Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Slides:

Advertisements

Similar presentations

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.

Advertisements

Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

WSO2 Identity Server Road Map

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig.

Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

Internet Research Task Force Crypto Forum Research Group IETF 89 March 3, 2014 London List: Chairs:

Remotely authenticating against the Service Framework.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

MANET Where are we? Where are we going? Adrian Farrel Routing AD Honolulu – November 2015 – IETF-91.

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.

(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

IETF Trade WG Adelaide, South Australia 29 March 2000 Donald E. Eastlake, 3rd

RUCUS BOF IETF-71 IETF Exploratory Groups Bernard Aboba Microsoft Corporation Laksminath Dondeti Qualcomm, Inc. March 10, 2008 Philadelphia, PA.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

HIP research group 1 HIP-RG meeting IETF 79 November 9, 2010 Andrei Gurtov and Tom Henderson

AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.

OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Web Authorization Protocol (oauth) IETF 90, Toronto Chairs: Hannes Tschofenig, Derek Atkins Responsible AD: Kathleen Moriarty Mailing List:

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

March 19, 2003AAA WG, IETF 561 AAA WG Meeting IETF 56 San Francisco, CA March 19, 2003.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Today’s Applications Web API Browser Native app Web API Web API

#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson

IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Public Key Infrastructure Using X.509 (PKIX) Working Group

Dr. Michael B. Jones Identity Standards Architect at Microsoft

Consuming OAuth Services in Alfresco Share

Hannes Tschofenig, Derek Atkins

Phil Hunt, Hannes Tschofenig

WMarket For Developers API && Authorization.

56th IETF syslog WG Chair: Chris Lonvick

Data Virtualization Tutorial… OAuth Example using Google Sheets

Chairs: Derek Atkins and Hannes Tschofenig

Agenda OAuth WG IETF 87 July, 2013.

FHIR BULK DATA API April 2018

OpenID Enhanced Authentication Profile (EAP) Working Group

A few recent days in the news…

Web Authorization Protocol (oauth)

OAuth Design Team Call 11th February 2013.

Token-based Authentication

Authorization Made Simple….Sort of

OpenID Enhanced Authentication Profile (EAP) Working Group

OpenID Enhanced Authentication Profile (EAP) Working Group

IETF Liaison Report January 2004 Dorothy Stanley – Agere Systems

Web Authorization Protocol (OAuth)

OpenID Enhanced Authentication Profile (EAP) Working Group

Presentation transcript:

Hannes Tschofenig, Blaine Cook

6/4/2016 IETF #77, SAAG 2 The Problem

6/4/2016 IETF #77, SAAG 3

6/4/2016 IETF #77, SAAG 4 The OAuth Approach

6/4/2016 IETF #77, SAAG 5

6/4/2016 IETF #77, SAAG 6 User Authenticated by Service Provider

6/4/2016 IETF #77, SAAG 7 User Authorizes Consumer to access Service

6/4/2016 IETF #77, SAAG 8 Consumer calls the Service Provider API

6/4/2016 IETF #77, SAAG 9 History

6/4/2016 IETF #77, SAAG 10 History November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.Google group July 2007: OAuth 1.0 (with code for major programming languages) September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) Deployment of OAuth well on it’s way:

6/4/2016 IETF #77, SAAG 11 History, cont. 1 st OAuth BOF (Minneapolis, November 2008, IETF#73) – BOF Chairs: Sam Hartman, Mark Nottingham – BOF went OK but a couple of charter questions couldn’t be resolved. 2 nd OAuth BOF (San Francisco, March 2009, IETF#74) – BOF Chairs: Hannes Tschofenig, Blaine Cook – Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting IETF wide review of the OAuth charter text (28 th April 2009) – Announcement: announce/current/msg06009.htmlhttp:// announce/current/msg06009.html OAuth working group was created (May 2009) – Chairs: Blaine Cook, Peter Saint Andre Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: –

6/4/2016 IETF #77, SAAG 12 The Protocol * requesting a token * presenting the token

6/4/2016 IETF #77, SAAG 13 Presenting a Token A  B: HTTP || Token [|| {Header, …, timestamp} key ] A  B: HTTP (200 OK) Questions: – What is signed and how? – Where does the token come from? – Where does the key come from?

6/4/2016 IETF #77, SAAG 14 Signatures Used to show ownership of token. 'The OAuth 1.0 Protocol‘ – Signatures based on symmetric & asymmetric key supported: – HMAC-SHA1 – RSA-SHA1 No signature = “bearer token”/ PLAINTEXT Extensions exist that sign other parts of the message: – OAuth Request Body Hash: – Going beyond HTTP  OAuth over XMPP

6/4/2016 IETF #77, SAAG 15 The Protocol * requesting a token * presenting the token

6/4/2016 IETF #77, SAAG 16 Requesting a Token Different ways to get a token exist. Example: WRAP – A  KDC: HTTP (get request access token) || credentials – A  KDC: Access Token [, Expires in] (also offers the approach of using a refresh token exchange) Example: OAuth 1.0 – A  B: HTTP (get request token) || credentials – A  B: request token > – A  B: HTTP (get access token) || request token – A  B: access token Other “flows” have been specified in WRAP Various authentication mechanisms specified.

6/4/2016 IETF #77, SAAG 17 Token

6/4/2016 IETF #77, SAAG 18 Token The token format is not standardized. Out-of-scope: *which* permissions were granted, and *how* those permissions are enforced Token may be created with constraints, for example regarding lifetime – OAuth 1.0 does not specify anything with this regard – WRAP provides a expires_in parameter.

6/4/2016 IETF #77, SAAG 19 Summary Work on delegated authentication in the APPs area in the OAuth group. OAuth 1.0: Community version published OAuth 2.0: Fusing WRAP, initial OAuth 2.0 OAuth WG met Monday afternoon. Interim meeting will be scheduled. Participation and early feedback desired, especially from security community