| draft-ietf-ace-oauth-authz-32.txt | draft-ietf-ace-oauth-authz-33.txt |
| --- | --- |
| ACE Working Group L. Seitz | ACE Working Group L. Seitz |
| Internet-Draft Combitech | Internet-Draft Combitech |
| Intended status: Standards Track G. Selander | Intended status: Standards Track G. Selander |
| Expires: August 4, 2020 Ericsson | Expires: August 10, 2020 Ericsson |
| E. Wahlstroem | E. Wahlstroem |
| S. Erdtman | S. Erdtman |
| Spotify AB | Spotify AB |
| H. Tschofenig | H. Tschofenig |
| Arm Ltd. | Arm Ltd. |
| February 1, 2020 | February 7, 2020 |
| Authentication and Authorization for Constrained Environments (ACE) | Authentication and Authorization for Constrained Environments (ACE) |
| using the OAuth 2.0 Framework (ACE-OAuth) | using the OAuth 2.0 Framework (ACE-OAuth) |
| draft-ietf-ace-oauth-authz-32 | draft-ietf-ace-oauth-authz-33 |
| Abstract | Abstract |
| This specification defines a framework for authentication and | This specification defines a framework for authentication and |
| authorization in Internet of Things (IoT) environments called ACE- | authorization in Internet of Things (IoT) environments called ACE- |
| OAuth. The framework is based on a set of building blocks including | OAuth. The framework is based on a set of building blocks including |
| OAuth 2.0 and the Constrained Application Protocol (CoAP), thus | OAuth 2.0 and the Constrained Application Protocol (CoAP), thus |
| transforming a well-known and widely used authorization solution into | transforming a well-known and widely used authorization solution into |
| a form suitable for IoT devices. Existing specifications are used | a form suitable for IoT devices. Existing specifications are used |
| where possible, but extensions are added and profiles are defined to | where possible, but extensions are added and profiles are defined to |
| skipping to change at page 1, line 45 | skipping to change at page 1, line 45 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on August 4, 2020. | This Internet-Draft will expire on August 10, 2020. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| skipping to change at page 3, line 37 | skipping to change at page 3, line 37 |
| 8.4. OAuth Grant Type CBOR Mappings . . . . . . . . . . . . . 51 | 8.4. OAuth Grant Type CBOR Mappings . . . . . . . . . . . . . 51 |
| 8.5. OAuth Access Token Types . . . . . . . . . . . . . . . . 52 | 8.5. OAuth Access Token Types . . . . . . . . . . . . . . . . 52 |
| 8.6. OAuth Access Token Type CBOR Mappings . . . . . . . . . . 52 | 8.6. OAuth Access Token Type CBOR Mappings . . . . . . . . . . 52 |
| 8.6.1. Initial Registry Contents . . . . . . . . . . . . . . 52 | 8.6.1. Initial Registry Contents . . . . . . . . . . . . . . 52 |
| 8.7. ACE Profile Registry . . . . . . . . . . . . . . . . . . 53 | 8.7. ACE Profile Registry . . . . . . . . . . . . . . . . . . 53 |
| 8.8. OAuth Parameter Registration . . . . . . . . . . . . . . 53 | 8.8. OAuth Parameter Registration . . . . . . . . . . . . . . 53 |
| 8.9. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 53 | 8.9. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 53 |
| 8.10. OAuth Introspection Response Parameter Registration . . . 54 | 8.10. OAuth Introspection Response Parameter Registration . . . 54 |
| 8.11. OAuth Token Introspection Response CBOR Mappings Registry 54 | 8.11. OAuth Token Introspection Response CBOR Mappings Registry 54 |
| 8.12. JSON Web Token Claims . . . . . . . . . . . . . . . . . . 55 | 8.12. JSON Web Token Claims . . . . . . . . . . . . . . . . . . 55 |
| 8.13. CBOR Web Token Claims . . . . . . . . . . . . . . . . . . 55 | 8.13. CBOR Web Token Claims . . . . . . . . . . . . . . . . . . 56 |
| 8.14. Media Type Registrations . . . . . . . . . . . . . . . . 56 | 8.14. Media Type Registrations . . . . . . . . . . . . . . . . 56 |
| 8.15. CoAP Content-Format Registry . . . . . . . . . . . . . . 57 | 8.15. CoAP Content-Format Registry . . . . . . . . . . . . . . 57 |
| 8.16. Expert Review Instructions . . . . . . . . . . . . . . . 57 | 8.16. Expert Review Instructions . . . . . . . . . . . . . . . 58 |
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 |
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 |
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 59 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 59 |
| 10.2. Informative References . . . . . . . . . . . . . . . . . 61 | 10.2. Informative References . . . . . . . . . . . . . . . . . 62 |
| Appendix A. Design Justification . . . . . . . . . . . . . . . . 64 | Appendix A. Design Justification . . . . . . . . . . . . . . . . 64 |
| Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 67 | Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 68 |
| Appendix C. Requirements on Profiles . . . . . . . . . . . . . . 70 | Appendix C. Requirements on Profiles . . . . . . . . . . . . . . 70 |
| Appendix D. Assumptions on AS knowledge about C and RS . . . . . 71 | Appendix D. Assumptions on AS knowledge about C and RS . . . . . 71 |
| Appendix E. Deployment Examples . . . . . . . . . . . . . . . . 71 | Appendix E. Deployment Examples . . . . . . . . . . . . . . . . 71 |
| E.1. Local Token Validation . . . . . . . . . . . . . . . . . 71 | E.1. Local Token Validation . . . . . . . . . . . . . . . . . 72 |
| E.2. Introspection Aided Token Validation . . . . . . . . . . 76 | E.2. Introspection Aided Token Validation . . . . . . . . . . 76 |
| Appendix F. Document Updates . . . . . . . . . . . . . . . . . . 80 | Appendix F. Document Updates . . . . . . . . . . . . . . . . . . 80 |
| F.1. Version -21 to 22 . . . . . . . . . . . . . . . . . . . . 81 | F.1. Version -21 to 22 . . . . . . . . . . . . . . . . . . . . 81 |
| F.2. Version -20 to 21 . . . . . . . . . . . . . . . . . . . . 81 | F.2. Version -20 to 21 . . . . . . . . . . . . . . . . . . . . 81 |
| F.3. Version -19 to 20 . . . . . . . . . . . . . . . . . . . . 81 | F.3. Version -19 to 20 . . . . . . . . . . . . . . . . . . . . 81 |
| F.4. Version -18 to -19 . . . . . . . . . . . . . . . . . . . 81 | F.4. Version -18 to -19 . . . . . . . . . . . . . . . . . . . 81 |
| F.5. Version -17 to -18 . . . . . . . . . . . . . . . . . . . 81 | F.5. Version -17 to -18 . . . . . . . . . . . . . . . . . . . 81 |
| F.6. Version -16 to -17 . . . . . . . . . . . . . . . . . . . 81 | F.6. Version -16 to -17 . . . . . . . . . . . . . . . . . . . 81 |
| F.7. Version -15 to -16 . . . . . . . . . . . . . . . . . . . 82 | F.7. Version -15 to -16 . . . . . . . . . . . . . . . . . . . 82 |
| skipping to change at page 54, line 22 | skipping to change at page 54, line 22 |
| Value Type The allowable CBOR data types for values of this | Value Type The allowable CBOR data types for values of this |
| parameter. | parameter. |
| Reference This contains a pointer to the public specification of the | Reference This contains a pointer to the public specification of the |
| OAuth parameter abbreviation, if one exists. | OAuth parameter abbreviation, if one exists. |
| This registry will be initially populated by the values in Figure 12. | This registry will be initially populated by the values in Figure 12. |
| The Reference column for all of these entries will be this document. | The Reference column for all of these entries will be this document. |
| 8.10. OAuth Introspection Response Parameter Registration | 8.10. OAuth Introspection Response Parameter Registration |
| This specification registers the following parameter in the OAuth | This specification registers the following parameters in the OAuth |
| Token Introspection Response registry | Token Introspection Response registry |
| [IANA.TokenIntrospectionResponse]. | [IANA.TokenIntrospectionResponse]. |
| o Name: "ace_profile" | o Name: "ace_profile" |
| o Description: The ACE profile used between client and RS. | o Description: The ACE profile used between client and RS. |
| o Change Controller: IESG | o Change Controller: IESG |
| o Reference: Section 5.7.2 of [this document] | o Reference: Section 5.7.2 of [this document] |
| o Name: "cnonce" | |
| o Description: "client-nonce". A nonce previously provided to the | |
| AS by the RS via the client. Used to verify token freshness when | |
| the RS cannot synchronize its clock with the AS. | |
| o Change Controller: IESG | |
| o Reference: Section 5.7.2 of [this document] | |
| o Name: "exi" | |
| o Description: "Expires in". Lifetime of the token in seconds from | |
| the time the RS first sees it. Used to implement a weaker form of | |
| token expiration for devices that cannot synchronize their | |
| internal clocks. | |
| o Change Controller: IESG | |
| o Reference: Section 5.7.2 of [this document] | |
| 8.11. OAuth Token Introspection Response CBOR Mappings Registry | 8.11. OAuth Token Introspection Response CBOR Mappings Registry |
| This specification establishes the IANA "OAuth Token Introspection | This specification establishes the IANA "OAuth Token Introspection |
| Response CBOR Mappings" registry. The registry has been created to | Response CBOR Mappings" registry. The registry has been created to |
| use the "Expert Review" registration procedure [RFC8126], except for | use the "Expert Review" registration procedure [RFC8126], except for |
| the value range designated for private use. | the value range designated for private use. |
| The columns of this registry are: | The columns of this registry are: |
| Name The OAuth Parameter name, refers to the name in the OAuth | Name The OAuth Parameter name, refers to the name in the OAuth |
| skipping to change at page 55, line 21 | skipping to change at page 55, line 36 |
| This specification registers the following new claims in the JSON Web | This specification registers the following new claims in the JSON Web |
| Token (JWT) registry of JSON Web Token Claims | Token (JWT) registry of JSON Web Token Claims |
| [IANA.JsonWebTokenClaims]: | [IANA.JsonWebTokenClaims]: |
| o Claim Name: "ace_profile" | o Claim Name: "ace_profile" |
| o Claim Description: The ACE profile a token is supposed to be used | o Claim Description: The ACE profile a token is supposed to be used |
| with. | with. |
| o Change Controller: IESG | o Change Controller: IESG |
| o Reference: Section 5.8 of [this document] | o Reference: Section 5.8 of [this document] |
| | o Claim Name: "cnonce" |
| | o Claim Description: "client-nonce". A nonce previously provided to |
| | the AS by the RS via the client. Used to verify token freshness |
| | when the RS cannot synchronize its clock with the AS. |
| | o Change Controller: IESG |
| | o Reference: Section 5.8 of [this document] |
| o Claim Name: "exi" | o Claim Name: "exi" |
| o Claim Description: "Expires in". Lifetime of the token in seconds | o Claim Description: "Expires in". Lifetime of the token in seconds |
| from the time the RS first sees it. Used to implement a weaker | from the time the RS first sees it. Used to implement a weaker |
| form of token expiration for devices that cannot synchronize their | form of token expiration for devices that cannot synchronize their |
| internal clocks. | internal clocks. |
| o Change Controller: IESG | o Change Controller: IESG |
| o Reference: Section 5.8.3 of [this document] | o Reference: Section 5.8.3 of [this document] |
| o Claim Name: "cnonce" | |
| o Claim Description: "client-nonce". A nonce previously provided to | |
| the AS by the RS via the client. Used to verify token freshness | |
| when the RS cannot synchronize its clock with the AS. | |
| o Change Controller: IESG | |
| o Reference: Section 5.8 of [this document] | |
| 8.13. CBOR Web Token Claims | 8.13. CBOR Web Token Claims |
| This specification registers the following new claims in the "CBOR | This specification registers the following new claims in the "CBOR |
| Web Token (CWT) Claims" registry [IANA.CborWebTokenClaims]. | Web Token (CWT) Claims" registry [IANA.CborWebTokenClaims]. |
| o Claim Name: "scope" | |
| o Claim Description: The scope of an access token as defined in | |
| [RFC6749]. | |
| o JWT Claim Name: scope | |
| o Claim Key: TBD (suggested: 9) | |
| o Claim Value Type(s): byte string or text string | |
| o Change Controller: IESG | |
| o Specification Document(s): Section 4.2 of [RFC8693] | |
| o Claim Name: "ace_profile" | o Claim Name: "ace_profile" |
| o Claim Description: The ACE profile a token is supposed to be used | o Claim Description: The ACE profile a token is supposed to be used |
| with. | with. |
| o JWT Claim Name: ace_profile | o JWT Claim Name: ace_profile |
| o Claim Key: TBD (suggested: 38) | o Claim Key: TBD (suggested: 38) |
| o Claim Value Type(s): integer | o Claim Value Type(s): integer |
| o Change Controller: IESG | o Change Controller: IESG |
| o Specification Document(s): Section 5.8 of [this document] | o Specification Document(s): Section 5.8 of [this document] |
| o Claim Name: "cnonce" | |
| o Claim Description: The client-nonce sent to the AS by the RS via | |
| the client. | |
| o JWT Claim Name: cnonce | |
| o Claim Key: TBD (suggested: 39) | |
| o Claim Value Type(s): byte string | |
| o Change Controller: IESG | |
| o Specification Document(s): Section 5.8 of [this document] | |
| o Claim Name: "exi" | o Claim Name: "exi" |
| o Claim Description: The expiration time of a token measured from | o Claim Description: The expiration time of a token measured from |
| when it was received at the RS in seconds. | when it was received at the RS in seconds. |
| o JWT Claim Name: exi | o JWT Claim Name: exi |
| o Claim Key: TBD (suggested: 40) | o Claim Key: TBD (suggested: 40) |
| o Claim Value Type(s): integer | o Claim Value Type(s): integer |
| o Change Controller: IESG | o Change Controller: IESG |
| o Specification Document(s): Section 5.8.3 of [this document] | o Specification Document(s): Section 5.8.3 of [this document] |
| o Claim Name: "cnonce" | o Claim Name: "scope" |
| o Claim Description: The client-nonce sent to the AS by the RS via | o Claim Description: The scope of an access token as defined in |
| the client. | [RFC6749]. |
| o JWT Claim Name: cnonce | o JWT Claim Name: scope |
| o Claim Key: TBD (suggested: 39) | o Claim Key: TBD (suggested: 9) |
| o Claim Value Type(s): byte string | o Claim Value Type(s): byte string or text string |
| o Change Controller: IESG | o Change Controller: IESG |
| o Specification Document(s): Section 5.8 of [this document] | o Specification Document(s): Section 4.2 of [RFC8693] |
| 8.14. Media Type Registrations | 8.14. Media Type Registrations |
| This specification registers the 'application/ace+cbor' media type | This specification registers the 'application/ace+cbor' media type |
| for messages of the protocols defined in this document carrying | for messages of the protocols defined in this document carrying |
| parameters encoded in CBOR. This registration follows the procedures | parameters encoded in CBOR. This registration follows the procedures |
| specified in [RFC6838]. | specified in [RFC6838]. |
| Type name: application | Type name: application |
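The `cnonce` and `exi` registrations in Sections 8.10, 8.12 and 8.13 above describe how a resource server (RS) that cannot synchronize its clock with the AS can still check token freshness and expiry. The following is an added example, not code from the draft or from any ACE implementation: a constructed RS that hands out a single-use cnonce, requires it back in the token, and counts `exi` against its own uptime counter. It uses the draft's suggested (still TBD) CWT claim keys 38, 39 and 40; the `profile` identifier and the token maps in the test are constructed values, and the claims map is assumed to be already decoded and signature-verified.

```python
import secrets
from dataclasses import dataclass, field

# Suggested CWT claim keys from the draft's IANA section (still TBD in -33).
CWT_ACE_PROFILE = 38
CWT_CNONCE = 39
CWT_EXI = 40


@dataclass
class ClocklessRS:
    """RS without a synchronized wall clock (constructed): freshness comes
    from a single-use cnonce, expiry from exi counted on local uptime."""
    profile: int                 # ACE profile identifier this RS is configured for
    uptime: int = 0              # seconds since boot; never compared with AS time
    pending_nonces: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)  # token_id -> (uptime, exi)

    def tick(self, seconds: int) -> None:
        self.uptime += seconds

    def issue_cnonce(self) -> bytes:
        """Nonce the RS gives the client, which relays it to the AS; the AS
        echoes it back inside the token it issues for this RS."""
        nonce = secrets.token_bytes(8)
        self.pending_nonces.add(nonce)
        return nonce

    def accept_token(self, token_id: bytes, claims: dict) -> str:
        """Check a decoded, signature-verified CWT claims map on first sight.
        Returns "ok" or the reason for rejection."""
        if claims.get(CWT_ACE_PROFILE) != self.profile:
            return "profile mismatch"
        nonce = claims.get(CWT_CNONCE)
        # An unknown or already-consumed nonce: the token was not minted for a
        # request this RS made, or it is being replayed.
        if nonce not in self.pending_nonces:
            return "missing or replayed cnonce"
        exi = claims.get(CWT_EXI)
        # No wall clock means 'exp' cannot be evaluated, so this RS requires 'exi'.
        if isinstance(exi, bool) or not isinstance(exi, int) or exi <= 0:
            return "missing or invalid exi"
        self.pending_nonces.discard(nonce)   # single use
        # exi is measured from the moment the RS first sees the token.
        self.first_seen[token_id] = (self.uptime, exi)
        return "ok"

    def is_valid(self, token_id: bytes) -> bool:
        """Usable while local uptime is below first_seen + exi."""
        if token_id not in self.first_seen:
            return False
        seen_at, exi = self.first_seen[token_id]
        return self.uptime < seen_at + exi
```

The `token_id` is whatever the RS keys its token store by (for a CWT, typically its `cti` claim); the example takes it as a parameter so the storage choice stays separate from the freshness logic.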
End of changes. 18 change blocks. 34 lines changed or deleted, 48 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/