A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig.

Slides:

Advertisements

Similar presentations

SAML CCOW Work Item: Task 2

Advertisements

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Contrail and Federated Identity Management

Prabath Siriwardena | Johann Nallathamby.

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

WSO2 Identity Server Road Map

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Copyright ©2012 Ping Identity Corporation. All rights reserved.1.

MINT Working Group Jan 9-10 at Harris FBC Melbourne, FL.

(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation.

HTTP config.Routes.MapHttpRoute( name: “TodosForTodoList", routeTemplate: "api/todolists/{id}/todos", defaults: new { controller = “todolists”,

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

SAML Token Claims Based Identity SAML Token Claims Based Identity SPUser.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Secure Mobile Development with NetIQ Access Manager

SCVP-28 Tim Polk November 8, Current Status Draft -27 was submitted in June ‘06 –AD requested a revised ID 8/11 –No related discussion on list –Editors.

Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Building Secure Microservices

Dr. Michael B. Jones Identity Standards Architect at Microsoft

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

OAuth WG Conference Call, 11th Jan. 2013

Phil Hunt, Hannes Tschofenig

OAuth2 WG User Authentication for Clients

Chairs: Derek Atkins and Hannes Tschofenig

TrueNTH OAuth Role Based Permission System Victor de Lima Soares

OAuth Assertion Documents

Considering issues regarding handling token

Agenda OAuth WG IETF 87 July, 2013.

Addressing the Beast: Single Sign-On II

OpenID Enhanced Authentication Profile (EAP) Working Group

Device Flow <draft-ietf-oauth-device-flow-03>

OpenID Enhanced Authentication Profile (EAP) Working Group

IOS SDK v1.0 with NAM 4.2.

draft-ipdvb-sec-01.txt ULE Security Requirements

Security Vulnerabilities in RPC (csci5931)

OAuth Design Team Call 11th February 2013.

Office 365 Development.

Microsoft Ignite NZ October 2016 SKYCITY, Auckland.

OpenID Enhanced Authentication Profile (EAP) Working Group

OpenID Enhanced Authentication Profile (EAP) Working Group

Authentication and Authorization for Constrained Environments (ACE)

OpenID Enhanced Authentication Profile (EAP) Working Group

Presentation transcript:

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig

Status JFMAMJJASONDJFMAMJJASOND Indiv-00 Indiv-01 draft-mills-kitten- sasl-oauth Indiv-02 WG item -00 IETF#82 draft-ietf-kitten- sasl-oauth Indiv-03 Indiv-04 IETF#81IETF#80 IETF#79 IETF#78

Status, cont. draft-ietf-kitten-sasl-oauth-00.txt submitted as WG item this Monday. – Content of draft-mills-kitten-sasl-oauth-04 and draft-ietf-kitten-sasl-oauth-00.txt identical! -04 version saw a number of changes: – Abstract and Introduction modified – Sections restructured. – References updated – Editorial bugfix

Reminder: Architecture | | |--(A)-- Authorization Request --->| Resource | | | | | Owner | |Plain | |<-(B) Access Grant | | |OAuth | | |2.0 | | | | | Client Credentials & | | |--(C) Access Grant >| Authorization | | | Client | | Server | | | |<-(D) Access Token | | | | | (w/ Optional Refresh Token) | | | | | | | | | (Optional discovery) | | |--(1) User Name >| | | | Client | | | | | |<-(2) Authentication | | | | | endpoint information | Resource | |OAuth | | | Server | |over | |--(E) Access Token >| | |SASL/ | | | | |GSS- | |<-(F)---- Protected Resource -----| | |API | ----+

Design Decisions (1) OAuth Integration into SASL a)HTTP-Style b)Native (2) Security Functionality Scope a)Bearer Token Support b)MAC security c)Public Key security (3) Discovery a)Part of OAuth SASL specification b)Independent mechanism

OAuth Integration into SASL (a) HTTP-based Style GET / HTTP/1.1 Host: server.example.com User: Authorization: MAC token="h480djs93hd8", timestamp=" ”, nonce="dj83hs9s", signature="YTVjyNSujYs1WsDurFnvFi4JK6o=" GET / HTTP/1.1 Host: server.example.com User: Authorization: MAC token="h480djs93hd8", timestamp=" ”, nonce="dj83hs9s", signature="YTVjyNSujYs1WsDurFnvFi4JK6o=" GET / HTTP/1.1 Host: imap.example.com Authorization: BEARER "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==" GET / HTTP/1.1 Host: imap.example.com Authorization: BEARER "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg=="

OAuth Integration into SASL (b) Native TOKEN= "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==", SCOPE="foo"

OAuth Integration into SASL HTTP-Style – Re-uses HTTP parsing library, re-uses Oauth specifications as much as possible, similar to tunneling request/responses defined in draft-ietf-kitten-sasl- saml-05 and in draft-ietf-kitten-sasl-saml-ec-00.txt Native – Requires more specification work to decide about defining request and response (including error parameters). – May require less code.

Security Functionality Scope OAuth WG develops two HTTP-based security variants: – Bearer Token: v2-bearer/ v2-bearer/ – MAC Token: oauth-v2-http-machttp://tools.ietf.org/html/draft-ietf- oauth-v2-http-mac Other options: RFC 5849 (RSA signature method) or draft-balfanz-tls-obc-00 - TLS Origin-Bound Certificates What security mechanisms should be specified?

Discovery Certain OAuth profiles do not require OAuth support by the end host. Impacts design of discovery mechanism. – Proposals for discovery being discussed in the OAuth WG. E.g., draft-jones-simple-web- discovery. OAuth SASL is in a different position since end host changes are needed anyway. – A discovery mechanism could be incorporated into OAuth SASL.

Discovery, cont. Example from { "authorization_endpoint": " "issuer" : " "token_endpoint": " "user_info_endpoint": " "check_id_endpoint": " "refresh_session_endpoint": " "end_session_endpoint": " "jwk_document": " "registration_endpoint": " "scopes_supported": ["openid"], "flows_supported": ["code", "token"], "iso29115_supported": [" "identifiers_supported": ["public", "ppid"] } { "authorization_endpoint": " "issuer" : " "token_endpoint": " "user_info_endpoint": " "check_id_endpoint": " "refresh_session_endpoint": " "end_session_endpoint": " "jwk_document": " "registration_endpoint": " "scopes_supported": ["openid"], "flows_supported": ["code", "token"], "iso29115_supported": [" "identifiers_supported": ["public", "ppid"] }