Diff: draft-ietf-sipcore-sip-token-authnz-10.txt -> draft-ietf-sipcore-sip-token-authnz-11.txt

SIP Core                                                  R. Shekh-Yusef
Internet-Draft                                                     Avaya
Updates: 3261 (if approved)                                  C. Holmberg
Intended status: Standards Track                                Ericsson
Expires: 24 September 2020 (was: 8 September 2020)           V. Pascual
                                                             webrtchacks
                                       23 March 2020 (was: 7 March 2020)

   Third-Party Token-based Authentication and Authorization for Session
                       Initiation Protocol (SIP)
   draft-ietf-sipcore-sip-token-authnz-11 (was: draft-ietf-sipcore-sip-token-authnz-10)
Abstract

   This document defines the "Bearer" authentication scheme for the
   Session Initiation Protocol (SIP), and a mechanism by which user
   authentication and SIP registration authorization is delegated to a
   third party, using the OAuth 2.0 framework and OpenID Connect Core
   1.0.  This document updates RFC 3261 to provide guidance on how a SIP
   User Agent Client (UAC) responds to a SIP 401/407 response that
   contains multiple WWW-Authenticate/Proxy-Authenticate header fields.
   [skipping to change at page 1, line 40]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 September 2020 (was: 8 September 2020).

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   [skipping to change at page 2, line 16]

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  SIP User Agent Types  . . . . . . . . . . . . . . . . . .   3
     1.3.  Token Types and Formats (was: Token Formats)  . . . . . .   3
     1.4.  Example Flows . . . . . . . . . . . . . . . . . . . . . .   4
       1.4.1.  Registration  . . . . . . . . . . . . . . . . . . . .   4
       1.4.2.  Registration with Preconfigured AS  . . . . . . . . .   6 (was: 5)
   2.  SIP Procedures  . . . . . . . . . . . . . . . . . . . . . . .   7
     2.1.  UAC Behavior  . . . . . . . . . . . . . . . . . . . . . .   7
       2.1.1.  Obtaining Tokens and Responding to Challenges . . . .   7
       2.1.2.  Protecting the Access Token . . . . . . . . . . . . .   8
       2.1.3.  REGISTER Request  . . . . . . . . . . . . . . . . . .   8
       2.1.4.  Non-REGISTER Request  . . . . . . . . . . . . . . . .   9 (was: 8)
     2.2.  UAS and Registrar Behavior  . . . . . . . . . . . . . . .   9
     2.3.  Proxy Behavior  . . . . . . . . . . . . . . . . . . . . .  10 (was: 9)
   3.  Access Token Claims . . . . . . . . . . . . . . . . . . . . .  10
   4.  WWW-Authenticate Response Header Field  . . . . . . . . . . .  10
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  12 (was: 11)
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12 (was: 11)
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  12 (was: 11)
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .  13 (was: 12)
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14 (was: 13)
1.  Introduction

   The Session Initiation Protocol (SIP) [RFC3261] uses the same
   framework as HTTP [RFC7230] to authenticate users: a simple
   challenge-response authentication mechanism that allows a SIP server
   to challenge a SIP client request and allows a SIP client to provide
   authentication information in response to that challenge.

   OAuth 2.0 [RFC6749] defines a token-based authorization framework to
   [skipping to change at page 3, line 42]

      the confidentiality of the user credentials and any tokens
      obtained using these user credentials.

   *  Public User Agent: a SIP UAC that is incapable of maintaining the
      confidentiality of the user credentials and any obtained tokens.

   The mechanism defined in this document MUST only be used with
   Confidential User Agents, as the UAC is expected to obtain and
   maintain tokens to be able to access the SIP network.
1.3.  Token Types and Formats (was: 1.3.  Token Formats)

   [The following three paragraphs are new in -11.]

   The tokens used in third-party authorization depend on the type of
   authorization server (AS).

   An OAuth authorization server provides the following tokens to a
   successfully authorized UAC:

   *  Access token: the UAC will use this token to gain access to
      services by providing the token to a SIP server.

   *  Refresh token: the UAC will present this token to the AS to
      refresh a stale access token.

   An OpenID Connect server returns an additional token:

   *  ID Token: this token contains the SIP URI and other user-specific
      details that will be consumed by the UAC.
   Tokens can be represented in two different formats:

   *  Structured Token: a token that consists of a structured object
      that contains the claims associated with the token, e.g. JWT as
      defined in [RFC7519].

   *  Reference Token: a token that consists of a random string that is
      used to obtain the details of the token and its associated claims,
      as defined in [RFC6749].
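   The distinction between the two formats matters to the SIP server that
   receives the Bearer credential: a structured token carries its claims
   inline, a reference token carries none.  The following is an added
   example, not code from the draft or its authors; the function names and
   the sample tokens are constructed for illustration, and the claims are
   read without signature verification, which a registrar must perform
   before trusting them.

```python
import base64
import json

# Added example (not from the draft): tell a structured (JWT, RFC 7519) Bearer
# token apart from a reference token and read the claims of a structured one.
# Claims are read WITHOUT signature verification; verify the JWS before trust.

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_bearer_credentials(header_value: str) -> str:
    """Return the token from an 'Authorization: Bearer <token>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a Bearer credential")
    return token.strip()

def classify_token(token: str) -> dict:
    """Return {'format', 'alg', 'claims'} for a token.

    A structured token is recognised as a JWS compact serialisation: three
    base64url segments whose first decodes to a JSON header carrying 'alg'.
    Anything else is an opaque reference token: it carries no claims, so the
    SIP server must look it up at the AS (e.g. token introspection, RFC 7662).
    """
    parts = token.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            header = claims = None
        if isinstance(header, dict) and "alg" in header and isinstance(claims, dict):
            return {"format": "structured", "alg": header["alg"], "claims": claims}
    return {"format": "reference", "alg": None, "claims": None}

def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample only: an alg=none JWT so the example runs offline.
    # Real access tokens are signed (or encrypted) by the authorization server.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample credentials as they might appear in a SIP REGISTER.
SAMPLE_JWT = _make_unsigned_jwt({"sub": "sip:alice@example.com", "aud": "sip:registrar.example.com"})
SAMPLE_REFERENCE_HEADER = "Bearer 8b5f1c0e9a7d4f2e"

if __name__ == "__main__":
    print(classify_token(parse_bearer_credentials("Bearer " + SAMPLE_JWT)))
    print(classify_token(parse_bearer_credentials(SAMPLE_REFERENCE_HEADER)))
```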