Presentation is loading. Please wait.

Presentation is loading. Please wait.

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig."— Presentation transcript:

1 A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig

2 Status JFMAMJJASONDJFMAMJJASOND 20102011 Indiv-00 Indiv-01 draft-mills-kitten- sasl-oauth Indiv-02 WG item -00 IETF#82 draft-ietf-kitten- sasl-oauth Indiv-03 Indiv-04 IETF#81IETF#80 IETF#79 IETF#78

3 Status, cont. draft-ietf-kitten-sasl-oauth-00.txt submitted as WG item this Monday. – Content of draft-mills-kitten-sasl-oauth-04 and draft-ietf-kitten-sasl-oauth-00.txt identical! -04 version saw a number of changes: – Abstract and Introduction modified – Sections restructured. – References updated – Editorial bugfix

4 Reminder: Architecture ----+ +--------+ +---------------+ | | |--(A)-- Authorization Request --->| Resource | | | | | Owner | |Plain | |<-(B)------ Access Grant ---------| | |OAuth | | +---------------+ |2.0 | | | | | Client Credentials & +---------------+ | | |--(C)------ Access Grant -------->| Authorization | | | Client | | Server | | | |<-(D)------ Access Token ---------| | | | | (w/ Optional Refresh Token) +---------------+ | | | ----+ | | | | ----+ | | (Optional discovery) +---------------+ | | |--(1)------- User Name --------->| | | | Client | | | | | |<-(2)------ Authentication -------| | | | | endpoint information | Resource | |OAuth | | | Server | |over | |--(E)------ Access Token -------->| | |SASL/ | | | | |GSS- | |<-(F)---- Protected Resource -----| | |API +--------+ +---------------+ | ----+

5 Design Decisions (1) OAuth Integration into SASL a)HTTP-Style b)Native (2) Security Functionality Scope a)Bearer Token Support b)MAC security c)Public Key security (3) Discovery a)Part of OAuth SASL specification b)Independent mechanism

6 OAuth Integration into SASL (a) HTTP-based Style GET / HTTP/1.1 Host: server.example.com User: user@example.com Authorization: MAC token="h480djs93hd8", timestamp="137131200”, nonce="dj83hs9s", signature="YTVjyNSujYs1WsDurFnvFi4JK6o=" GET / HTTP/1.1 Host: server.example.com User: user@example.com Authorization: MAC token="h480djs93hd8", timestamp="137131200”, nonce="dj83hs9s", signature="YTVjyNSujYs1WsDurFnvFi4JK6o=" GET / HTTP/1.1 Host: imap.example.com Authorization: BEARER "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==" GET / HTTP/1.1 Host: imap.example.com Authorization: BEARER "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg=="

7 OAuth Integration into SASL (b) Native TOKEN= "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==", SCOPE="foo"

8 OAuth Integration into SASL HTTP-Style – Re-uses HTTP parsing library, re-uses Oauth specifications as much as possible, similar to tunneling request/responses defined in draft-ietf-kitten-sasl- saml-05 and in draft-ietf-kitten-sasl-saml-ec-00.txt Native – Requires more specification work to decide about defining request and response (including error parameters). – May require less code.

9 Security Functionality Scope OAuth WG develops two HTTP-based security variants: – Bearer Token: http://datatracker.ietf.org/doc/draft-ietf-oauth- v2-bearer/ http://datatracker.ietf.org/doc/draft-ietf-oauth- v2-bearer/ – MAC Token:http://tools.ietf.org/html/draft-ietf- oauth-v2-http-machttp://tools.ietf.org/html/draft-ietf- oauth-v2-http-mac Other options: RFC 5849 (RSA signature method) or draft-balfanz-tls-obc-00 - TLS Origin-Bound Certificates What security mechanisms should be specified?

10 Discovery Certain OAuth profiles do not require OAuth support by the end host. Impacts design of discovery mechanism. – Proposals for discovery being discussed in the OAuth WG. E.g., draft-jones-simple-web- discovery. OAuth SASL is in a different position since end host changes are needed anyway. – A discovery mechanism could be incorporated into OAuth SASL.

11 Discovery, cont. Example from http://openid.net/specs/openid-connect-discovery-1_0.htmlhttp://openid.net/specs/openid-connect-discovery-1_0.html { "authorization_endpoint": "https://example.com/connect/authorize", "issuer" : "https://example.com", "token_endpoint": "https://example.com/connect/token" "user_info_endpoint": "https://example.com/connect/user", "check_id_endpoint": "https://example.com/connect/check_id", "refresh_session_endpoint": "https://example.com/connect/refresh_session", "end_session_endpoint": "https://example.com/connect/end_session", "jwk_document": "https://example.com/jwk.json", "registration_endpoint": "https://example.com/connect/register", "scopes_supported": ["openid"], "flows_supported": ["code", "token"], "iso29115_supported": ["http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf"], "identifiers_supported": ["public", "ppid"] } { "authorization_endpoint": "https://example.com/connect/authorize", "issuer" : "https://example.com", "token_endpoint": "https://example.com/connect/token" "user_info_endpoint": "https://example.com/connect/user", "check_id_endpoint": "https://example.com/connect/check_id", "refresh_session_endpoint": "https://example.com/connect/refresh_session", "end_session_endpoint": "https://example.com/connect/end_session", "jwk_document": "https://example.com/jwk.json", "registration_endpoint": "https://example.com/connect/register", "scopes_supported": ["openid"], "flows_supported": ["code", "token"], "iso29115_supported": ["http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf"], "identifiers_supported": ["public", "ppid"] }

Download ppt "A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig."

Similar presentations

SAML CCOW Work Item: Task 2

SAML CCOW Work Item: Task 2
Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23, 2014 1.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.

SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

Similar presentations

Ads by Google