | readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| S: t0 OK Completed | Ready | |||
| C: t1 AUTHENTICATE OAUTH-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vydm | S: t0 OK Completed | |||
| VyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9T0F1dGggcmVhbG09IkV4YW1wbGUi | C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ | |||
| LG9hdXRoX2NvbnN1bWVyX2tleT0iOWRqZGo4Mmg0OGRqczlkMiIsb2F1dGhfdG9rZW | XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb | |||
| 49ImtrazlkN2RoM2szOXNqdjciLG9hdXRoX3NpZ25hdHVyZV9tZXRob2Q9IkhNQUMt | XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a | |||
| U0hBMSIsb2F1dGhfdGltZXN0YW1wPSIxMzcxMzEyMDEiLG9hdXRoX25vbmNlPSI3ZD | F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ | |||
| hmM2U0YSIsb2F1dGhfc2lnbmF0dXJlPSJTU2R0SUdFZ2JHbDBkR3hsSUhSbFlTQndi | D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb | |||
| M1F1IgFxcz1jYmRhdGE9dGxzLXVuaXF1ZTpTRzkzSUdKcFp5QnBjeUJoSUZSTVV5Qm | m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe | |||
| 1hVzVoYkNCdFpYTnpZV2RsUHdvPQEB | GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc | |||
| S: t1 OK SASL authentication succeeded | GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | |||
| S: t1 OK SASL authentication succeeded | ||||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and | decoded initial client response (with %x01 represented as ^A and | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| y,a=user@example.com,^A | y,a=user@example.com^A | |||
| host=server.example.com^A | host=server.example.com^A | |||
| user=user@example.com^A | ||||
| port=143^A | port=143^A | |||
| auth=OAuth realm="Example", | auth=OAuth realm="Example", | |||
| oauth_consumer_key="9djdj82h48djs9d2", | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | oauth_signature_method="HMAC-SHA1", | |||
| oauth_timestamp="137131201", | oauth_timestamp="137131201", | |||
| oauth_nonce="7d8f3e4a", | oauth_nonce="7d8f3e4a", | |||
| oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | |||
| qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | |||
| skipping to change at page 18, line 32 | skipping to change at page 17, line 33 | |||
| j82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHM | j82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHM | |||
| AC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39s | AC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39s | |||
| jv7 | jv7 | |||
| 5.3. Failed Exchange | 5.3. Failed Exchange | |||
| This example shows a failed exchange because of the empty | This example shows a failed exchange because of the empty | |||
| Authorization header, which is how a client can query for the needed | Authorization header, which is how a client can query for the needed | |||
| scope. Note that line breaks are inserted for readability. | scope. Note that line breaks are inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server | |||
| Ready | ||||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vy | C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD | |||
| dmVyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AQE= | 1zZXJ2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2VyQGV4YW1wbGUuY29tAXBvc | |||
| S: + ewoic3RhdHVzIjoiNDAxIiwKInNjaGVtZXMiOiJiZWFyZXIiLAoic2NvcGUi | nQ9MTQzAWF1dGg9AQE= | |||
| OiJleGFtcGxlX3Njb3BlIgp9 | S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 | |||
| C: + AQ== | C: + AQ== | |||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| n,a=user@example.com,^Ahost=server.example.com^Aport=143^Aauth=^A^A | n,a=user@example.com,^Ahost=server.example.com^Auser=user@example. | |||
| com^Aport=143^Aauth=^A^A | ||||
| The decoded server error response is: | The decoded server error response is: | |||
| { | { | |||
| "status":"401", | "status":"401", | |||
| "schemes":"bearer", | ||||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required empty response. | |||
| 5.4. Failed Channel Binding | 5.4. Failed Channel Binding | |||
| This example shows a channel binding failure in an empty request. | This example shows a channel binding failure in an empty request. | |||
| The channel binding information is empty. Note that line breaks are | The channel binding information is empty. Note that line breaks are | |||
| inserted for readability. | inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH OAUTH-PLUS SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| Ready | Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vydm | C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhv | |||
| VyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AWNiZGF0YT0BAQ== | c3Q9c2VydmVyLmV4YW1wbGUuY29tAXVzZXI9dXNlckBleGFtcGxlLmNvbQF | |||
| S: + ewoic3RhdHVzIjoiNDEyIiwKInNjaGVtZXMiOiJiZWFyZXIgb2F1dGgiLAoi | wb3J0PTE0MwFhdXRoPQFjYmRhdGE9AQE= | |||
| c2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 | S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== | |||
| C: + AQ== | C: + AQ== | |||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| y,a=user@example.com,^A | y,a=user@example.com,^Ahost=server.example.com^A | |||
| host=server.example.com^Aport=143^A | user=user@example.com^Aport=143^Aauth=^Acbdata=^A^A | |||
| auth=^Acbdata=^A^A | ||||
| The decoded server response is: | The decoded server response is: | |||
| { | { | |||
| "status":"412", | "status":"412", | |||
| "schemes":"bearer oauth", | ||||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required empty response. | |||
| 5.5. SMTP Example of a failed negotiation. | 5.5. SMTP Example of a failed negotiation. | |||
| This example shows an authorization failure in an SMTP exchange. | This example shows an authorization failure in an SMTP exchange. | |||
| Note that line breaks are inserted for readability, and that the SMTP | Note that line breaks are inserted for readability, and that the SMTP | |||
| protocol terminates lines with CR and LF characters (ASCII values | protocol terminates lines with CR and LF characters (ASCII values | |||
| 0x0D and 0x0A), these are not displayed explicitly in the example. | 0x0D and 0x0A), these are not displayed explicitly in the example. | |||
| [connection begins] | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | S: 220 mx.example.com ESMTP 12sm2095603fks.9 | |||
| C: EHLO sender.example.com | C: EHLO sender.example.com | |||
| S: 250-mx.example.com at your service,[172.31.135.47] | S: 250-mx.example.com at your service,[172.31.135.47] | |||
| S: 250-SIZE 35651584 | S: 250-SIZE 35651584 | |||
| S: 250-8BITMIME | S: 250-8BITMIME | |||
| S: 250-AUTH LOGIN PLAIN OAUTH | S: 250-AUTH LOGIN PLAIN OAUTHBEARER | |||
| S: 250-ENHANCEDSTATUSCODES | S: 250-ENHANCEDSTATUSCODES | |||
| S: 250-PIPELINING | S: 250-PIPELINING | |||
| C: AUTH OAUTH dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2RjlkZn | C: AUTH OAUTHBEARER dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 | |||
| Q0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQo= | RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQo= | |||
| S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | |||
| HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | |||
| C: AQ== | C: AQ== | |||
| S: 535-5.7.1 Username and Password not accepted. Learn more at | S: 535-5.7.1 Username and Password not accepted. Learn more at | |||
| S: 535 5.7.1 http://support.example.com/mail/oauth | S: 535 5.7.1 http://support.example.com/mail/oauth | |||
| [connection continues...] | [connection continues...] | |||
| The client responds with the required empty response. | The server returned an error message in the 334 SASL message, the | |||
| client responds with the required empty response, and the server | ||||
| finalizes the negotiation. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| This mechanism does not provide a security layer, but does provide a | This mechanism does not provide a security layer, but does provide a | |||
| provision for channel binding. The OAuth 2 specification | provision for channel binding. The OAuth 2 specification | |||
| [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | |||
| properties of these profiles vary. The usage of bearer tokens, for | properties of these profiles vary. The usage of bearer tokens, for | |||
| example, provide security features similar to cookies. Applications | example, provide security features similar to cookies. Applications | |||
| using this mechanism SHOULD exercise the same level of care using | using this mechanism SHOULD exercise the same level of care using | |||
| this mechanism as they would in using the SASL PLAIN mechanism. In | this mechanism as they would in using the SASL PLAIN mechanism. In | |||
| skipping to change at page 22, line 11 | skipping to change at page 21, line 11 | |||
| invalid at any time. The client MAY request a new access token for | invalid at any time. The client MAY request a new access token for | |||
| each connection to a resource server, but it SHOULD cache and re-use | each connection to a resource server, but it SHOULD cache and re-use | |||
| access credentials that appear to be valid. | access credentials that appear to be valid. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. SASL Registration | 7.1. SASL Registration | |||
| The IANA is requested to register the following SASL profile: | The IANA is requested to register the following SASL profile: | |||
| SASL mechanism profile: OAUTH | SASL mechanism profile: OAUTHBEARER | |||
| Security Considerations: See this document | Security Considerations: See this document | |||
| Published Specification: See this document | Published Specification: See this document | |||
| For further information: Contact the authors of this document. | For further information: Contact the authors of this document. | |||
| Owner/Change controller: the IETF | Owner/Change controller: the IETF | |||
| Note: None | Note: None | |||
| The IANA is requested to register the following SASL profile: | The IANA is requested to register the following SASL profile: | |||
| SASL mechanism profile: OAUTH-PLUS | SASL mechanism profile: OAUTH10A | |||
| Security Considerations: See this document | ||||
| Published Specification: See this document | ||||
| For further information: Contact the authors of this document. | ||||
| Owner/Change controller: the IETF | ||||
| Note: None | ||||
| The IANA is requested to register the following SASL profile: | ||||
| SASL mechanism profile: OAUTH10A-PLUS | ||||
| Security Considerations: See this document | Security Considerations: See this document | |||
| Published Specification: See this document | Published Specification: See this document | |||
| For further information: Contact the authors of this document. | For further information: Contact the authors of this document. | |||
| Owner/Change controller: the IETF | Owner/Change controller: the IETF | |||
| Note: None | Note: None | |||
| 7.2. GSS-API Registration | 7.2. GSS-API Registration | |||
| IANA is further requested to assign an OID for this GSS mechanism in | IANA is further requested to assign an OID for thESE GSS mechanismS | |||
| the SMI numbers registry, with the prefix of | in the SMI numbers registry, with the prefix of | |||
| iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to | iso.org.dod.internet.security.mechanisms (1.3.6.1.5.5) and to | |||
| reference this specification in the registry. | reference this specification in the registry. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-oauth-v2] | [I-D.ietf-oauth-v2] | |||
| Hardt, D., "The OAuth 2.0 Authorization Framework", | Hardt, D., "The OAuth 2.0 Authorization Framework", | |||
| draft-ietf-oauth-v2-31 (work in progress), August 2012. | draft-ietf-oauth-v2-31 (work in progress), August 2012. | |||
| skipping to change at page 26, line 9 | skipping to change at page 26, line 9 | |||
| Appendix A. Acknowlegements | Appendix A. Acknowlegements | |||
| The authors would like to thank the members of the Kitten working | The authors would like to thank the members of the Kitten working | |||
| group, and in addition and specifically: Simon Josefson, Torsten | group, and in addition and specifically: Simon Josefson, Torsten | |||
| Lodderstadt, Ryan Troll, and Nico Williams. | Lodderstadt, Ryan Troll, and Nico Williams. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -05 | ||||
| o Fixed the GS2 header language again. | ||||
| o Separated out different OAuth schemes into different SASL | ||||
| mechanisms. Took out the scheme in the error return. Tuned up | ||||
| the IANA registrations. | ||||
| o Added the user field back into the SASL message. | ||||
| o Fixed the examples (again). | ||||
| o | ||||
| -04 | -04 | |||
| o Changed user field to be carried in the gs2-header, and made gs2 | o Changed user field to be carried in the gs2-header, and made gs2 | |||
| header explicit in all cases. | header explicit in all cases. | |||
| o Converted MAC examples to OAuth 1.0a. Moved MAC to an informative | o Converted MAC examples to OAuth 1.0a. Moved MAC to an informative | |||
| reference. | reference. | |||
| o Changed to sending an empty client response (single control-A) as | o Changed to sending an empty client response (single control-A) as | |||
| the second message of a failed sequence. | the second message of a failed sequence. | |||
| End of changes. 53 change blocks. | ||||
| 143 lines changed or deleted | 184 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||