forked from hannestschofenig/tschofenig-ids
-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-tschofenig-ace-oauth-iot-00.txt
560 lines (346 loc) · 20 KB
/
draft-tschofenig-ace-oauth-iot-00.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
ACE H. Tschofenig
Internet-Draft ARM Limited
Intended status: Informational July 4, 2014
Expires: January 5, 2015
The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant
draft-tschofenig-ace-oauth-iot-00.txt
Abstract
As Internet of Things (IoT) deployments increase steadily the need
for a better user experience for handling the authentication and
authorization tasks in constrained environments increases.
While several technologies have been developed already that allow
federated access to protected resource the nature of IoT deployments
requires care with the limited resources available on many of these
devices.
This document defines a new OAuth 2.0 authorization grant for the
interaction between constrained clients and resource servers to
obtain access tokens for access to protected resources. It does so
by leveraging prior work on OAuth 2.0, CoAP, and DTLS.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Tschofenig Expires January 5, 2015 [Page 1]
Internet-Draft OAuth 2.0 IoT July 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Applicability Statement . . . . . . . . . . . . . . . . . . . 5
4. IoT Client Credentials Grant . . . . . . . . . . . . . . . . 5
4.1. Authorization Request and Response . . . . . . . . . . . 6
4.2. Access Token Request . . . . . . . . . . . . . . . . . . 6
4.3. Access Token Response . . . . . . . . . . . . . . . . . . 6
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7.1. Sub-Namespace Registration of urn:ietf:params:oauth
:grant-type:iot . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Early Internet of Things deployments used Internet connectivity to
push data to a cloud service or to an application on a smart phone.
While these IoT deployments offer great benefits for their users they
also suffer from a usability problem that can best be demonstrated
with a door lock example.
Consider an enterprise environment where access to different parts of
the campus is granted to employees dynamically and on a need-by-need
basis. New employees receive access rights and those who decide to
leave the company get their access rights revoked.
When an employee approaches a door the door lock is supposed to check
the authorization rights of that employee in a fraction of a second
and to grant (or deny) access appropriately. The building managers
expect a centralized management of employees and their access rights
and no prior interaction of employees with any object, such as a
Tschofenig Expires January 5, 2015 [Page 2]
Internet-Draft OAuth 2.0 IoT July 2014
door, upfront (such as it would be needed with pairing mechanisms
utilized by some IoT technologies).
To accomplish such a seamless user experience and offering security
at the same time it is necessary to make use of an authentication and
authorization server that manages policies for access to protected
resources (such as door locks in the previous example). As outlined
in [I-D.seitz-ace-usecases], it is assumed that resource servers do
not necessarily need to contact the authorization server every time
they receive an access request.
OAuth 2.0 [RFC6749] is a technology that offers such a design pattern
via the use of access tokens, which are requested by clients, and
subsequently presented to resource servers when demanding access to
protected resources managed by those resource servers.
OAuth 2.0 was, however, design primarily for use with the HTTP-based
web infrastructure and has only recently been extended for use with
SASL [I-D.ietf-kitten-sasl-oauth]. This document extends the OAuth
2.0 idea one step further and defines a Constrained Application
Protocol (CoAP)- based transport profile for OAuth 2.0. CoAP is
specified in RFC 7252 [RFC7252].
The benefits are as follows:
o The use of the Constrained Application Protocol (CoAP) [RFC6749]
(instead of HTTP) for encoding of requests and responses leads to
smaller and fewer message exchanges since CoAP uses a binary
format and relies on UDP rather than TCP.
o The of Datagram Transport Layer Security (DTLS) [RFC6347] (instead
of Transport Layer Security (TLS) for authentication) of the
authorization server to the client and for establishment of an
integrity protected and confidential communication channel follows
the spirit of TLS but is tailored to the unreliable transport
protocol used by CoAP.
o The use of DTLS allows to re-use well-analyzed security
functionality and does not require re-designing the same features
at the application layer. Note that the use of DTLS also allows
different credential-types to be re-used, as explained in
[I-D.ietf-dice-profile].
o The use of DTLS client-side authentication instead of the
previously defined application layer client authentication
mechanisms (as, for example defined in Section 2.3 of RFC 6749)
offers security properties that have not been exploited in the TLS
usage in the Web.
Tschofenig Expires January 5, 2015 [Page 3]
Internet-Draft OAuth 2.0 IoT July 2014
o Allows to re-use the standardized access token format, namely JSON
Web Token (JWT) [I-D.ietf-oauth-json-web-token], as well as proof-
of-possession tokens [I-D.hunt-oauth-pop-architecture].
Intentionally left outside the scope of this document are the
following items:
o Registration of the client with the authorization server. This
includes the provisioning of security credentials at the client
for subsequent use in case of client authentication.
o The interaction between the client and the resource server when
presenting the access token since a variety of different
deployment models may be envisioned. In some deployment scenarios
the use of bearer tokens may be appropriate whereas in others
proof-of-possession techniques may provide the desired level of
security. Also the desire to use application layer security (in
comparison to re-using DTLS) leads to different security designs.
o The interaction between the resource server and the authorization
server for provisioning of access control policies as well as the
ability to ask the authorization in real-time for access control
decisions (using the token introspection endpoint
[I-D.richer-oauth-introspection]). This is an optional part of
the OAuth 2.0 architecture that may be used in deployments where a
tied coupling between the authorization server and the resource
servers exists and the real-time interaction is desired.
o Cross realm use where authorization servers from different
administrative domains are involved. The use of this protocol
needs to be beneficial in a single domain concept to subsequently
see demand in a cross realm situation. Experience from other
federated authentication and authorization protocols shows that
adding the cross realm support is technically but complex from a
business point of view.
o The authorization server may place authorization information
inside the access token so that the resource server can enforce
these access control decisions autonomously. This information may
come in various flavors, such as basic JWT claims (such
'audience', 'expiration time', 'not before') or more sophisticated
access control information like [I-D.bormann-core-ace-aif]. These
policy languages are largely independent of the OAuth 2.0
framework.
Tschofenig Expires January 5, 2015 [Page 4]
Internet-Draft OAuth 2.0 IoT July 2014
2. Terminology
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
specification are to be interpreted as described in [RFC2119].
All terms are as defined in The OAuth 2.0 Authorization Framework
[RFC6749].
3. Applicability Statement
The OAuth 2.0 IoT grant defined in this document is only applicable
for OAuth 2.0 clients that are resource constrained. For all other
clients regular OAuth 2.0 can be re-used since those clients will be
able to execute the RFC 6749-defined client credential grant, which
uses HTTPS as a transport.
The communication between the client and a resource constrained
resource server is not described in this document and orthogonal to
this document.
4. IoT Client Credentials Grant
This IoT credential grant is a variation of the client credential
grant defined in RFC 6749.
The client can request an access token using only its client
credentials when the client is requesting access to the protected
resources under its control, or those of another resource owner that
have been previously arranged with the authorization server (the
method of which is beyond the scope of this specification).
The IoT client credentials grant type MUST only be used by
confidential clients.
+---------+ +---------------+
| | | |
| |>--(A)- Access Token Request --->| Authorization |
| Client | (protected by DTLS) | Server |
| |<--(B)- Access Token Response ---<| |
| | (protected by DTLS) | |
+---------+ +---------------+
Figure 1: IoT Client Credentials Flow.
The exchange illustrated in Figure 1 includes the following steps:
Tschofenig Expires January 5, 2015 [Page 5]
Internet-Draft OAuth 2.0 IoT July 2014
(A) The client authenticates with the authorization server and
requests an access token from the token endpoint. Mutual
authentication between the client and then authorization server
authentication takes place as part of the DTLS exchange.
(B) The authorization server authenticates the client, and if the
request is valid and authorized, issues an access token.
4.1. Authorization Request and Response
Since the client authentication is used as the authorization grant,
no additional authorization request is needed.
4.2. Access Token Request
The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format with a character encoding of UTF-8 in the CoAP request entity-
body:
grant_type: OPTIONAL. Value MUST be set to
"urn:ietf:params:oauth:grant-type:iot" for this grant type. The
value is optional since the client may have been pre-provisioned
by the authorization server with information about the grant type.
scope: OPTIONAL. The scope of the access request as described by
Section 3.3 of RFC 6749.
audience: OPTIONAL. Value is used by the client to indicate what
resource server, as the intended recipient, it wants to access.
This field is defined in [I-D.tschofenig-oauth-audience]
(QUESTION: Would it be useful to also use a JSON encoding here?)
In order to prevent man-in-the-middle attacks, the client MUST
require the use of DTLS with server authentication for any request
sent to the authorization and token endpoints. If certificate-based
server authentication is used then the client MUST validate the TLS
certificate of the authorization server, as defined by [RFC6125].
4.3. Access Token Response
If the access token request is valid and authorized, the
authorization server issues an access token as described in
Section 5.1 of RFC 6749 but encoded in a CoAP message using the
Content response code with the response encoded as a JSON structure
in the payload of the message. A refresh token MUST NOT be included.
If the request failed client authentication or is invalid, the
Tschofenig Expires January 5, 2015 [Page 6]
Internet-Draft OAuth 2.0 IoT July 2014
authorization server returns an error response using the CoAP 4.00
'Bad Request' response code with the error messages defined in
Section 5.2 of RFC 6749.
Note that the HTTP "Cache-Control" parameters are not used in the
CoAP response message.
QUESTION: Would it be useful to use the CBOR encoding for the
response? This could reduce the response size by a few %.
5. Example
For example, the client makes a CoAP carrying the Access Token
Request protected with DTLS to the authorization server. It then
receives a successful Access Token Response containing the access
token.
In the example below content-type 51 corresponds to the 'application/
x-www-form-urlencoded'.
Authorization
Client Server
| |
|<=======>| DTLS Connection Establishment
| |
+-------->| Header: POST (T=CON, Code=0.02, MID=0x7d34,
| POST | ct=51, Uri-Path:"token"
| | Payload: grant_type=client_credentials
| |
|<--------+ Header: 2.05 Content (T=ACK, Code=2.05, MID=0x7d34,
| 2.05 | ct=50)
| | Payload: <JSON-Payload>
| |
<JSON-Payload>:=
{
"access_token":"2YotnFZFE...jr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":28800
}
Figure 2: Example CoAP POST Message Exchange.
Tschofenig Expires January 5, 2015 [Page 7]
Internet-Draft OAuth 2.0 IoT July 2014
6. Security Considerations
This document re-uses a sub-set of the OAuth 2.0 functionality
specified in RFC 6749 and intentionally inherits the security
properties of OAuth 2.0, and DTLS. The discussion in Section 10 of
RFC 6749 and Section 4 of RFC 6819 are relevant for this document.
7. IANA Considerations
7.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant-type:iot
This specification registers the value "grant-type:iot" in the IANA
urn:ietf:params:oauth registry established in An IETF URN Sub-
Namespace for OAuth [RFC6755].
o URN: urn:ietf:params:oauth:grant-type:iot
o Common Name: Internet of Things (IoT) Client Credentails Grant
Type Profile for OAuth 2.0
o Change controller: IETF
o Specification Document: [[this document]]
8. References
8.1. Normative References
[I-D.ietf-dice-profile]
Hartke, K. and H. Tschofenig, "A DTLS 1.2 Profile for the
Internet of Things", draft-ietf-dice-profile-01 (work in
progress), May 2014.
[I-D.tschofenig-oauth-audience]
Tschofenig, H., "OAuth 2.0: Audience Information", draft-
tschofenig-oauth-audience-00 (work in progress), February
2013.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
Tschofenig Expires January 5, 2015 [Page 8]
Internet-Draft OAuth 2.0 IoT July 2014
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012.
[RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
for OAuth", RFC 6755, October 2012.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, June 2014.
8.2. Informative References
[I-D.bormann-core-ace-aif]
Bormann, C., "An Authorization Information Format (AIF)
for ACE", draft-bormann-core-ace-aif-00 (work in
progress), January 2014.
[I-D.hunt-oauth-pop-architecture]
Hunt, P., Richer, J., Mills, W., Mishra, P., and H.
Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security
Architecture", draft-hunt-oauth-pop-architecture-02 (work
in progress), June 2014.
[I-D.ietf-kitten-sasl-oauth]
Mills, W., Showalter, T., and H. Tschofenig, "A set of
SASL Mechanisms for OAuth", draft-ietf-kitten-sasl-
oauth-14 (work in progress), March 2014.
[I-D.ietf-oauth-json-web-token]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token-24 (work in
progress), July 2014.
[I-D.richer-oauth-introspection]
Richer, J., "OAuth Token Introspection", draft-richer-
oauth-introspection-04 (work in progress), May 2013.
[I-D.seitz-ace-usecases]
Seitz, L., Gerdes, S., and G. Selander, "ACE use cases",
draft-seitz-ace-usecases-00 (work in progress), February
2014.
Tschofenig Expires January 5, 2015 [Page 9]
Internet-Draft OAuth 2.0 IoT July 2014
Author's Address
Hannes Tschofenig
ARM Limited
Austria
Email: [email protected]
URI: http://www.tschofenig.priv.at
Tschofenig Expires January 5, 2015 [Page 10]