Presentation is loading. Please wait.

Presentation is loading. Please wait.

Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,

Published byAlexandrina Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,"— Presentation transcript:

1 Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1, 26-Nov-2015 Agenda Item: Dynamic Authorization

2 Background There are currently five (5) high level dynamic authorization architectures, all with advantages and disadvantages – 4x access token-based proposals Delegation of existing authority – not issuing new authority – 1x Dynamic ACP Update New conditions for authorizing &/or updating ACPs – Authors’ opinion Access Tokens & Dyn ACP Update are complementary: suit different scenarios Strict deadline for stage 2 details NOTE: when we talk about dynamic authorization, we really mean delegating authority to an CSE/AE? 2

3 Suggestion Multiple Aspects to Dynamic Authorization 1.How is a delegation authorized? Architecture: Entities, Messages, parameters Protocol level details: Defining Policies 2.What parameters are exchanged over oneM2M msgs? 3.How is an delegation used in an access control decision? Why don’t we A.Leave (1) completely out of scope. Assume that an external Dynamic Authorization System (e.e.g Oauth, UMA) provides this functionality. Can always define a oneM2M-based Dyn Auth System in more detail in the future. B.Focus on (2) and (3). 3

4 Suggestion (2) Integrated with existing ACPs – Enhance ACPs to include rules which are compared against Authorized Delegations. – NOT alternative to ACPs. Align Token-based dyn auth and ACP-Update dyn auth – Token-Based  Client-Based Flow. – ACP Update  Server-Based Flow These two suggestions will have minimal impact on Architecture, and minimal work for us 4

5 Two new Data Objects Authorized Delegation (AuthzDlgn) – Outcome of the interaction with the Ext Dyn Authz System – Describes the authorization (in form of subject-managed roles) issued by an Authorization Server to one or more Originators on behalf of a Subject. Permitted Delegation Rule – (Optional) New parameters inside an access control rule. – A set of Regex matched against parameters of Authorized Delegation(s) and the request – When evaluating the access control rule, IF an Authorized Delegation matches a Permitted Delegation Rule, THEN behave as if Originator’s identifier was in accessControlOriginators. Further details in a few slides 5

6 Server-based Flow (ACP Update) 6

7 Client-based Flow (Token) 7

8 Implementation and Deployment Options The Originator and Client Agent could be i.Integrated to a single component and indistinguishable. ii.Distinct components on a single device. iii.Implemented on distinct Nodes. We should try to support options i + ii. – Option iii requires defining messages exchanged between devices. Won’t get this in Rel 2, maybe in future releases? We should support scenarios where a single Client Agent acts on behalf of multiple Originators. For example: i.App presents itself as multiple AEs, and App contain a Client Agent which acts on behalf of all these AEs. ii.A single Client Agent on a Node could act on behalf of multiple Originators on the same Node. iii.A Client Agent on a MN could act on behalf of multiple Originators on the MNs, ASNs and ADNs registered to that MN. 8

9 Summary of parameters 9 Parameter (JWT elements) Authorized Delegation Permitted Delegation Rule Matching rule Issuer (iss) AS FQDN [1]FQDN regex [1..n]Match one regex Subject (sub) AS-assigned Subject-ID [1] Subject-ID regex [0..n]Regex match. “anonymous” allowed Audience (aud) CSE-ID regex [0..n]Not presentHosting CSE-ID matches AuthzDlgn.aud Authorized Originators (azo) AE/CSE-ID regex [0..n] Orig.’s AE/CSE-ID matches both regexs Dyn Auth Roles (rol) Dyn Auth Role-ID [0..n] Dyn Auth Role-ID regex [0..n] At least one match between AuthzDlgn.rol matches PermDlgnRule.rol Access Token Usage (atu) Client-based only: “auto”, “required” Not present.See next slide azo, rol and atu would be new elements of JWT.

10 Access Token Usage parameter Message size is important. If can avoid resending access token, while still knowing that the Hosting CSE will still consider the Authorized Delegation, then that would be great! – Some scenarios require including access token in every request. Access Token Usage: – Assigned by Authz Server on behalf of Subject. – “required” The AuthzDlgn will be considered in subsequent requests only if they contain the access token. – “auto” The AuthzDlgn will be considered in all subsequent requests. 10

11 Other details JWT elements include – nbf: Not Before – exp: Expiry – iat: Issued At These elements can be provided in Authorized Delegations Permitted Delegation Rules can include similar elements to limit the time window in which it applies 11

Download ppt "Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,"

Similar presentations

Access Control Mechanism Discussion

Access Control Mechanism Discussion
SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: 2014-05-07 Discussion  Source: OBERTHUR Technologies Information  Contact:

SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Summary on the M2M CMDH Policies Management Object (MCMDHMO)

Summary on the M2M CMDH Policies Management Object (MCMDHMO)
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2014-12-18.

Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,

On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-19 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-08.

Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date: 2015-05-18.

End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date:
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-26 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: 2014-04-07 Agenda Item: Management.

Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: 2014-06-07 Agenda Item: ARC11/PRO11.

TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: Agenda Item: ARC11/PRO11.
Usage Scenarios for CSE Group Name: WG2(ARC-WG) Source: Shingo Meeting Date: 2013-09-19 Agenda Item: Message.

Usage Scenarios for CSE Group Name: WG2(ARC-WG) Source: Shingo Meeting Date: Agenda Item: Message.
WG 2 Progress Report at TP #8 Group Name: oneM2M TP #8 Source: WG2 leadership Meeting Date: 2013-12-09/13 Agenda Item: WG Reports.

WG 2 Progress Report at TP #8 Group Name: oneM2M TP #8 Source: WG2 leadership Meeting Date: /13 Agenda Item: WG Reports.
Work Group / Work Item Proposal Slide 1 © 2012 oneM2M Partners oneM2M-TP-2012-0007-oneM2M_Work_Group_Work_Item_Proposal Group name: Technical Plenary Source:

Work Group / Work Item Proposal Slide 1 © 2012 oneM2M Partners oneM2M-TP oneM2M_Work_Group_Work_Item_Proposal Group name: Technical Plenary Source:
AllJoyn-Interworking Discussion Group Name: TP WG2 ARC Source: Josef Blanz, Phil Hawkes, Qualcomm Inc., Meeting Date: 2015-05-18.

AllJoyn-Interworking Discussion Group Name: TP WG2 ARC Source: Josef Blanz, Phil Hawkes, Qualcomm Inc., Meeting Date:
Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-15.

Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

Similar presentations

Ads by Google