--- 1/draft-ietf-kitten-sasl-oauth-06.txt 2012-09-13 09:14:15.373368847 +0200 +++ 2/draft-ietf-kitten-sasl-oauth-07.txt 2012-09-13 09:14:15.413342889 +0200 @@ -1,21 +1,21 @@ KITTEN W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track T. Showalter -Expires: March 5, 2013 +Expires: March 17, 2013 H. Tschofenig Nokia Siemens Networks - September 1, 2012 + September 13, 2012 A set of SASL and GSS-API Mechanisms for OAuth - draft-ietf-kitten-sasl-oauth-06 + draft-ietf-kitten-sasl-oauth-07 Abstract OAuth enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction, or by allowing the third-party application to obtain access on its own behalf. This document defines how an application client uses credentials obtained via OAuth over the Simple Authentication and Security Layer @@ -39,21 +39,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 5, 2013. + This Internet-Draft will expire on March 17, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -71,37 +71,37 @@ 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 3.2.3. Server response to failed authentication. . . . . . . 11 3.2.4. Completing an error message sequence. . . . . . . . . 12 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 - 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 - 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 - 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 - 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 - 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 - 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 - 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 - 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 23 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 - 8.2. Informative References . . . . . . . . . . . . . . . . . . 25 - Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 26 - Appendix B. Document History . . . . . . . . . . . . . . . . . . 27 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 + 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15 + 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 17 + 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 18 + 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 19 + 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 20 + 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 20 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 + 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 23 + 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 24 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 25 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 26 + Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 27 + Appendix B. Document History . . . . . . . . . . . . . . . . . . 28 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 1. Introduction OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction, or by allowing the third-party application to obtain access on its own behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not define the interaction between the client and the resource server with the access to a protected resource using an Access Token. This @@ -278,32 +278,32 @@ server in order to allow the server to finish the exchange. Some protocols and common SASL implementations do not support both sending a SASL message and finalizing a SASL negotiation, the additional client message in the error case deals with this problem. This exchange is: o Client sends an invalid initial client response. o Server responds with an error message. - o Client sends an empty client reponse. + o Client sends a dummy client reponse. o Server fails the authentication. 3.1. Initial Client Response Client responses are a key/value pair sequence. The initial client response includes a gs2-header as defined in GS2 [RFC5801], which carries the authorization ID. These key/value pairs carry the equivalent values from an HTTP context in order to be able to - complete an OAuth style HTTP authorization. The client MUST send an - authorization ID in the gs2-header. The ABNF [RFC5234] syntax is: + complete an OAuth style HTTP authorization. The ABNF [RFC5234] + syntax is: kvsep = %x01 key = 1*ALPHA value = *(VCHAR | SP | HTAB | CR | LF ) kvpair = key "=" value kvsep client_resp = 0*kvpair kvsep ;; gs2-header = As defined in GSS-API initial_client_resp = gs2-header kvsep client_resp The following key/value pairs are defined in the client response: @@ -348,22 +348,23 @@ post (RESERVED): HTTP post data, the default value is "". 3.1.2. Use of the gs2-header The OAuth scheme related mechanisms are also GSS-API mechanisms, see Section 4 for further detail. The gs2-header is used as follows: o The "gs2-nonstd-flag" MUST NOT be present. o The "gs2-authzid" carries the authorization identity as specified - in [RFC5801]. This MUST agree with the identity asserted in the - OAuth credential. + in [RFC5801]. If present the application MUST determine whether + access is granted for the identity asserted in the OAuth + credential, if it does not the server MUST fail the negotiation. In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" because channel-binding [RFC5056] data is not expected. In the OAUTH10A-PLUS mechanism (or other -PLUS variants based on this specification) the "gs2-cb-flag" MUST be set appropriately by the client. 3.2. Server's Response The server validates the response per the specification for the @@ -369,39 +370,43 @@ The server validates the response per the specification for the authorization scheme used. If the authorization scheme used includes signing of the request parameters the client must provide a client response that satisfies the data requirements for the scheme in use. In a "-PLUS" mechanism the server examines the channel binding data, extracts the channel binding unique prefix, and extracts the raw channel biding data based on the channel binding type used. It then computes it's own copy of the channel binding payload and compares that to the payload sent by the client in the cbdata key/value. + Those two must be equal for channel binding to succeed. The server responds to a successfully verified client message by - completing the SASL negotiation. The authorization scheme MUST carry - the user ID to be used as the authorization identity (identity to act - as). The server MUST use the ID obtained from the credential as the - user being authorized. + completing the SASL negotiation. The authenticated identity reported + by the mechanism is the identity which the mechanism has securely + established for the client with the OAuth credential. 3.2.1. Mapping to SASL Identities - Some OAuth mechanisms can provide both an authorization identity and - an authentication identity. An example of this is OAuth 1.0a - [RFC5849] where the consumer key (oauth_consumer_key) identifies the - entity using the token which equates to the SASL authentication - identity, and is authenticated using the shared secret. The server - MAY use a consumer key, a value derived from it, or other comparable - identity in the OAuth authorization scheme to allow SASL an - authentication identity different from the authorization identity to - be set. + Note that the semantics of the authz-id are specified by the SASL + framework [RFC4422]. A SASL application is, of course, free to apply + mappings of the OAuth authcid to authz-ids as per-SASL, and it is + free to apply mappings common to non-SASL OAuth applications. + + Some OAuth schemes can carry both a user identity and a "proxy" + identity, for example an OAuth 1.0a [RFC5849] mechanism where the + consumer key (oauth_consumer_key) identifies the entity using the + token and the token itself identifies the user. If both identities + are needed by an application the developer will need to provide a way + to communicate that from the SASL mechanism back to the application + such as a GS2 [RFC2473] named type like GSS_C_NT_USER_NAME or a + comparable newly defined GS2 attribute. 3.2.2. Canonicalization The identity asserted by the OAuth authorization server is canonical for display. The server MAY provide a different canonical form based on local data. 3.2.3. Server response to failed authentication. For a failed authentication the server returns a JSON [RFC4627] @@ -619,35 +624,35 @@ 5.2. OAuth 1.0a Authorization with Channel Binding This example shows channel binding in the context of an OAuth 1.0a signed authorization request. Note that line breaks are inserted for readability. S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server Ready S: t0 OK Completed - C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ + C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= S: t1 OK SASL authentication succeeded As required by IMAP [RFC3501], the payloads are base64-encoded. The decoded initial client response (with %x01 represented as ^A and lines wrapped for readability) is: - y,a=user@example.com^A + p,a=user@example.com^A host=server.example.com^A port=143^A auth=OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A @@ -681,50 +686,50 @@ n,a=user@example.com,^Ahost=server.example.com^A port=143^Aauth=^A^A The decoded server error response is: { "status":"401", "scope":"example_scope" } - The client responds with the required empty response. + The client responds with the required dummy response. 5.4. Failed Channel Binding This example shows a channel binding failure in an empty request. The channel binding information is empty. Note that line breaks are inserted for readability. S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server Ready S: t0 OK Completed - C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9z + C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9z dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== C: + AQ== S: t1 NO SASL authentication failed The decoded initial client response is: - y,a=user@example.com,^Ahost=server.example.com^A + p,a=user@example.com,^Ahost=server.example.com^A port=143^Aauth=^Acbdata=^A^A The decoded server response is: { "status":"412", "scope":"example_scope" } - The client responds with the required empty response. + The client responds with the required dummy response. 5.5. SMTP Example of a failed negotiation. This example shows an authorization failure in an SMTP exchange. Note that line breaks are inserted for readability, and that the SMTP protocol terminates lines with CR and LF characters (ASCII values 0x0D and 0x0A), these are not displayed explicitly in the example. [connection begins] S: 220 mx.example.com ESMTP 12sm2095603fks.9 @@ -738,21 +743,21 @@ C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K C: AQ== S: 535-5.7.1 Username and Password not accepted. Learn more at S: 535 5.7.1 http://support.example.com/mail/oauth [connection continues...] The server returned an error message in the 334 SASL message, the - client responds with the required empty response, and the server + client responds with the required dummy response, and the server finalizes the negotiation. 6. Security Considerations This mechanism does not provide a security layer, but does provide a provision for channel binding. The OAuth 2 specification [I-D.ietf-oauth-v2] allows for a variety of usages, and the security properties of these profiles vary. The usage of bearer tokens, for example, provide security features similar to cookies. Applications using this mechanism SHOULD exercise the same level of care using @@ -848,20 +853,23 @@ [I-D.ietf-oauth-v2-bearer] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", draft-ietf-oauth-v2-bearer-23 (work in progress), August 2012. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. + [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in + IPv6 Specification", RFC 2473, December 1998. + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. [RFC2743] Linn, J., "Generic Security Service Application Program @@ -925,20 +933,26 @@ Appendix A. Acknowlegements The authors would like to thank the members of the Kitten working group, and in addition and specifically: Simon Josefson, Torsten Lodderstadt, Ryan Troll, and Nico Williams. Appendix B. Document History [[ to be removed by RFC editor before publication as an RFC ]] + -07 + + o Struck the MUST langiage from authzid. + + o + -06 o Removed the user field. Fixed the examples again. o Added canonicalization language. o -05