• Home

  • Documents

  • A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00
11
A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

  • Upload
    tirza

  • View
    44

  • Download
    0

Embed Size (px)

DESCRIPTION

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00. William Mills Tim Showalter Hannes Tschofenig. J. F. M. A. M. J. J. A. S. O. N. D. 2010. J. F. M. A. M. J. J. A. S. O. N. D. 2011. Status. Indiv- 04. Indiv- 03. Indiv-02. Indiv-01. Indiv-00. - PowerPoint PPT Presentation

Citation preview

Page 1: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

A SASL and GSS-API Mechanism for OAuthdraft-ietf-kitten-sasl-oauth-00

William MillsTim Showalter

Hannes Tschofenig

http://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/
Page 2: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Status

J F M A M J J A S O N D J F M A M J J A S O N D2010 2011

Indiv-00

Indiv-01

draft-mills-kitten-sasl-oauth

Indiv-02

WG item -00

IETF#82

draft-ietf-kitten-sasl-oauth

Indiv-03

Indiv-04

IETF#81IETF#80IETF#79IETF#78

Page 3: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Status, cont.

• draft-ietf-kitten-sasl-oauth-00.txt submitted as WG item this Monday.– Content of draft-mills-kitten-sasl-oauth-04 and

draft-ietf-kitten-sasl-oauth-00.txt identical! • -04 version saw a number of changes: – Abstract and Introduction modified– Sections restructured.– References updated– Editorial bugfix

Page 4: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Reminder: Architecture ----+ +--------+ +---------------+ | | |--(A)-- Authorization Request --->| Resource | | | | | Owner | |Plain | |<-(B)------ Access Grant ---------| | |OAuth | | +---------------+ |2.0 | | | | | Client Credentials & +---------------+ | | |--(C)------ Access Grant -------->| Authorization | | | Client | | Server | | | |<-(D)------ Access Token ---------| | | | | (w/ Optional Refresh Token) +---------------+ | | | ----+ | | | | ----+ | | (Optional discovery) +---------------+ | | |--(1)------- User Name --------->| | | | Client | | | | | |<-(2)------ Authentication -------| | | | | endpoint information | Resource | |OAuth | | | Server | |over | |--(E)------ Access Token -------->| | |SASL/ | | | | |GSS- | |<-(F)---- Protected Resource -----| | |API +--------+ +---------------+ | ----+

Page 5: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Design Decisions

• (1) OAuth Integration into SASLa) HTTP-Styleb) Native

• (2) Security Functionality Scopea) Bearer Token Supportb) MAC securityc) Public Key security

• (3) Discoverya) Part of OAuth SASL specificationb) Independent mechanism

Page 6: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

OAuth Integration into SASL(a) HTTP-based Style

GET / HTTP/1.1Host: server.example.comUser: [email protected]: MAC token="h480djs93hd8",

timestamp="137131200”, nonce="dj83hs9s", signature="YTVjyNSujYs1WsDurFnvFi4JK6o="

GET / HTTP/1.1 Host: imap.example.com Authorization: BEARER

"vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg=="

Page 7: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

OAuth Integration into SASL(b) Native

TOKEN= "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==",SCOPE="foo"

Page 8: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

OAuth Integration into SASL

• HTTP-Style– Re-uses HTTP parsing library, re-uses Oauth

specifications as much as possible, similar to tunneling request/responses defined in draft-ietf-kitten-sasl-saml-05 and in draft-ietf-kitten-sasl-saml-ec-00.txt

• Native– Requires more specification work to decide about

defining request and response (including error parameters).

– May require less code.

Page 9: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Security Functionality Scope• OAuth WG develops two HTTP-based security

variants: – Bearer Token:

http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/

– MAC Token:http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

• Other options: RFC 5849 (RSA signature method) or draft-balfanz-tls-obc-00 - TLS Origin-Bound Certificates

• What security mechanisms should be specified?

http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00
Page 10: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Discovery

• Certain OAuth profiles do not require OAuth support by the end host.

• Impacts design of discovery mechanism. – Proposals for discovery being discussed in the

OAuth WG. E.g., draft-jones-simple-web-discovery.• OAuth SASL is in a different position since end

host changes are needed anyway. – A discovery mechanism could be incorporated into

OAuth SASL.

Page 11: A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00

Discovery, cont.Example from http://openid.net/specs/openid-connect-discovery-1_0.html

{ "authorization_endpoint": "https://example.com/connect/authorize", "issuer" : "https://example.com", "token_endpoint": "https://example.com/connect/token" "user_info_endpoint": "https://example.com/connect/user", "check_id_endpoint": "https://example.com/connect/check_id", "refresh_session_endpoint": "https://example.com/connect/refresh_session", "end_session_endpoint": "https://example.com/connect/end_session", "jwk_document": "https://example.com/jwk.json", "registration_endpoint": "https://example.com/connect/register", "scopes_supported": ["openid"], "flows_supported": ["code", "token"], "iso29115_supported":

["http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf"], "identifiers_supported": ["public", "ppid"]}

http://openid.net/specs/openid-connect-discovery-1_0.html

Surviving Cyrus SASL - Ralf Hildebrandt

Surviving Cyrus SASL - Ralf Hildebrandt

Documents
SASL Sorrento 2012

SASL Sorrento 2012

Documents
WordPress + OAuth

WordPress + OAuth

Technology
oAuth test

oAuth test

Documents
Oauth Tutorial

Oauth Tutorial

Documents
System Application Support Librarieserlang.org/documentation/doc-5.8.3/lib/sasl-2.1.9.3/doc/pdf/sasl-2...• alarm handling • overload ... configuration parameters for sasl,

System Application Support Librarieserlang.org/documentation/doc-5.8.3/lib/sasl-2.1.9.3/doc/pdf/sasl-2...• alarm handling • overload ... configuration parameters for sasl,

Documents
Stunning kitten

Stunning kitten

Lifestyle
OAuth Tokens

OAuth Tokens

Education
Kitten & Super Kitten Refurbishment Programme

Kitten & Super Kitten Refurbishment Programme

Self Improvement
The Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

Documents
OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

Documents
SASL brochure

SASL brochure

Documents
KITTEN CARE - Carriecatscarriecats.com/PDFs/KittenCareProductsEyeCareNew1.pdf · · Kitten Foods/Dry&Wet (Royal Canin Babycat, Kitten 34, Purina 1 & Pro Plan or Purina Kitten Chow)

KITTEN CARE - Carriecatscarriecats.com/PDFs/KittenCareProductsEyeCareNew1.pdf · · Kitten Foods/Dry&Wet (Royal Canin Babycat, Kitten 34, Purina 1 & Pro Plan or Purina Kitten Chow)

Documents
H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

Documents
Surviving Cyrus SASL

Surviving Cyrus SASL

Documents
Kitten Guide

Kitten Guide

Documents
OAuth Passport

OAuth Passport

Documents
Neonatal Kitten Care - Animal Sheltering Online by …...Neonatal Kitten Care 3 Average Kitten Weight Colostrum The first milk that a kitten receives is colostrum. Colostrum is a protein

Neonatal Kitten Care - Animal Sheltering Online by …...Neonatal Kitten Care 3 Average Kitten Weight Colostrum The first milk that a kitten receives is colostrum. Colostrum is a protein

Documents
Entendiendo oAuth

Entendiendo oAuth

Documents
Kitten Health Care Information Kitten Health Care Information Your ...€¦ · Kitten Health Care Information Kitten Health Care Information Toilet Training Most kittens are very

Kitten Health Care Information Kitten Health Care Information Your ...€¦ · Kitten Health Care Information Kitten Health Care Information Toilet Training Most kittens are very

Documents
The Construction of an SASL-Compiler · SASL. In contrast to various other compiler construction courses, we did not invent SASL as a toy language specific to this course. SASL (St

The Construction of an SASL-Compiler · SASL. In contrast to various other compiler construction courses, we did not invent SASL as a toy language specific to this course. SASL (St

Documents
Painless OAuth

Painless OAuth

Technology
SASL Reference Manual - xp-soaring.github.io

SASL Reference Manual - xp-soaring.github.io

Documents
Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Documents
PET HOTEL. It’s my pet It’s a kitten! It’s a black kitten Stroke the kitten! It’s a hungry kitten. Feed the kitten! It’s a little kitten

PET HOTEL. It’s my pet It’s a kitten! It’s a black kitten Stroke the kitten! It’s a hungry kitten. Feed the kitten! It’s a little kitten

Documents
Twitter oauth

Twitter oauth

Documents
Incorporating OAuth: How to integrate OAuth into your mobile app

Incorporating OAuth: How to integrate OAuth into your mobile app

Technology
The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
OAuth 2 - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/OAuth2.0from...OAuth 2.0 From scratch What is OAuth 2 •OAuth 2 is an authorization framework that enables applications

OAuth 2 - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/OAuth2.0from...OAuth 2.0 From scratch What is OAuth 2 •OAuth 2 is an authorization framework that enables applications

Documents