| Internet-Draft | Notification of Revoked Tokens in ACE | March 2022 |
| Tiloca, et al. | Expires 8 September 2022 | [Page] |
This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an Authorization Server to notify Clients and Resource Servers (i.e., registered devices) about revoked Access Tokens. The method allows Clients and Resource Servers to access a Token Revocation List on the Authorization Server, with the possible additional use of resource observation for the Constrained Application Protocol (CoAP). Resulting (unsolicited) notifications of revoked Access Tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on Clients and Resource Servers.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/ace/.¶
Source for this draft and an issue tracker can be found at https://github.com/ace-wg/ace-revoked-token-notification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 September 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Authentication and Authorization for Constrained Environments (ACE) [I-D.ietf-ace-oauth-authz] is a framework that enforces access control on IoT devices acting as Resource Servers. In order to use ACE, both Clients and Resource Servers have to register with an Authorization Server and become a registered device. Once registered, a Client can send a request to the Authorization Server, to obtain an Access Token for a Resource Server. For a Client to access the Resource Server, the Client must present the issued Access Token at the Resource Server, which then validates it before storing it (see Section 5.10.1.1 of [I-D.ietf-ace-oauth-authz]).¶
Even though Access Tokens have expiration times, there are circumstances by which an Access Token may need to be revoked before its expiration time, such as: (1) a registered device has been compromised, or is suspected of being compromised; (2) a registered device is decommissioned; (3) there has been a change in the ACE profile for a registered device; (4) there has been a change in access policies for a registered device; and (5) there has been a change in the outcome of policy evaluation for a registered device (e.g., if policy assessment depends on dynamic conditions in the execution environment, the user context, or the resource utilization).¶
As discussed in Section 6.1 of [I-D.ietf-ace-oauth-authz], only client-initiated revocation is currently specified [RFC7009] for OAuth 2.0 [RFC6749], based on the assumption that Access Tokens in OAuth are issued with a relatively short lifetime. However, this is not expected to be the case for constrained, intermittently connected devices, that need Access Tokens with relatively long lifetimes.¶
This document specifies a method for allowing registered devices to access and possibly subscribe to a Token Revocation List (TRL) resource on the Authorization Server, in order to obtain an updated list of revoked, but yet not expired, pertaining Access Tokens. In particular, registered devices can subscribe to the TRL at the Authorization Server by using resource observation [RFC7641] for the Constrained Application Protocol (CoAP) [RFC7252].¶
Unlike in the case of token introspection (see Section 5.9 of [I-D.ietf-ace-oauth-authz]), a registered device does not provide an owned Access Token to the Authorization Server for inquiring about its current state. Instead, registered devices simply obtain an updated list of revoked, but yet not expired, pertaining Access Tokens, as efficiently identified by corresponding hash values.¶
The benefits of this method are that it complements token introspection, and it does not require any additional endpoints on the registered devices. The only additional requirements for registered devices are a request/response interaction with the Authorization Server to access and possibly subscribe to the TRL (see Section 2), and the lightweight computation of hash values to use as Token identifiers (see Section 3).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with the terms and concepts described in the ACE framework for Authentication and Authorization [I-D.ietf-ace-oauth-authz], as well as with terms and concepts related to CBOR Web Tokens (CWTs) [RFC8392], and JSON Web Tokens (JWTs) [RFC7519]. The terminology for entities in the considered architecture is defined in OAuth 2.0 [RFC6749]. In particular, this includes Client, Resource Server, and Authorization Server.¶
Readers are also expected to be familiar with the terms and concepts related to CBOR [RFC8949], JSON [RFC8259], the CoAP protocol [RFC7252], CoAP Observe [RFC7641], and the use of hash functions to name objects as defined in [RFC6920].¶
Note that, unless otherwise indicated, the term "endpoint" is used here following its OAuth definition, aimed at denoting resources such as /token and /introspect at the Authorization Server, and /authz-info at the Resource Server. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol."¶
This specification also refers to the following terminology.¶
Pertaining Access Token:¶
This protocol defines how a CoAP-based Authorization Server informs Clients and Resource Servers, i.e., registered devices, about pertaining revoked Access Tokens. How the relationship between a registered device and the Authorization Server is established is out of the scope of this specification.¶
At a high level, the steps of this protocol are as follows.¶
When a device registers at the Authorization Server, it also receives the url-path to the TRL resource.¶
After the registration procedure is finished, the registered device can send an Observation Request to the TRL resource as described in [RFC7641], i.e., a GET request with an Observe option set to 0 (register). By doing so, the registered device effectively subscribes to the TRL resource, as interested to receive notifications about its update. Upon receiving the request, the Authorization Server adds the registered device to the list of observers of the TRL resource.¶
At any time, the registered device can send a GET request to the TRL endpoint. When doing so, it can request for: the current list of pertaining revoked Access Tokens (see Section 6); or the most recent TRL updates occurred over the list of pertaining revoked Access Tokens (see Section 7). In either case, the registered device may especially rely on an Observation Request for subscribing to the TRL resource as discussed above.¶
When an Access Token is revoked, the Authorization Server adds the corresponding token hash to the TRL. Also, when a revoked Access Token eventually expires, the Authorization Server removes the corresponding token hash from the TRL.¶
In either case, after updating the TRL, the Authorization Server sends Observe Notifications as per [RFC7641]. That is, an Observe Notification is sent to each registered device subscribed to the TRL resource and to which the Access Token pertains.¶
Depending on the specific subscription established through the observation request, the notification provides the current updated list of revoked Access Tokens in the portion of the TRL pertaining to that device (see Section 6), or rather the most recent TRL updates occurred over that list of pertaining revoked Access Tokens (see Section 7).¶
Further Observe Notifications may be sent, consistently with ongoing additional observations of the TRL resource.¶
Figure 1 shows a high-level overview of the service provided by this protocol. In particular, it shows the Observe Notifications sent by the Authorization Server to one administrator and four registered devices, upon revocation of the issued Access Tokens t1, t2 and t3, with token hash th1, th2 and th3, respectively. Each dotted line associated with a pair of registered devices indicates the Access Token that they both own.¶
+----------------------+
| Authorization Server |
+-----------o----------+
revoke/trl | TRL: {th1,th2,th3}
|
+-----------------+------------+------------+------------+
| | | | |
| th1,th2,th3 | th1,th2 | th1 | th3 | th2,th3
v v v v v
+---------------+ +----------+ +----------+ +----------+ +----------+
| Administrator | | Client 1 | | Resource | | Client 2 | | Resource |
| | | | | Server 1 | | | | Server 2 |
+---------------+ +----------+ +----------+ +----------+ +----------+
: : : : : :
: : t1 : : t3 : :
: :........: :............: :
: t2 :
:...........................................:
Section 10 provides examples of the protocol flow and message exchange between the Authorization Server and a registered device.¶
The token hash of an Access Token is computed as follows.¶
The Authorization Server defines ENCODED_TOKEN, as the content of the 'access_token' parameter in the Authorization Server response (see Section 5.8.2 of [I-D.ietf-ace-oauth-authz]), where the Access Token was included and provided to the requesting Client.¶
Note that the content of the 'access_token' parameter is either:¶
The Authorization Server defines HASH_INPUT as follows.¶
If JSON was used to transport the Access Token (as a CWT or JWT), HASH_INPUT takes the serialization of ENCODED_TOKEN.¶
In either case, HASH_INPUT results in the binary representation of the content of the 'access_token' parameter from the Authorization Server response.¶
The Authorization Server generates a hash value of HASH_INPUT as per Section 6 of [RFC6920]. The resulting output in binary format is used as the token hash. Note that the used binary format embeds the identifier of the used hash function, in the first byte of the computed token hash.¶
The specifically used hash function MUST be collision-resistant on byte-strings, and MUST be selected from the "Named Information Hash Algorithm" Registry [Named.Information.Hash.Algorithm].¶
The Authorization Server specifies the used hash function to registered devices during their registration procedure (see Section 8).¶
2.01 Created
Content-Format: application/ace+cbor
Max-Age: 85800
Payload:
{
access_token : h'd08344a1...'
(remainder of the Access Token omitted for brevity)
token_type : pop,
expires_in : 86400,
profile : coap_dtls,
(remainder of the response omitted for brevity)
}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
Payload:
{
"access_token" : "2YotnFZFEjr1zCsicMWpAA"
(remainder of the Access Token omitted for brevity)
"token_type" : "pop",
"expires_in" : 86400,
"profile" : "coap_dtls",
(remainder of the response omitted for brevity)
}
Upon startup, the Authorization Server creates a single TRL resource, encoded as a CBOR array.¶
Each element of the array is a CBOR byte string, with value the token hash of an Access Token. The order of the token hashes in the CBOR array is irrelevant, and the CBOR array MUST be treated as a set in which the order has no significant meaning.¶
The TRL is initialized as empty, i.e., the initial content of the TRL resource representation MUST be an empty CBOR array.¶
The Authorization Server updates the TRL in the following two cases.¶
Consistent with Section 6.5 of [I-D.ietf-ace-oauth-authz], all communications between a caller of the TRL endpoint and the Authorization Server MUST be encrypted, as well as integrity and replay protected. Furthermore, responses from the Authorization Server to the caller MUST be bound to the caller's request.¶
The Authorization Server MUST implement measures to prevent access to the TRL endpoint by entities other than registered devices and authorized administrators.¶
The TRL endpoint supports only the GET method, and allows two types of query of the TRL.¶
Diff query: the Authorization Server returns a list of diff entries. Each diff entry is related to one of the most recent updates, in the portion of the TRL pertaining to the requester. The Authorization Server MAY support this type of query.¶
The entry associated with one of such updates contains a list of token hashes, such that: i) the corresponding revoked Access Tokens pertain to the requester; and ii) they were added to or removed from the TRL at that update. The processing of a diff query and the related response format are defined in Section 7.¶
The TRL endpoint allows the following query parameters in a GET request. The Authorization Server MUST silently ignore unknown query parameters.¶
'pmax': if included, it follows the semantics defined in Section 3.2.2 of [I-D.ietf-core-conditional-attributes]. This query parameter is relevant only in case the GET request is specifically an Observation Request, i.e., if it includes the CoAP Observe option set to 0 (register). In such a case, this parameter indicates the maximum time, in seconds, between two consecutive notifications for the observation in question, regardless whether the TRL resource has changed or not.¶
If the Observation Request does not include the 'pmax' parameter, the maximum time to consider is up to the Authorization Server. If the Observation Request includes the 'pmax' parameter, its value MUST be greater than zero, otherwise the Authorization Server MUST return a 4.00 (Bad Request) response.¶
If the GET request is not an Observation Request, the Authorization Server MUST ignore the 'pmax' parameter, in case this is included.¶
'diff': if included, it indicates to perform a diff query of the TRL (see Section 7). Its value MUST be either:¶
If the Authorization Server does not support diff queries, it ignores the query parameter 'diff' when present in the GET request and proceeds like when processing a full query of the TRL (see Section 6).¶
In order to produce a (notification) response to a GET request asking for a full query of the TRL, the Authorization Server performs the following actions.¶
From the current TRL resource representation, the Authorization Server builds a set HASHES, such that:¶
The Authorization Server sends a 2.05 (Content) Response to the requester, with a CBOR array 'full-set' as payload. Each element of the array specifies one of the token hashes from the set HASHES, encoded as a CBOR byte string.¶
The order of the token hashes in the CBOR array is irrelevant, i.e., the CBOR array MUST be treated as a set in which the order has no significant meaning.¶
The CDDL definition [RFC8610] of the CBOR array 'full-set' specified as payload in the response from the Authorization Server is provided below.¶
token-hash = bytes full-set = [* token-hash]
In order to produce a (notification) response to a GET request asking for a diff query of the TRL, the Authorization Server performs the following actions.¶
The Authorization Server prepares U = min(NUM, SIZE) diff entries, where SIZE <= N_MAX is the number of TRL updates pertaining to the requester and currently stored at the Authorization Server. That is, the diff entries are related to the U most recent TRL updates pertaining to the requester. In particular, the first entry refers to the most recent of such updates, the second entry refers to the second from last of such updates, and so on.¶
Each diff entry is a CBOR array 'diff-entry', which includes the following two elements.¶
The order of the token hashes in the CBOR arrays 'removed' and 'added' is irrelevant. That is, the CBOR arrays 'removed' and 'added' MUST be treated as a set in which the order of elements has no significant meaning.¶
The Authorization Server prepares a 2.05 (Content) Response for the requester, with a CBOR array 'diff-set' of U elements as payload. Each element of the CBOR array 'diff-set' specifies one of the CBOR arrays 'diff-entry' prepared at step 2 as diff entries.¶
Within the CBOR array 'diff-set', the CBOR arrays 'diff-entry' MUST be sorted to reflect the corresponding updates to the TRL in reverse chronological order. That is, the first 'diff-entry' element of 'diff-set' relates to the most recent update to the portion of the TRL pertaining to the requester. The second 'diff-entry' element of 'diff-set' relates to the second from last most recent update to that portion, and so on.¶
The CDDL definition [RFC8610] of the CBOR array 'diff-set' specified as payload in the response from the Authorization Server is provided below.¶
token-hash = bytes trl-patch = [* token-hash] diff-entry = [removed: trl-patch, added: trl-patch] diff-set = [* diff-entry]
If the Authorization Server supports diff queries:¶
The Authorization Server MUST return a 4.00 (Bad Request) response in case the query parameter 'diff' of the GET request specifies a value other than 0 or than a positive integer.¶
The response MUST have Content-Format "application/ace-trl+cbor". The payload of the response is a CBOR map, which MUST include the 'error' field with value 0 ("Invalid parameter value") and MAY include the 'error_description' field to provide additional context.¶
Appendix A discusses how performing a diff query of the TRL is in fact a usage example of the Series Transfer Pattern defined in [I-D.bormann-t2trg-stp].¶
Appendix B discusses how the execution of a diff query of the TRL can be further improved by using the "Cursor" pattern defined in Section 3.3 of [I-D.bormann-t2trg-stp].¶
During the registration process at the Authorization Server, an administrator or a registered device receives the following information as part of the registration response.¶
After the registration procedure is finished, the administrator or registered device can send a GET request to the TRL resource, including the CoAP Observe option set to 0 (register), in order to start an observation of the TRL resource at the Authorization Server as per Section 3.1 of [RFC7641]. The GET request can express the wish for a full query (see Section 6) or a diff query (see Section 7) of the TRL.¶
In case the request is successfully processed, the Authorization Server replies with a response specifying the CoAP response code 2.05 (Content) and including the CoAP Observe option. The payload of the response is formatted as defined in Section 6 or in Section 7, in case the GET yielded the execution of a full query or a diff query of the TRL, respectively.¶
Further details about the registration process at the Authorization Server are out of scope for this specification. Note that the registration process is also out of the scope of the ACE framework for Authentication and Authorization (see Section 5.5 of [I-D.ietf-ace-oauth-authz]).¶
When the TRL is updated (see Section 4.1), the Authorization Server sends Observe Notifications to the observers of the TRL resource. Observe Notifications are sent as per Section 4.2 of [RFC7641].¶
If the 'pmax' query parameter was specified in the Observation Request starting an observation (see Section 5), the Authorization Server might accordingly send additional Observe Notifications to the associated observer. That is, the Authorization Server ensures that no more than pmax seconds elapse between two consecutive notifications sent to that observer, regardless whether the TRL resource has changed or not. If the 'pmax' query parameter was not specified in the Observation Request, a possible maximum time to consider is up to the Authorization Server.¶
The payload of each Observe Notification is formatted as defined in Section 6 or in Section 7, in case the original Observation Request yielded the execution of a full query or a diff query of the TRL, respectively.¶
Furthermore, an administrator or a registered device can send additional GET requests to the TRL endpoint at any time, in order to retrieve the token hashes of the pertaining revoked Access Tokens. When doing so, the caller of the TRL endpoint can perform a full query (see Section 6) or a diff query (see Section 7).¶
When receiving a response from the TRL endpoint, a registered device MUST expunge every stored Access Token associated with a token hash specified in the response.¶
When a Resource Server RS receives a response from the TRL endpoint specifying the token hash H associated with a certain revoked Access Token, the RS might not have received and stored that Access Token yet. This occurs if the Access Token is revoked before it is successfully posted to the Authorization Information Endpoint at the RS (see Section 5.10.1 of [I-D.ietf-ace-oauth-authz]). Such a delay can be due, for example, to messages that get lost in transmission, or rather to the Client experiencing failures in sending or deliberately holding the Access Token back.¶
In such a case, the RS performs the following actions.¶
The RS MUST store the token hash H, until gaining knowledge that the associated revoked Access Token is also expired.¶
This can happen when receiving a subsequent response from the TRL endpoint (i.e., indicating that the token hash is not in the TRL portion pertaining to the RS anymore), or when the Access Token is posted to the Authorization Information Endpoint and is found to be expired based on its 'exp' claim [RFC7519], if included.¶
This section provides examples of interactions between a Resource Server RS as a registered device and an Authorization Server AS. The Authorization Server supports both full query and diff query of the TRL, as defined in Section 6 and Section 7, respectively.¶
The details of the registration process are omitted, but it is assumed that the Resource Server sends an unspecified payload to the Authorization Server, which replies with a 2.01 (Created) response.¶
The payload of the registration response is a CBOR map, which includes the following entries:¶
Furthermore, 'h(x)' refers to the hash function used to compute the token hashes, as defined in Section 3 of this specification and according to [RFC6920]. Assuming the usage of CWTs transported in CBOR, 'bstr.h(t1)' and 'bstr.h(t2)' denote the byte-string representations of the token hashes for the Access Tokens t1 and t2, respectively.¶
Figure 6 shows an interaction example considering a CoAP observation and a full query of the TRL.¶
RS AS
| |
| Registration: POST |
+-------------------------------------->|
| |
|<--------------------------------------+
| 2.01 CREATED |
| Payload: { |
| ... |
| "trl_path" = "revoke/trl", |
| "trl_hash" = "sha-256", |
| "n_max" = 10 |
| } |
| |
| GET Observe: 0 |
| coap://example.as.com/revoke/trl/ |
+-------------------------------------->|
| |
|<--------------------------------------+
| 2.05 CONTENT Observe: 42 |
| Payload: [] |
| . |
| . |
| . |
| |
| (Access Tokens t1 and t2 issued |
| and successfully submitted to RS) |
| . |
| . |
| . |
| |
| |
| (Access Token t1 is revoked) |
| |
|<--------------------------------------+
| 2.05 CONTENT Observe: 53 |
| Payload: [bstr.h(t1)] |
| . |
| . |
| . |
| |
| (Access Token t2 is revoked) |
| |
|<--------------------------------------+
| 2.05 CONTENT Observe: 64 |
| Payload: [bstr.h(t1), |
| bstr.h(t2)] |
| . |
| . |
| . |
| |
| (Access Token t1 expires) |
| |
|<--------------------------------------+
| 2.05 CONTENT Observe: 75 |
| Payload: [bstr.h(t2)] |
| . |
| . |
| . |
| |
| (Access Token t2 expires) |
| |
|<--------------------------------------+
| 2.05 CONTENT Observe: 86 |
| Payload: [] |
| |
Figure 7 shows an interaction example considering a CoAP observation and a diff query of the TRL.¶
The Resource Server indicates N=3 as value of the query parameter "diff", i.e., as the maximum number of diff entries to be specified in a response from the Authorization Server.¶
RS AS
| |
| Registration: POST |
+--------------------------------------------->|
| |
|<---------------------------------------------+
| 2.01 CREATED |
| Payload: { |
| ... |
| "trl_path" = "revoke/trl", |
| "trl_hash" = "sha-256", |
| "n_max" = 10 |
| } |
| |
| GET Observe: 0 |
| coap://example.as.com/revoke/trl?diff=3 |
+--------------------------------------------->|
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 42 |
| Payload: [] |
| . |
| . |
| . |
| |
| (Access Tokens t1 and t2 issued |
| and successfully submitted to RS) |
| . |
| . |
| . |
| |
| (Access Token t1 is revoked) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 53 |
| Payload: [ |
| [ [], [bstr.h(t1)] ] |
| ] |
| |
| |
| . |
| . |
| . |
| |
| (Access Token t2 is revoked) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 64 |
| Payload: [ |
| [ [], [bstr.h(t2)] ], |
| [ [], [bstr.h(t1)] ] |
| ] |
| . |
| . |
| . |
| |
| (Access Token t1 expires) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 75 |
| Payload: [ |
| [ [bstr.h(t1)], [] ], |
| [ [], [bstr.h(t2)] ], |
| [ [], [bstr.h(t1)] ] |
| ] |
| . |
| . |
| . |
| |
| (Access Token t2 expires) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 86 |
| Payload: [ |
| [ [bstr.h(t2)], [] ], |
| [ [bstr.h(t1)], [] ], |
| [ [], [bstr.h(t2)] ] |
| ] |
| |
Figure 8 shows an interaction example considering a CoAP observation and a full query of the TRL.¶
The example also considers one of the notifications from the Authorization Server to get lost in transmission, and thus not reaching the Resource Server.¶
When this happens, and after a waiting time defined by the application has elapsed, the Resource Server sends a GET request with no Observe Option to the Authorization Server, to perform a diff query of the TRL. The Resource Server indicates N=8 as value of the query parameter "diff", i.e., as the maximum number of diff entries to be specified in a response from the Authorization Server.¶
RS AS
| |
| Registration: POST |
+--------------------------------------------->|
| |
|<---------------------------------------------+
| 2.01 CREATED |
| Payload: { |
| ... |
| "trl_path" = "revoke/trl", |
| "trl_hash" = "sha-256", |
| "n_max" = 10 |
| } |
| |
| GET Observe: 0 |
| coap://example.as.com/revoke/trl/ |
+--------------------------------------------->|
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 42 |
| Payload: [] |
| . |
| . |
| . |
| |
| (Access Tokens t1 and t2 issued |
| and successfully submitted to RS) |
| . |
| . |
| . |
| |
| (Access Token t1 is revoked) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 53 |
| Payload: [bstr.h(t1)] |
| |
| . |
| . |
| . |
| |
| (Access Token t2 is revoked) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 64 |
| Payload: [bstr.h(t1), |
| bstr.h(t2)] |
| . |
| . |
| . |
| |
| (Access Token t1 expires) |
| |
|<---------------------------------------------+
| 2.05 CONTENT Observe: 75 |
| Payload: [bstr.h(t2)] |
| . |
| . |
| . |
| |
| (Access Token t2 expires) |
| |
| X<-------------------------------------+
| 2.05 CONTENT Observe: 86 |
| Payload: [] |
| . |
| . |
| . |
| |
| (Enough time has passed since |
| the latest received notification) |
| |
| GET |
| coap://example.as.com/revoke/trl?diff=8 |
+--------------------------------------------->|
| |
|<---------------------------------------------+
| 2.05 CONTENT |
| Payload: [ |
| [ [bstr.h(t2)], [] ], |
| [ [bstr.h(t1)], [] ], |
| [ [], [bstr.h(t2)] ], |
| [ [], [bstr.h(t1)] ] |
| ] |
| |
This specification defines a number of parameters that can be transported in the response from the TRL endpoint, when the response payload is encoded as a CBOR map. Note that such a response MUST use the Content-Format "application/ace-trl+cbor" defined in Section 14.2 of this specification.¶
The table below summarizes them, and specifies the CBOR value to use as abbreviation instead of the full descriptive name.¶
+-------------------+------------+-----------------------+ | Name | CBOR Value | CBOR Type | +-------------------+------------+-----------------------+ | full-set | TBD | array | | | | | +-------------------+------------+-----------------------+ | cursor | TBD | simple value "null" / | | | | unsigned integer | +-------------------+------------+-----------------------+ | diff-set | TBD | array | | | | | +-------------------+------------+-----------------------+ | more | TBD | simple value "true" | | | | or "false" | +-------------------+------------+-----------------------+ | error | TBD | int | | | | | +-------------------+------------+-----------------------+ | error_description | TBD | tstr | | | | | +-------------------+------------+-----------------------+
This specification defines a number of values that the Authorization Server can include as error identifiers, in the 'error' field of an error response from the TRL endpoint. This applies to error responses whose payload is encoded as a CBOR map and whose Content-Format is "application/ace-trl+cbor".¶
+-------+---------------------------+ | Value | Description | +-------+---------------------------+ | 0 | Invalid parameter value | +-------+---------------------------+ | 1 | Invalid set of parameters | +-------+---------------------------+ | 2 | Out of bound cursor value | +-------+---------------------------+
Security considerations are inherited from the ACE framework for Authentication and Authorization [I-D.ietf-ace-oauth-authz], from [RFC8392] as to the usage of CWTs, from [RFC7519] as to the usage of JWTs, from [RFC7641] as to the usage of CoAP Observe, and from [RFC6920] with regard to resource naming through hashes. The following considerations also apply.¶
The Authorization Server MUST ensure that each registered device can access and retrieve only its pertaining portion of the TRL. To this end, the Authorization Server can perform the required filtering based on the authenticated identity of the registered device, i.e., a (non-public) identifier that the Authorization Server can securely relate to the registered device and the secure association they use to communicate.¶
Disclosing any information about revoked Access Tokens to entities other than the intended registered devices may result in privacy concerns. Therefore, the Authorization Server MUST ensure that, other than registered devices accessing their own pertaining portion of the TRL, only authorized and authenticated administrators can retrieve the full TRL. To this end, the Authorization Server may rely on an access control list or similar.¶
If a registered device has many non-expired Access Tokens associated with itself that are revoked, the pertaining portion of the TRL could grow to a size bigger than what the registered device is prepared to handle upon reception, especially if relying on a full query of the TRL resource (see Section 6). This could be exploited by attackers to negatively affect the behavior of a registered device. Issuing Access Tokens with not too long expiration time could help reduce the size of a TRL, but an Authorization Server SHOULD take measures to limit this size.¶
Most of the communication about revoked Access Tokens presented in this specification relies on CoAP Observe Notifications sent from the Authorization Server to a registered device. The suppression of those notifications by an external attacker that has access to the network would prevent registered devices from ever knowing that their pertaining Access Tokens have been revoked. To avoid this, a registered device SHOULD NOT rely solely on the CoAP Observe notifications. In particular, a registered device SHOULD also regularly poll the Authorization Server for the most current information about revoked Access Tokens, by sending GET requests to the TRL endpoint according to a related application policy.¶
RFC EDITOR: Throughout this section, please replace [this document] with the RFC number of this specification and remove this note.¶
This document has the following actions for IANA.¶
IANA is asked to register the media type "application/ace-trl+cbor" for messages of the protocols defined in this document encoded in CBOR. This registration follows the procedures specified in [RFC6838].¶
Type name: application¶
Subtype name: ace-trl+cbor¶
Required parameters: N/A¶
Optional parameters: N/A¶
Encoding considerations: Must be encoded as CBOR map containing the protocol parameters defined in [this document].¶
Security considerations: See Section 13 of this document.¶
Interoperability considerations: N/A¶
Published specification: [this document]¶
Applications that use this media type: The type is used by Authorization Servers, Clients and Resource Servers that support the notification of revoked Access Tokens, according to a Token Revocation List maintained by the Authorization Server as specified in [this document].¶
Fragment identifier considerations: N/A¶
Additional information: N/A¶
Person & email address to contact for further information: <iesg@ietf.org>¶
Intended usage: COMMON¶
Restrictions on usage: None¶
Author: Marco Tiloca <marco.tiloca@ri.se>¶
Change controller: IESG¶
IANA is asked to add the following entry to the "CoAP Content-Formats" registry within the "CoRE Parameters" registry group.¶
Media Type: application/ace-trl+cbor¶
Encoding: -¶
ID: TBD¶
Reference: [this document]¶
This specification establishes the "ACE Token Revocation List Parameters" IANA registry. The registry has been created to use the "Expert Review" registration procedure [RFC8126]. Expert review guidelines are provided in Section 14.5. It should be noted that, in addition to the expert review, some portions of the registry require a specification, potentially a Standards Track RFC, to be supplied as well.¶
The columns of this registry are:¶
This registry has been initially populated by the values in Section 11. The Reference column for all of these entries refers to this document.¶
This specification establishes the "ACE Token Revocation List Errors" IANA registry. The registry has been created to use the "Expert Review" registration procedure [RFC8126]. Expert review guidelines are provided in Section 14.5. It should be noted that, in addition to the expert review, some portions of the registry require a specification, potentially a Standards Track RFC, to be supplied as well.¶
The columns of this registry are:¶
This registry has been initially populated by the values in Section 12. The Reference column for all of these entries refers to this document.¶
The IANA registries established in this document is defined as expert review. This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude.¶
Expert reviewers should take into consideration the following points:¶
Performing a diff query of the TRL as specified in Section 7 is a usage example of the Series Transfer Pattern defined in [I-D.bormann-t2trg-stp].¶
That is, a diff query enables the transfer of a series of TRL updates, with the Authorization Server specifying U <= N_MAX diff entries as the U most recent updates to the portion of the TRL pertaining to a registered device.¶
For each registered device, the Authorization Server maintains an update collection of maximum N_MAX items. Each time the TRL changes, the Authorization Server performs the following operations for each registered device.¶
When responding to a diff query request from a registered device (see Section 7), 'diff-set' is a subset of the collection associated with the requester, where each 'diff_entry' record is a series item from that collection. Note that 'diff-set' specifies the whole current collection when the value of U is equal to SIZE, i.e., the current number of series items in the collection.¶
The value N of the query parameter 'diff' in the GET request allows the requester and the Authorization Server to trade the amount of provided information with the latency of the information transfer.¶
Since the collection associated with each registered device includes up to N_MAX series item, the Authorization Server deletes the oldest series item when a new one is generated and added to the end of the collection, due to a new TRL update pertaining to that registered device. This addresses the question "When can the server decide to no longer retain older items?" in Section 3.2 of [I-D.bormann-t2trg-stp].¶
This section defines how the execution of a diff query of the TRL specified in Section 7 can be extended, by using the "Cursor" pattern of the Series Transfer Pattern (see Section 3.3 of [I-D.bormann-t2trg-stp]).¶
[ TODO¶
Merge what is defined below into the document body.¶
]¶
This has two benefits. First, the Authorization Server can avoid excessively big latencies when several diff entries have to be transferred, by delivering one adjacent subset at the time, in different diff query responses. Second, a requester can retrieve diff entries associated with TRL updates that, even if not the most recent ones, occurred after a TRL update indicated as reference point.¶
To this end, each series item X in an update collection is also associated with an unsigned integer 'index', with value the absolute counter of series items added to that collection until and including X, minus 1. That is, the first series item added to a collection has 'index' with value 0. Then, the values of 'index' are used as cursor information.¶
Within an update collection, the unsigned integer LAST_INDEX denotes the value of 'index' associated with the latest added series item, i.e., the total number of series items added to the collection minus 1.¶
Furthermore, the Authorization Server defines an unsigned integer MAX_DIFF_BATCH <= N_MAX, specifying the maximum number of diff entries to be included in a single diff query response. If supporting diff queries, the Authorization Server SHOULD provide registered devices and administrators with the value of MAX_DIFF_BATCH, upon their registration (see Section 8).¶
Finally, the full query and diff query exchanges defined in Section 6 and Section 7 are extended as follows.¶
In particular, successful responses from the TRL endpoint MUST use the Content-Format "application/ace-trl+cbor" defined in Section 14.2 of this specification.¶
When sending a 2.05 (Content) response to a full query request (see Appendix B.1), the response payload includes a CBOR map with the following fields, whose CBOR labels are defined in Section 11.¶
'cursor': this field MUST include either the CBOR simple value "null" (0xf6) or a CBOR unsigned integer.¶
The CBOR simple value "null" MUST be used to indicate that there are currently no TRL updates pertinent to the requester, i.e., the update collection for that requester is empty. This is the case from when the requester registers at the Authorization Server until a first update pertaining that requester occurs to the TRL.¶
Otherwise, the field MUST include a CBOR unsigned integer, encoding the 'index' value of the last series item in the collection, as corresponding to the most recent update pertaining to the requester occurred to the TRL.¶
In addition to the query parameter 'diff' (see Section 7), the requester can specify a query parameter 'cursor', with value an unsigned integer.¶
The Authorization Server MUST return a 4.00 (Bad Request) response in case the query parameter 'cursor' is present but the query parameter 'diff' is not present. The response MUST have Content-Format "application/ace-trl+cbor". The payload of the response is a CBOR map, which MUST include the 'error' field with value 1 ("Invalid set of parameters") and MAY include the 'error_description' field to provide additional context.¶
The Authorization Server composes a response to a diff query request (see Appendix B.3) as follows, depending on the parameters specified in the request and on the current status of the update collection for the requester.¶
If the collection associated with the requester has no elements, the Authorization Server returns a 2.05 (Content) diff query response.¶
The response payload includes a CBOR map with the following fields, whose CBOR labels are defined in Section 11.¶
If the update collection associated with the requester is not empty and the diff query request does not include the query parameter 'cursor', the Authorization Server returns a 2.05 (Content) diff query response.¶
The response payload includes a CBOR map with the following fields, whose CBOR labels are defined in Section 11.¶
'diff-set': this field MUST include a CBOR array, containing L = min(U, MAX_DIFF_BATCH) diff entries. In particular, the CBOR array is populated as follows.¶
The 'diff-set' CBOR array as well as the individual diff entries have the same format specified in Figure 5 and used for the response payload defined in Section 7.¶
'cursor': this field MUST include a CBOR unsigned integer. This takes the 'index' value of the series element of the collection included as first diff entry in the 'diff-set' CBOR array. That is, it takes the 'index' value of the series item in the collection corresponding to the most recent update pertaining to the requester and returned in this diff query response.¶
Note that 'cursor' takes the same 'index' value of the last series item in the collection when U <= MAX_DIFF_BATCH.¶
'more': this field MUST include the CBOR simple value "false" (0xf4) if U <= MAX_DIFF_BATCH, or the CBOR simple value "true" (0xf5) otherwise.¶
If 'more' has value "true", the requester can send a follow-up diff query request including the query parameter 'cursor', with the same value of the 'cursor' field included in this diff query response. As defined in Appendix B.4.3, this would result in the Authorization Server transferring the following subset of series items as diff entries, i.e., resuming from where interrupted in the previous transfer.¶
If the update collection associated with the requester is not empty and the diff query request includes the query parameter 'cursor' with value P, the Authorization Server proceeds as follows.¶
The Authorization Server MUST return a 4.00 (Bad Request) response in case the query parameter 'cursor' specifies a value other than 0 or than a positive integer.¶
The response MUST have Content-Format "application/ace-trl+cbor". The payload of the response is a CBOR map, which MUST include the 'error' field with value 0 ("Invalid parameter value") and MAY include the 'error_description' field to provide additional context.¶
The Authorization Server MUST return a 4.00 (Bad Request) response in case the 'cursor' parameter specifies a value strictly greater than the current LAST_INDEX for the update collection associated with the requester.¶
The response MUST have Content-Format "application/ace-trl+cbor". The payload of the response is a CBOR map, which MUST include the 'error' field with value 2 ("Out of bound cursor value") and the 'cursor' field with value the current LAST_INDEX for the update collection associated with the requester. The CBOR map MAY also include the 'error_description' field to provide additional context.¶
The Authorization Server returns a 2.05 (Content) diff query response formatted as follows, in case the series item X with 'index' having value P and the series item Y with 'index' having value P+1 are both not found in the collection associated with the requester. This occurs when the item Y (and possibly further ones after it) has been previously removed from the history of updates for that requester (see Appendix A).¶
The response payload includes a CBOR map with the following fields, whose CBOR labels are defined in Section 11.¶
With the combination ('cursor', 'more') = ("null", "true"), the Authorization Server is signaling that the update collection is in fact not empty, but that one or more series items have been lost due to their removal. These include the item with 'index' value P+1, that the requester wished to obtain as the first one following the specified reference point with 'index' value P.¶
When receiving this diff query response, the requester should send a new full query request to the Authorization Server, in order to fully retrieve the current pertaining portion of the TRL.¶
The Authorization Server returns a 2.05 (Content) diff query response formatted as follows, in case i) the series item X with 'index' having value P is found in the collection associated with the requester; or ii) the series item X is not found and the series item Y with 'index' having value P+1 is found in the collection associated with the requester.¶
The response payload includes a CBOR map with the following fields, whose CBOR labels are defined in Section 11.¶
'diff-set': this field MUST include a CBOR array, containing L = min(SUB_U, MAX_DIFF_BATCH) diff entries, where SUB_U = min(NUM, SUB_SIZE), and SUB_SIZE is the number of series items in the collection following the series item X.¶
That is, these are the L updates pertaining to the requester that immediately follow the series item X indicated as reference point. In particular, the CBOR array is populated as follows.¶
The 'diff-set' CBOR array as well as the individual diff entries have the same format specified in Figure 5 and used for the response payload defined in Section 7.¶
'cursor': this field MUST include a CBOR unsigned integer. In particular:¶
Note that 'cursor' takes the same 'index' value of the last series item in the collection when SUB_U <= MAX_DIFF_BATCH.¶
'more': this field MUST include the CBOR simple value "false" (0xf4) if SUB_U <= MAX_DIFF_BATCH, or the CBOR simple value "true" (0xf5) otherwise.¶
If 'more' has value "true", the requester can send a follow-up diff query request including the query parameter 'cursor', with the same value of the 'cursor' field specified in this diff query response. This would result in the Authorization Server transferring the following subset of series items as diff entries, i.e., resuming from where interrupted in the previous transfer.¶
RFC EDITOR: Please remove this section.¶
The authors sincerely thank Carsten Bormann, Benjamin Kaduk, Marco Rasori, Michael Richardson, Jim Schaad, Goeran Selander and Travis Spencer for their comments and feedback.¶
The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).¶