--- 1/draft-ietf-kitten-sasl-oauth-07.txt 2012-09-17 02:14:16.797425963 +0200 +++ 2/draft-ietf-kitten-sasl-oauth-08.txt 2012-09-17 02:14:16.837426329 +0200 @@ -1,21 +1,21 @@ KITTEN W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track T. Showalter -Expires: March 17, 2013 +Expires: March 21, 2013 H. Tschofenig Nokia Siemens Networks - September 13, 2012 + September 17, 2012 A set of SASL and GSS-API Mechanisms for OAuth - draft-ietf-kitten-sasl-oauth-07 + draft-ietf-kitten-sasl-oauth-08 Abstract OAuth enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction, or by allowing the third-party application to obtain access on its own behalf. This document defines how an application client uses credentials obtained via OAuth over the Simple Authentication and Security Layer @@ -39,21 +39,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 17, 2013. + This Internet-Draft will expire on March 21, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -65,21 +65,21 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 8 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 - 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 + 3.2.1. OAuth Identities in the SASL Context . . . . . . . . . 11 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 3.2.3. Server response to failed authentication. . . . . . . 11 3.2.4. Completing an error message sequence. . . . . . . . . 12 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 17 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 18 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 19 @@ -375,38 +375,38 @@ In a "-PLUS" mechanism the server examines the channel binding data, extracts the channel binding unique prefix, and extracts the raw channel biding data based on the channel binding type used. It then computes it's own copy of the channel binding payload and compares that to the payload sent by the client in the cbdata key/value. Those two must be equal for channel binding to succeed. The server responds to a successfully verified client message by completing the SASL negotiation. The authenticated identity reported - by the mechanism is the identity which the mechanism has securely - established for the client with the OAuth credential. - -3.2.1. Mapping to SASL Identities + by the SASL mechanism is the identity securely established for the + client with the OAuth credential. The application, not the SASL + mechanism, based on local access policy determines whether the + identity reported by the mechanism is allowed access to the requested + resource. Note that the semantics of the authz-id is specified by + the SASL framework [RFC4422]. - Note that the semantics of the authz-id are specified by the SASL - framework [RFC4422]. A SASL application is, of course, free to apply - mappings of the OAuth authcid to authz-ids as per-SASL, and it is - free to apply mappings common to non-SASL OAuth applications. +3.2.1. OAuth Identities in the SASL Context - Some OAuth schemes can carry both a user identity and a "proxy" - identity, for example an OAuth 1.0a [RFC5849] mechanism where the - consumer key (oauth_consumer_key) identifies the entity using the - token and the token itself identifies the user. If both identities - are needed by an application the developer will need to provide a way - to communicate that from the SASL mechanism back to the application - such as a GS2 [RFC2473] named type like GSS_C_NT_USER_NAME or a - comparable newly defined GS2 attribute. + Some OAuth schemes can carry both an owner or resource identity and a + "proxy" identity, for example an OAuth 1.0a [RFC5849] mechanism where + the consumer key (oauth_consumer_key) identifies the entity using the + token and the token itself identifies the owner or resouce. If both + identities are needed by an application the developer will need to + provide a way to communicate that from the SASL mechanism back to the + application such as a GSS-API [RFC2473] named type like + GSS_C_NT_USER_NAME or a comparable newly defined GSS-API name type or + name attribute [RFC6680]. 3.2.2. Canonicalization The identity asserted by the OAuth authorization server is canonical for display. The server MAY provide a different canonical form based on local data. 3.2.3. Server response to failed authentication. For a failed authentication the server returns a JSON [RFC4627] @@ -624,35 +624,35 @@ 5.2. OAuth 1.0a Authorization with Channel Binding This example shows channel binding in the context of an OAuth 1.0a signed authorization request. Note that line breaks are inserted for readability. S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server Ready S: t0 OK Completed - C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ - XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb - XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a - F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ - D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb - m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe - GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc - GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= + C: t1 AUTHENTICATE OAUTH10A-PLUS cD10bHMtdW5pcXVlLGE9dXNlckBleGFtcGxlL + mNvbQFob3N0PXNlcnZlci5leGFtcGxlLmNvbQFwb3J0PTE0MwFhdXRoPU9BdXRoI + HJlYWxtPSJFeGFtcGxlIixvYXV0aF9jb25zdW1lcl9rZXk9IjlkamRqODJoNDhka + nM5ZDIiLG9hdXRoX3Rva2VuPSJra2s5ZDdkaDNrMzlzanY3IixvYXV0aF9zaWduY + XR1cmVfbWV0aG9kPSJITUFDLVNIQTEiLG9hdXRoX3RpbWVzdGFtcD0iMTM3MTMxM + jAxIixvYXV0aF9ub25jZT0iN2Q4ZjNlNGEiLG9hdXRoX3NpZ25hdHVyZT0iU1Nkd + ElHRWdiR2wwZEd4bElIUmxZU0J3YjNRdSIBcXM9Y2JkYXRhPXRscy11bmlxdWU6U + 0c5M0lHSnBaeUJwY3lCaElGUk1VeUJtYVc1aGJDQnRaWE56WVdkbFB3bz0BAQ== S: t1 OK SASL authentication succeeded As required by IMAP [RFC3501], the payloads are base64-encoded. The decoded initial client response (with %x01 represented as ^A and lines wrapped for readability) is: - p,a=user@example.com^A + p=tls-unique,a=user@example.com^A host=server.example.com^A port=143^A auth=OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A @@ -668,22 +668,23 @@ 5.3. Failed Exchange This example shows a failed exchange because of the empty Authorization header, which is how a client can query for the needed scope. Note that line breaks are inserted for readability. S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server Ready S: t0 OK Completed - C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD - 1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BAQ== + C: t1 AUTHENTICATE OAUTHBEARER cD10bHMtdW5pcXVlLGE9dXNlckBleGFtcG + xlLmNvbQFob3N0PXNlcnZlci5leGFtcGxlLmNvbQFwb3J0PTE0MwFhdXRoP + QFjYmRhdGE9AQE= S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 C: + AQ== S: t1 NO SASL authentication failed The decoded initial client response is: n,a=user@example.com,^Ahost=server.example.com^A port=143^Aauth=^A^A The decoded server error response is: @@ -705,21 +706,21 @@ Ready S: t0 OK Completed C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9z dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== C: + AQ== S: t1 NO SASL authentication failed The decoded initial client response is: - p,a=user@example.com,^Ahost=server.example.com^A + p=tls-unique,a=user@example.com,^Ahost=server.example.com^A port=143^Aauth=^Acbdata=^A^A The decoded server response is: { "status":"412", "scope":"example_scope" } The client responds with the required dummy response. @@ -908,20 +909,25 @@ for TLS", RFC 5929, July 2010. [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, March 2011. + [RFC6680] Williams, N., Johansson, L., Hartman, S., and S. + Josefsson, "Generic Security Service Application + Programming Interface (GSS-API) Naming Extensions", + RFC 6680, August 2012. + 8.2. Informative References [I-D.ietf-oauth-v2-http-mac] Hammer-Lahav, E., "HTTP Authentication: MAC Access Authentication", draft-ietf-oauth-v2-http-mac-01 (work in progress), February 2012. [I-D.jones-appsawg-webfinger] Jones, P., Salgueiro, G., and J. Smarr, "WebFinger", draft-jones-appsawg-webfinger-06 (work in progress), @@ -933,20 +939,26 @@ Appendix A. Acknowlegements The authors would like to thank the members of the Kitten working group, and in addition and specifically: Simon Josefson, Torsten Lodderstadt, Ryan Troll, and Nico Williams. Appendix B. Document History [[ to be removed by RFC editor before publication as an RFC ]] + -08 + + o Fixed the channel binding examples for p=$cbtype + + o More tuning of the authcid language and edited and renamed 3.2.1. + -07 o Struck the MUST langiage from authzid. o -06 o Removed the user field. Fixed the examples again.