Presentation is loading. Please wait.

Presentation is loading. Please wait.

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

Published byRosalyn Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig."— Presentation transcript:

1 OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

2 1.Motivation behind draft-maler-ace-oauth-uma-00.txt. 2.Mapping of existing IAM technologies to: – draft-ietf-ace-usecases-04.txt – draft-gerdes-ace-actors-05.txt 3.Door lock scenario. 4.Example flows using OAuth2/UMA. – Non-constrained – Constrained 5.Work needed to adopt IAM stack to constrained devices to fulfil the door lock scenario. Agenda

3 Approach of adapting already standardized and deployed technologies. Connect things, both big and small, to existing IAM infrastructures. – Use capabilities in AS today. Web and IoT is a continuum rather than an either or. Draft is an overview of OAuth2 and UMA for constrained devices. Motivation

4 "Existing authentication and authorization protocols will be evaluated and used where applicable to build the constrained-environment solution. This requires relevant specifications to be reviewed for suitability, selecting a subset of them and restricting the options within each of the specifications.” Extract from IETF ACE Charter

5 Problem statementExisting IAM technology Reason * U1.7 The container owner and the fruit vendor may not be present at the time of access and cannot manually intervene in the authorization process. OAuth2School book OAuth2 (with refresh tokens) * U4.1 The building owner and the companies want to be able to add new devices to their administrative domain (commissioning). UMAUMA provides resource set registration. * U4.9 The companies want to be able to interconnect their own subsystems with those from a different operational domain while keeping the control over the authorizations (e.g. granting and revoking permissions) for their endpoints and devices. OpenID ConnectWith the help of identity federation you can take authorization decisions based on authentication done in other domains. * U5.7 When authorization policies are updated it is impossible, or at least very inefficient to contact all affected endpoints directly. IntrospectionIntrospection endpoint makes it possible to always have up to date policies, even when tokens are long lived.. * U1.11 Messages between client and resource server might need to be forwarded over multiple hops. Object securityThat will need object security. Mapping of use cases to existing IAM technologies

6 Problem statementExisting IAM technology Reason U4.5 The building owner and the companies want to be able to define context-based authorization rules. Claims gatheringTo be able to verify if a person really is from the fire department they could ask for additional claims from third party systems. Actors draft: “One of the use cases of [I-D.ietf-ace-usecases] describes spontaneous change of access policies - e.g. giving a hitherto unknown client the right to temporarily unlock your house door. “ Dynamic client registration All clients that will communicate with the AS need client creds and registration to be able to authenticate. Actors draft: "In some use cases RS needs to authenticate some property of C, in order to bind it to the relevant authorization information. In other use cases, authentication and authorization of C may be implicit, e.g. by encrypting the resource representation the RS only providing access to those who possess the key to decrypt." POP tokensPOP tokens also makes it possible to authenticate a C using a private key. Actors draft: “We assume that the necessary keys/credentials for protecting the control information between the potentially constrained nodes and their associated less- constrained nodes are pre-established, for example as part of the commissioning procedure.” Key provisioning using SCEP, EST and others. Client credentials needs to be pre- provisioned to clients and the resource owners.

7 To see the feasibility of the existing IAM technologies we the door lock use case. Buy 100 new fancy connected door locks. Your users, authentication, authorization and reporting. – Use own AS instead of lock-vendors AS. Door lock use case

8 Authentication and authorization to the door lock Operator from office maintenance department mounts locks in doors. Operator now wants to initialize door lock in companies cloud door management system that includes an AS. Operator starts an app and authenticate to AS and is authorized retrieve a token that lets a lock add it self to the system. Phone sends token over BLE to lock and bundles info about system and AS. Door lock requests and receives keys and registers it self.

9 Door lock access All employees of an organization have phone app. Phone sends a token to door, token is verified and the door is opened. Different policies – Daytime access, direct access. – Nighttime access, extra PIN.

10 Use cases shows following abstract interactions.

11 Abstract bootstrap flows – Step 1 Out of scope for this talk but not from the use case. Resource servers and clients needs resource discovery, AS URI, and provisioning keys. Given to device by: Chip manufacturer OEM Operator

12 Abstract bootstrap flows – Step 2 Resource server registers to Authorization Server – using a predefined server – to any server Client registers to Authorization Server

13 Abstract access flows Several difference access scenarios – Resource Server (door) and Client (phone or open button) are both online. – Resource Server is offline, but Client is online. – Client is offline, but Resource Server is online. – Resource server and client are both offline. Different constraints – Neither the Resource Server and the Client is constrained. – One of them are constrained. – Resource Server and the Client are both constrained.

14 Existing IAM technology in AS Unconstrained resource server and client.

15 +--------------+ | resource | +--------------- bootstrap (A)--------- | owner | | +--------------+ | v +------------+ +----------+---------------------+ | | |protection| | | resource | | API | authorization | | server |--Registers -->| (needs | server | | | | PAT) | | +------------+ +----------+---------------------+ Bootstrapping resource registration

16 +--------+ +---------------+ | |-(A)- Authorization Request RFC6749 ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant RFC6749 --| | | | +---------------+ | | | | +---------------+ | |--(C)- Authorization Grant RFC6749 -->| Authorization | | Client | | Server | | |<-(D)---- Access Token RFC6749 -------| | | | +---------------+ | | ^ | | | draft-richer-oauth-introspection-06 (F)| |(G) | | | v | | +---------------+ | |--(E)----- Access Token RFC6750 ----->| Resource | | | | Server | | |<-(H)----- Protected Resource --------| | +--------+ +---------------+ Both online

17 +--------+ +---------------+ | |-(A)- Authorization Request RFC6749 --->| Resource | | | | Owner | | |<-(B)-- Authorization Grant RFC6749 ----| | | | +---------------+ | | | | +---------------+ | |-(C)-- Authorization Grant JWT/(POP) -->| Authorization | | Client | | Server | | |<-(D)----- Access Token JWT/(POP) ------| | | | +---------------+ | | | | +---------------+ | |---(E)--- AT - RFC6750/(Signed HTTP) -->| Resource | | | | Server | | |<-(F)----- Protected Resource ----------| | +--------+ +---------------+ Both offline

18 Adopted technologies for constrained devices Constrained client and resource server

19 +--------------+ | resource | +--------------- bootstrap (A)--------- | owner | | +--------------+ | v +------------+ +----------+---------------------+ | | |protection| | | resource | | API | authorization | | server |-- Registers over CoAP --->| (needs | server | | | | PAT) | | +------------+ +----------+---------------------+ Bootstrapping resource registration

20 +--------+ | | +---------------+ | |-(A) Authorization Req. draft-tschofenig-ace-oauth-iot ->| Authorization | | Client | | Server | | | | | | | +---------------+ | | ^ | | | draft-wahlstroem-ace-oauth-introspection (E)| |(F) | | | v | | +---------------+ | |--(C)------- draft-tschofenig-ace-oauth-bt-01 --------->| Resource | | | | Server | | |<-(D)-------------- Protected Resource ------------------| | +--------+ +---------------+ Resource Server and Client are both online

21 +--------+ | | +---------------+ | | -------(A) Authorization Req. draft-tschofenig-ace-oauth-iot ----> | Authorization | | Client | | Server | | |<-----(B) Authorization Res. POP -----------| | | | +---------------+ | | | | +---------------+ | | --(C)---------- draft-tschofenig-ace-oauth-bt-01 / OSCoAP ------> | Resource | | | | Server | | |<-(D)------- Protected Resource ------------| | +--------+ +---------------+ Both offline

22 FunctionSpec Initial device provisioning (keys, config) Discovery (/.well-known/ mapping) CoAP mapping of UMA resource-set registration CoAP dynamic client registration CoAP client credentials grant flowdraft-tschofenig-ace-oauth-iot-01 CoAP bearer tokendraft-tschofenig-ace-oauth-bt-01 CoAP introspection endpointdraft-wahlstroem-ace-oauth-introspection-01 Object securitydraft-selander-ace-object-security-02 CoAP mapping for claims gathering in UMA POP key distributionOAuth PoP Document Roadmap Out of scope, but needed access offline / proof of possession bootstrap

23 Seeking input from other IAM vendors on the integration with existing infrastructure. Work on missing specifications Gain more implementation experience Next steps

Download ppt "OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig."

Similar presentations

Secure RESTful Interface Profile Phase 1 Briefing

Secure RESTful Interface Profile Phase 1 Briefing
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
CONNECT as an Interoperability Platform - Demo. Agenda Demonstrate CONNECT “As an Evolving Interoperability Platform” –Incremental addition of features.

CONNECT as an Interoperability Platform - Demo. Agenda Demonstrate CONNECT “As an Evolving Interoperability Platform” –Incremental addition of features.
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.
1 Design Patterns for Connected Devices Hannes Tschofenig Michael Koster.

1 Design Patterns for Connected Devices Hannes Tschofenig Michael Koster.
ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.

ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft.

Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft.
A Flexible Access Control Model for Web Services Elisa Bertino CERIAS and CS Department, Purdue University Joint work with Anna C. Squicciarini – University.

A Flexible Access Control Model for Web Services Elisa Bertino CERIAS and CS Department, Purdue University Joint work with Anna C. Squicciarini – University.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
UMA’s relationship to distributed authorization concepts 19 October 2013

UMA’s relationship to distributed authorization concepts 19 October 2013
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Similar presentations

Ads by Google