rfcdiff: draft-ietf-sipcore-sip-token-authnz-07.txt vs draft-ietf-sipcore-sip-token-authnz-08.txt
(text below is the -08 column; where a value changed, the -07 value is given in parentheses)

SIP Core                                                  R. Shekh-Yusef
Internet-Draft                                                     Avaya
Updates: 3261 (if approved)                                  C. Holmberg
Intended status: Standards Track                                Ericsson
Expires: 21 August 2020 (-07: July 18, 2020)                  V. Pascual
                                                             webrtchacks
                                                        18 February 2020

   Third-Party Token-based Authentication and Authorization for Session
                        Initiation Protocol (SIP)
                 draft-ietf-sipcore-sip-token-authnz-08
Abstract

   This document defines a SIP mechanism that relies on OAuth 2.0 and
   OpenID Connect Core 1.0 to enable delegation of user authentication
   and SIP registration authorization to a third party. The document
   updates RFC 3261.
Status of This Memo

   (unchanged text omitted; diff resumes at page 1, line 37)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 August 2020 (-07: July 18, 2020).

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008. The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   (unchanged text omitted; diff resumes at page 2, line 29)
Table of Contents

   1. Introduction
      1.1. Terminology
      1.2. SIP User Agent Types
   2. SIP Procedures
      2.1. UAC Behavior
         2.1.1. Obtaining Tokens
         2.1.2. Protecting the Access Token
         2.1.3. REGISTER Request
         2.1.4. Non-REGISTER Request
      2.2. UAS and Registrar Behavior
      2.3. Proxy Behavior
   3. Access Token Claims
   4. WWW-Authenticate Response Header Field
   5. Example Flows
      5.1. Registration
      5.2. Registration with Pre-Configured AS
   6. Security Considerations
   7. IANA Considerations
   8. Acknowledgments
   9. Normative References
   Authors' Addresses
1. Introduction

   The Session Initiation Protocol (SIP) [RFC3261] uses the framework
   used by HTTP [RFC7230] for authenticating users, which is a simple
   challenge-response authentication mechanism that allows a server to
   challenge a client request and allows a client to provide
   authentication information in response to that challenge.
   (unchanged text omitted; diff resumes at page 3, line 36)
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
1.2. SIP User Agent Types

   [RFC6749] defines two types of clients, confidential and public, that
   apply to the SIP User Agents.

   *  Confidential User Agent: is a SIP UA that is capable of
      maintaining the confidentiality of the user credentials and any
      tokens obtained using these user credentials.

   *  Public User Agent: is a SIP UA that is incapable of maintaining
      the confidentiality of the user credentials and any obtained
      tokens.

   The mechanism defined in this document MUST only be used with
   Confidential User Agents, as the UA is expected to obtain and
   maintain tokens to be able to access the SIP network.
2. SIP Procedures

   Section 22 of [RFC3261] defines the SIP procedures for the Digest
   (unchanged text omitted; diff resumes at page 7, line 42)
   bearer-cln         = realm / scope / authz-server / error /
                        auth-param
   authz-server       = "authz_server" EQUAL authz-server-value
   authz-server-value = https-URI
   realm              = <defined in RFC3261>
   auth-param         = <defined in RFC3261>
   scope              = <defined in RFC6749>
   error              = <defined in RFC6749>
   https-URI          = <defined in RFC7230>

                      Figure 1: Bearer Scheme Syntax
   The authz_server parameter contains the HTTPS URI, as defined in
   [RFC7230], of the authorization server. The UA can discover metadata
   about the AS using a mechanism like the one defined in [RFC8414].

   The realm and auth-param parameters are defined in [RFC3261].

   As per [RFC3261], the realm string alone defines the protection
   domain. [RFC3261] states that the realm string must be globally
   unique and recommends that the realm string contains a hostname or
   domain name. It also states that the realm string should be human-
   (unchanged text omitted; diff resumes at page 9, line 33)
     |                               | {access_token}                |
     |                               |------------------------------>|
     |                               |                               |
     |                               | [6] 200 OK {metadata}         |
     |                               |<------------------------------|
     |                               |                               |
     | [7] 200 OK                    |                               |
     |<------------------------------|                               |
     |                               |                               |

                   Figure 2: Example Registration Flow
   In step [1], the UA starts the registration process by sending a SIP
   REGISTER request to the registrar without any credentials.

   In step [2], the registrar challenges the UA, by sending a SIP 401
   (Unauthorized) response to the REGISTER request. In the response the
   registrar includes information about the AS to contact in order to
   obtain a token.
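   The exchange of steps [1] and [2] above, the UA's parsing of the
   Bearer challenge against the Figure 1 grammar, and the registrar's
   validation of the token in the retried REGISTER (the same steps occur
   in the pre-configured-AS variant of Figure 3), as an added example
   that is not part of the draft. The realm, AS URI, scope, token values
   and the TOKEN_STORE table are constructed; the store stands in for the
   introspection a registrar would perform on an opaque reference token,
   and the function names (build_challenge, parse_bearer_challenge,
   registrar_handle, ua_register) are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values; none of these identifiers come from the draft.
REALM = "example.com"
AUTHZ_SERVER = "https://as.example.com"
SCOPE = "sip"

# Registrar-side table standing in for introspection of an opaque reference
# token (the draft leaves the validation method to the registrar).
# Constructed data: token -> claims the AS would return for it.
TOKEN_STORE = {
    "8xLOxBtZp8": {"sub": "alice@example.com", "active": True,  "scope": "sip"},
    "expiredTok": {"sub": "bob@example.com",   "active": False, "scope": "sip"},
    "wrongScope": {"sub": "carol@example.com", "active": True,  "scope": "voicemail"},
}

# One auth-param of the Figure 1 grammar: name "=" (quoted-string / token),
# optionally followed by a comma. RFC 3261 allows either value form.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))\s*,?')


def build_challenge() -> str:
    """Registrar, step [2]: the Bearer challenge carrying realm, scope and
    the authz_server parameter from Figure 1."""
    return (f'Bearer realm="{REALM}", scope="{SCOPE}", '
            f'authz_server="{AUTHZ_SERVER}"')


def parse_bearer_challenge(value: str) -> dict:
    """UA side: parse a WWW-Authenticate value into its parameters and
    enforce authz-server-value = https-URI before contacting the AS."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    fields, pos = {}, 0
    while pos < len(params.rstrip()):
        m = _PARAM_RE.match(params, pos)
        if not m:
            raise ValueError(f"malformed auth-param near {params[pos:]!r}")
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # quoted-pair
        pos = m.end()
    if "realm" not in fields:
        raise ValueError("realm is mandatory in a SIP challenge")
    if "authz_server" in fields:
        u = urlsplit(fields["authz_server"])
        if u.scheme != "https" or not u.netloc:
            # A plain-http or relative AS URI would let an on-path attacker
            # steer the user's credentials to a rogue AS; refuse it outright.
            raise ValueError("authz_server must be an https URI")
    return fields


def registrar_handle(request: dict) -> tuple:
    """Registrar: challenge a REGISTER that carries no Authorization
    (step [2]); otherwise validate the Bearer token it carries."""
    auth = request.get("Authorization")
    if not auth:
        return 401, {"WWW-Authenticate": build_challenge()}
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 400, {}
    info = TOKEN_STORE.get(token.strip())      # simulated introspection
    if info is None or not info["active"]:
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="invalid_token"'}
    if info["scope"] != SCOPE:
        return 403, {}
    return 200, {"registered": info["sub"]}


def ua_register(obtain_token) -> tuple:
    """UA: REGISTER without credentials, parse the 401, obtain a token for
    the advertised AS (step [3], stood in for by obtain_token) and retry
    with Authorization: Bearer. Returns (final status, parsed challenge)."""
    status, hdrs = registrar_handle({})
    if status != 401:
        raise RuntimeError("expected a challenge on the first REGISTER")
    challenge = parse_bearer_challenge(hdrs["WWW-Authenticate"])
    token = obtain_token(challenge["authz_server"], challenge.get("scope"))
    status, _ = registrar_handle({"Authorization": f"Bearer {token}"})
    return status, challenge


if __name__ == "__main__":
    print(ua_register(lambda as_uri, scope: "8xLOxBtZp8"))   # -> status 200
```

   The https check in parse_bearer_challenge is the practical consequence
   of authz-server-value being restricted to https-URI: a UA that followed
   an http:// or schemeless value from an unauthenticated 401 would hand
   its OAuth interaction to whoever injected the challenge. The registrar
   side returns a fresh Bearer challenge with error="invalid_token" for an
   unknown or inactive token and 403 for a valid token whose scope does
   not cover registration, mirroring the error parameter Figure 1 imports
   from [RFC6749].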
   In step [3], the UA interacts with the AS, potentially using the
   OAuth Native App mechanism defined in [RFC8252], authenticates the
   (unchanged text omitted; diff resumes at page 10, line 40)
     |                               | {access_token}                |
     |                               |------------------------------>|
     |                               |                               |
     |                               | [4] 200 OK {metadata}         |
     |                               |<------------------------------|
     |                               |                               |
     | [5] 200 OK                    |                               |
     |<------------------------------|                               |
     |                               |                               |

     Figure 3: Example Registration Flow - Authorization Server
                       Information Preconfigured
   In step [1], the UA interacts with the AS, potentially using the
   OAuth Native App mechanism defined in [RFC8252], authenticates the
   user and obtains the tokens needed to access the SIP service.

   In step [2], the UA retries the registration process by sending a new
   SIP REGISTER request that includes the access token that the UA
   obtained previously.
   The registrar validates the access token. If the access token is a
   reference token, the registrar MAY perform an introspection, as in
   (unchanged text omitted; diff resumes at page 12, line 9)
   Olle Johansson, Roman Shpount, Dale Worley, and Jorgen Axell.

   The authors would also like to thank the following for their review
   and feedback of the original document that was replaced with this
   document:

   Andrew Allen, Martin Dolly, Keith Drage, Paul Kyzivat, Jon Peterson,
   Michael Procter, Roy Radhika, Matt Ryan, Ivo Sedlacek, Roman Shpount,
   Robert Sparks, Asveren Tolga, and Dale Worley.

   The authors would also like to thank Jean Mahoney for her review,
   editorial help, and the conversion of the XML source file from v2 to
   v3.
9. Normative References

   [OPENID]   Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
              C. Mortimore, "OpenID Connect Core 1.0", February 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002,
              <https://www.rfc-editor.org/info/rfc3261>.

   [RFC3840]  Rosenberg, J., Schulzrinne, H., and P. Kyzivat,
              "Indicating User Agent Capabilities in the Session
              Initiation Protocol (SIP)", RFC 3840,
              DOI 10.17487/RFC3840, August 2004,
              <https://www.rfc-editor.org/info/rfc3840>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/info/rfc6749>.

   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
              Framework: Bearer Token Usage", RFC 6750,
              DOI 10.17487/RFC6750, October 2012,
              <https://www.rfc-editor.org/info/rfc6750>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
   (unchanged text omitted; diff resumes at page 13, line 19)
   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018,
              <https://www.rfc-editor.org/info/rfc8414>.
Authors' Addresses

   Rifaat Shekh-Yusef
   Avaya
   425 Legget Drive
   Ottawa Ontario
   Canada

   Phone: +1-613-595-9106
   Email: rifaat.ietf@gmail.com


   Christer Holmberg
   Ericsson
   Hirsalantie 11
   FI-02420 Jorvas
   Finland

   Email: christer.holmberg@ericsson.com


   Victor Pascual
   webrtchacks
   Spain

   Email: victor.pascual.avila@gmail.com
End of changes: 19 change blocks; 27 lines changed or deleted, 32 lines changed or added.
This diff was produced by rfcdiff 1.47 (http://tools.ietf.org/tools/rfcdiff/).