| draft-ietf-kitten-sasl-oauth-12.txt | draft-ietf-kitten-sasl-oauth-13.txt | |||
|---|---|---|---|---|
| KITTEN W. Mills | KITTEN W. Mills | |||
| Internet-Draft Yahoo! Inc. | Internet-Draft Yahoo! Inc. | |||
| Intended status: Standards Track T. Showalter | Intended status: Standards Track T. Showalter | |||
| Expires: June 18, 2014 | Expires: August 18, 2014 | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Solutions and Networks | ARM Ltd. | |||
| December 15, 2013 | February 14, 2014 | |||
| A set of SASL Mechanisms for OAuth | A set of SASL Mechanisms for OAuth | |||
| draft-ietf-kitten-sasl-oauth-12.txt | draft-ietf-kitten-sasl-oauth-13.txt | |||
| Abstract | Abstract | |||
| OAuth enables a third-party application to obtain limited access to a | OAuth enables a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| This document defines how an application client uses credentials | This document defines how an application client uses credentials | |||
| obtained via OAuth over the Simple Authentication and Security Layer | obtained via OAuth over the Simple Authentication and Security Layer | |||
| skipping to change at page 2, line 4 | skipping to change at page 2, line 4 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 18, 2014. | This Internet-Draft will expire on August 18, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 6 | 3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 6 | |||
| 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 7 | 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 7 | |||
| 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 7 | 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 8 | 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.2.1. OAuth Identifiers in the SASL Context . . . . . . . . 8 | 3.2.1. OAuth Identifiers in the SASL Context . . . . . . . . 8 | |||
| 3.2.2. Server Response to Failed Authentication . . . . . . 8 | 3.2.2. Server Response to Failed Authentication . . . . . . 8 | |||
| 3.2.3. Completing an Error Message Sequence . . . . . . . . 9 | 3.2.3. Completing an Error Message Sequence . . . . . . . . 9 | |||
| 3.3. OAuth Access Token Types using Keyed Message Digests . . 9 | 3.3. OAuth Access Token Types using Keyed Message Digests . . 9 | |||
| 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.1. Successful Bearer Token Exchange . . . . . . . . . . . . 11 | 4.1. Successful Bearer Token Exchange . . . . . . . . . . . . 10 | |||
| 4.2. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 11 | 4.2. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.3. SMTP Example of a Failed Negotiation . . . . . . . . . . 12 | 4.3. SMTP Example of a Failed Negotiation . . . . . . . . . . 12 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 6. Internationalization Considerations . . . . . . . . . . . . . 14 | 6. Internationalization Considerations . . . . . . . . . . . . . 14 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 14 | 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . 16 | Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 16 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 17 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| OAuth 1.0a [RFC5849] and OAuth 2.0 [RFC6749] are protocol frameworks | OAuth 1.0a [RFC5849] and OAuth 2.0 [RFC6749] are protocol frameworks | |||
| that enable a third-party application to obtain limited access to a | that enable a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| skipping to change at page 16, line 18 | skipping to change at page 16, line 18 | |||
| [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | |||
| 6749, October 2012. | 6749, October 2012. | |||
| [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | |||
| Framework: Bearer Token Usage", RFC 6750, October 2012. | Framework: Bearer Token Usage", RFC 6750, October 2012. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-oauth-json-web-token] | [I-D.ietf-oauth-json-web-token] | |||
| Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", draft-ietf-oauth-json-web-token-13 (work in | (JWT)", draft-ietf-oauth-json-web-token-15 (work in | |||
| progress), November 2013. | progress), January 2014. | |||
| [I-D.ietf-oauth-v2-http-mac] | [I-D.ietf-oauth-v2-http-mac] | |||
| Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth | Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth | |||
| 2.0 Message Authentication Code (MAC) Tokens", draft-ietf- | 2.0 Message Authentication Code (MAC) Tokens", draft-ietf- | |||
| oauth-v2-http-mac-04 (work in progress), July 2013. | oauth-v2-http-mac-05 (work in progress), January 2014. | |||
| [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION | [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION | |||
| 4rev1", RFC 3501, March 2003. | 4rev1", RFC 3501, March 2003. | |||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | |||
| October 2008. | October 2008. | |||
| [RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 | [RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 | |||
| Threat Model and Security Considerations", RFC 6819, | Threat Model and Security Considerations", RFC 6819, | |||
| January 2013. | January 2013. | |||
| skipping to change at page 17, line 4 | skipping to change at page 17, line 8 | |||
| Lodderstadt, Ryan Troll, Alexey Melnikov, Jeffrey Hutzelman, and Nico | Lodderstadt, Ryan Troll, Alexey Melnikov, Jeffrey Hutzelman, and Nico | |||
| Williams. | Williams. | |||
| This document was produced under the chairmanship of Alexey Melnikov, | This document was produced under the chairmanship of Alexey Melnikov, | |||
| Tom Yu, Shawn Emery, Josh Howlett, Sam Hartman. The supervising area | Tom Yu, Shawn Emery, Josh Howlett, Sam Hartman. The supervising area | |||
| directors was Stephen Farrell. | directors was Stephen Farrell. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -13 | ||||
| o Changed affiliation. | ||||
| -12 | -12 | |||
| o Removed -PLUS components from the specification. | o Removed -PLUS components from the specification. | |||
| -11 | -11 | |||
| o Removed GSS-API components from the specification. | o Removed GSS-API components from the specification. | |||
| o Updated security consideration section. | o Updated security consideration section. | |||
| skipping to change at page 19, line 24 | skipping to change at page 19, line 31 | |||
| William Mills | William Mills | |||
| Yahoo! Inc. | Yahoo! Inc. | |||
| Email: wmills_92105@yahoo.com | Email: wmills_92105@yahoo.com | |||
| Tim Showalter | Tim Showalter | |||
| Email: tjs@psaux.com | Email: tjs@psaux.com | |||
| Hannes Tschofenig | Hannes Tschofenig | |||
| Nokia Solutions and Networks | ARM Ltd. | |||
| Linnoitustie 6 | 110 Fulbourn Rd | |||
| Espoo 02600 | Cambridge CB1 9NJ | |||
| Finland | Great Britain | |||
| Phone: +358 (50) 4871445 | Email: Hannes.tschofenig@gmx.net | |||
| Email: Hannes.Tschofenig@gmx.net | ||||
| URI: http://www.tschofenig.priv.at | URI: http://www.tschofenig.priv.at | |||
| End of changes. 13 change blocks. | ||||
| 18 lines changed or deleted | 22 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||