rfc9201.original | rfc9201.txt | |||
---|---|---|---|---|
ACE Working Group L. Seitz | Internet Engineering Task Force (IETF) L. Seitz | |||
Internet-Draft Combitech | Request for Comments: 9201 Combitech | |||
Intended status: Standards Track May 5, 2021 | Category: Standards Track March 2022 | |||
Expires: November 6, 2021 | ISSN: 2070-1721 | |||
Additional OAuth Parameters for Authorization in Constrained | Additional OAuth Parameters for Authentication and Authorization for | |||
Environments (ACE) | Constrained Environments (ACE) | |||
draft-ietf-ace-oauth-params-15 | ||||
Abstract | Abstract | |||
This specification defines new parameters and encodings for the OAuth | This specification defines new parameters and encodings for the OAuth | |||
2.0 token and introspection endpoints when used with the framework | 2.0 token and introspection endpoints when used with the framework | |||
for authentication and authorization for constrained environments | for Authentication and Authorization for Constrained Environments | |||
(ACE). These are used to express the proof-of-possession key the | (ACE). These are used to express the proof-of-possession key the | |||
client wishes to use, the proof-of-possession key that the | client wishes to use, the proof-of-possession key that the | |||
Authorization Server has selected, and the key the Resource Server | authorization server has selected, and the proof-of-possession key | |||
uses to authenticate to the client. | the resource server uses to authenticate to the client. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on November 6, 2021. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9201. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Revised BSD License text as described in Section 4.e of the | |||
the Trust Legal Provisions and are provided without warranty as | Trust Legal Provisions and are provided without warranty as described | |||
described in the Simplified BSD License. | in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology | |||
3. Parameters for the Token Endpoint . . . . . . . . . . . . . . 3 | 3. Parameters for the Token Endpoint | |||
3.1. Client-to-AS Request . . . . . . . . . . . . . . . . . . 3 | 3.1. Client-to-AS Request | |||
3.2. AS-to-Client Response . . . . . . . . . . . . . . . . . . 4 | 3.2. AS-to-Client Response | |||
4. Parameters for the Introspection Endpoint . . . . . . . . . . 6 | 4. Parameters for the Introspection Endpoint | |||
5. Confirmation Method Parameters . . . . . . . . . . . . . . . 7 | 5. Confirmation Method Parameters | |||
6. CBOR Mappings . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6. CBOR Mappings | |||
7. Requirements when using asymmetric keys . . . . . . . . . . . 8 | 7. Requirements When Using Asymmetric Keys | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 8. Security Considerations | |||
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | 9. Privacy Considerations | |||
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 10. IANA Considerations | |||
10.1. OAuth Parameter Registration . . . . . . . . . . . . . . 9 | 10.1. OAuth Parameter Registration | |||
10.2. OAuth Parameters CBOR Mappings Registration . . . . . . 9 | 10.2. OAuth Parameters CBOR Mappings Registration | |||
10.3. OAuth Token Introspection Response CBOR Mappings | 10.3. OAuth Token Introspection Response CBOR Mappings | |||
Registration . . . . . . . . . . . . . . . . . . . . . . 10 | Registration | |||
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 | 11. References | |||
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 11.1. Normative References | |||
12.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 11.2. Informative References | |||
12.2. Informative References . . . . . . . . . . . . . . . . . 11 | Acknowledgments | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 | Author's Address | |||
1. Introduction | 1. Introduction | |||
The Authentication and Authorization for Constrained Environments | The Authentication and Authorization for Constrained Environments | |||
(ACE) specification [I-D.ietf-ace-oauth-authz] requires some new | (ACE) specification [RFC9200] requires some new parameters for | |||
parameters for interactions with the OAuth 2.0 [RFC6749] token and | interactions with the OAuth 2.0 [RFC6749] token and introspection | |||
introspection endpoints, as well as some new claims to be used in | endpoints, as well as some new claims to be used in access tokens. | |||
access tokens. These parameters and claims can also be used in other | These parameters and claims can also be used in other contexts and | |||
contexts and have therefore been put into a dedicated document, to | have therefore been put into a dedicated document to facilitate their | |||
facilitate their use in a manner independent of | use in a manner independent of [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. | ||||
Note that although all examples are shown in Concise Binary Object | Note that although all examples are shown in Concise Binary Object | |||
Representation (CBOR) [RFC8949], JSON [RFC8259] MAY be used as an | Representation (CBOR) [RFC8949], JSON [RFC8259] MAY be used as an | |||
alternative for HTTP-based communications, as specified in | alternative for HTTP-based communications, as specified in [RFC9200]. | |||
[I-D.ietf-ace-oauth-authz]. | ||||
2. Terminology | 2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
Readers are assumed to be familiar with the terminology from | Readers are assumed to be familiar with the terminology from | |||
[I-D.ietf-ace-oauth-authz], especially the terminology for entities | [RFC9200], especially the terminology for entities in the | |||
in the architecture such as client (C), resource server (RS) and | architecture such as client (C), resource server (RS), and | |||
authorization server (AS). | authorization server (AS). | |||
Terminology from [RFC8152] is used in the examples, especially | Terminology from [RFC8152] is used in the examples, especially | |||
COSE_Key defined in section 7 of [RFC8152]. | COSE_Key, which is defined in Section 7 of [RFC8152]. | |||
Note that the term "endpoint" is used here following its OAuth 2.0 | Note that the term "endpoint" is used here following its OAuth 2.0 | |||
[RFC6749] definition, which is to denote resources such as token and | [RFC6749] definition, which is to denote resources such as token and | |||
introspection at the AS and authz-info at the RS. The Constrained | introspection at the AS and authz-info at the RS. The Constrained | |||
Application Protocol (CoAP) [RFC7252] definition, which is "An entity | Application Protocol (CoAP) [RFC7252] definition, which is "[a]n | |||
participating in the CoAP protocol" is not used in this | entity participating in the CoAP protocol", is not used in this | |||
specification. | specification. | |||
3. Parameters for the Token Endpoint | 3. Parameters for the Token Endpoint | |||
This section defines additional parameters for the interactions with | This section defines additional parameters for the interactions with | |||
the token endpoint in the ACE framework [I-D.ietf-ace-oauth-authz]. | the token endpoint in the ACE framework [RFC9200]. | |||
3.1. Client-to-AS Request | 3.1. Client-to-AS Request | |||
This section defines the "req_cnf" parameter allowing clients to | This section defines the "req_cnf" parameter allowing clients to | |||
request a specific proof-of-possession key in an access token from a | request a specific proof-of-possession key in an access token from a | |||
token endpoint in the ACE framework [I-D.ietf-ace-oauth-authz]: | token endpoint in the ACE framework [RFC9200]: | |||
req_cnf | req_cnf | |||
OPTIONAL. This field contains information about the key the | OPTIONAL. This field contains information about the key the | |||
client would like to bind to the access token for proof-of- | client would like to bind to the access token for proof of | |||
possession. It is RECOMMENDED that an AS rejects a request | possession. It is RECOMMENDED that an AS rejects a request | |||
containing a symmetric key value in the 'req_cnf' field | containing a symmetric key value in the "req_cnf" field | |||
(kty=Symmetric), since the AS is expected to be able to generate | (kty=Symmetric), since the AS is expected to be able to generate | |||
better symmetric keys than a constrained client (Note: this does | better symmetric keys than a constrained client. (Note: this does | |||
not apply to key identifiers referencing a symmetric key). The AS | not apply to key identifiers referencing a symmetric key.) The AS | |||
MUST verify that the client really is in possession of the | MUST verify that the client really is in possession of the | |||
corresponding key. Profiles of [I-D.ietf-ace-oauth-authz] using | corresponding key. Profiles of [RFC9200] using this specification | |||
this specification MUST define the proof-of-possession method used | MUST define the proof-of-possession method used by the AS if they | |||
by the AS, if they allow clients to use this request parameter. | allow clients to use this request parameter. Values of this | |||
Values of this parameter follow the syntax and semantics of the | parameter follow the syntax and semantics of the "cnf" claim | |||
"cnf" claim either from section 3.1 of [RFC8747] for CBOR-based | either from Section 3.1 of [RFC8747] for CBOR-based interactions | |||
interactions or from section 3.1 of [RFC7800] for JSON-based | or from Section 3.1 of [RFC7800] for JSON-based interactions. | |||
interactions. | ||||
Figure 1 shows a request for an access token using the "req_cnf" | Figure 1 shows a request for an access token using the "req_cnf" | |||
parameter to request a specific public key as proof-of-possession | parameter to request a specific public key as a proof-of-possession | |||
key. The content is displayed in CBOR diagnostic notation, without | key. The content is displayed in CBOR diagnostic notation without | |||
abbreviations and with line-breaks for better readability. | abbreviations and with line breaks for better readability. | |||
Header: POST (Code=0.02) | Header: POST (Code=0.02) | |||
Uri-Host: "as.example.com" | Uri-Host: "as.example.com" | |||
Uri-Path: "token" | Uri-Path: "token" | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"req_cnf" : { | "req_cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "EC2", | "kty" : "EC2", | |||
"kid" : h'11', | "kid" : h'11', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | |||
4DC189F745228255A219A86D6A09EFF', | 4DC189F745228255A219A86D6A09EFF', | |||
"y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | |||
A64B6D72CCFED6B6FB6ED28BBFC117E' | A64B6D72CCFED6B6FB6ED28BBFC117E' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 1: Example request for an access token bound to an asymmetric | Figure 1: Example Request for an Access Token Bound to an | |||
key. | Asymmetric Key | |||
3.2. AS-to-Client Response | 3.2. AS-to-Client Response | |||
This section defines the following additional parameters for an AS | This section defines the following additional parameters for an AS | |||
response to a request to the token endpoint: | response to a request to the token endpoint: | |||
cnf | cnf | |||
REQUIRED if the token type is "pop" and a symmetric key is used. | REQUIRED if the token type is "pop" and a symmetric key is used. | |||
MAY be present for asymmetric proof-of-possession keys. This | MAY be present for asymmetric proof-of-possession keys. This | |||
field contains the proof-of-possession key that the AS selected | field contains the proof-of-possession key that the AS selected | |||
for the token. Values of this parameter follow the syntax and | for the token. Values of this parameter follow the syntax and | |||
semantics of the "cnf" claim either from section 3.1 of [RFC8747] | semantics of the "cnf" claim either from Section 3.1 of [RFC8747] | |||
for CBOR-based interactions or from section 3.1 of [RFC7800] for | for CBOR-based interactions or from Section 3.1 of [RFC7800] for | |||
JSON-based interactions. See Section 5 for additional discussion | JSON-based interactions. See Section 5 for additional discussion | |||
of the usage of this parameter. | of the usage of this parameter. | |||
rs_cnf | rs_cnf | |||
OPTIONAL if the token type is "pop" and asymmetric keys are used. | OPTIONAL if the token type is "pop" and asymmetric keys are used. | |||
MUST NOT be present otherwise. This field contains information | MUST NOT be present otherwise. This field contains information | |||
about the public key used by the RS to authenticate. If this | about the public key used by the RS to authenticate. If this | |||
parameter is absent, either the RS does not use a public key or | parameter is absent, either the RS does not use a public key or | |||
the AS knows that the RS can authenticate itself to the client | the AS knows that the RS can authenticate itself to the client | |||
without additional information. Values of this parameter follow | without additional information. Values of this parameter follow | |||
the syntax and semantics of the "cnf" claim either from section | the syntax and semantics of the "cnf" claim either from | |||
3.1 of [RFC8747] for CBOR-based interactions or from section 3.1 | Section 3.1 of [RFC8747] for CBOR-based interactions or from | |||
of [RFC7800] for JSON-based interactions. See Section 5 for | Section 3.1 of [RFC7800] for JSON-based interactions. See | |||
additional discussion of the usage of this parameter. | Section 5 for additional discussion of the usage of this | |||
parameter. | ||||
Figure 2 shows an AS response containing a token and a "cnf" | Figure 2 shows an AS response containing a token and a "cnf" | |||
parameter with a symmetric proof-of-possession key. | parameter with a symmetric proof-of-possession key. | |||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"access_token" : h'4A5015DF686428 ... | "access_token" : h'4A5015DF686428 ... | |||
(remainder of CWT omitted for brevity; | (remainder of CWT omitted for brevity; | |||
CWT contains COSE_Key in the "cnf" claim)', | CWT contains COSE_Key in the "cnf" claim)', | |||
"cnf" : { | "cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "Symmetric", | "kty" : "Symmetric", | |||
"kid" : h'DFD1AA97', | "kid" : h'DFD1AA97', | |||
"k" : h'849B5786457C1491BE3A76DCEA6C427108' | "k" : h'849B5786457C1491BE3A76DCEA6C427108' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 2: Example AS response with an access token bound to a | Figure 2: Example AS Response with an Access Token Bound to a | |||
symmetric key. | Symmetric Key | |||
Figure 3 shows an AS response containing a token bound to a | Figure 3 shows an AS response containing a token bound to a | |||
previously requested asymmetric proof-of-possession key (not shown) | previously requested asymmetric proof-of-possession key (not shown) | |||
and a "rs_cnf" parameter containing the public key of the RS. | and an "rs_cnf" parameter containing the public key of the RS. | |||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"access_token" : h'D08343A1010AA1054D2A45DF6FBC5A5A ... | "access_token" : h'D08343A1010AA1054D2A45DF6FBC5A5A ... | |||
(remainder of CWT omitted for brevity)', | (remainder of CWT omitted for brevity)', | |||
"rs_cnf" : { | "rs_cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "EC2", | "kty" : "EC2", | |||
"kid" : h'12', | "kid" : h'12', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BCEE7EAAC162F91E6F330F5771211E220 | "x" : h'BCEE7EAAC162F91E6F330F5771211E220 | |||
B8B546C96589B0AC4AD0FD24C77E1F1', | B8B546C96589B0AC4AD0FD24C77E1F1', | |||
"y" : h'C647B38C55EFBBC4E62E651720F002D5D | "y" : h'C647B38C55EFBBC4E62E651720F002D5D | |||
75B2E0C02CD1326E662BCA222B90416' | 75B2E0C02CD1326E662BCA222B90416' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 3: Example AS response, including the RS's public key. | Figure 3: Example AS Response Including the RS's Public Key | |||
4. Parameters for the Introspection Endpoint | 4. Parameters for the Introspection Endpoint | |||
This section defines the use of CBOR instead of JSON for the "cnf" | This section defines the use of CBOR instead of JSON for the "cnf" | |||
introspection response parameter specified in section 9.4 of | introspection response parameter specified in Section 9.4 of | |||
[RFC8705]. | [RFC8705]. | |||
If CBOR is used instead of JSON in an interaction with the | If CBOR is used instead of JSON in an interaction with the | |||
introspection endpoint, the AS MUST use the parameter mapping | introspection endpoint, the AS MUST use the parameter mapping | |||
specified in Figure 5 and the value must follow the syntax of "cnf" | specified in Table 1 and the value must follow the syntax of "cnf" | |||
claim values from section 3.1 of [RFC8747]. | claim values from Section 3.1 of [RFC8747]. | |||
Figure 4 shows an AS response to an introspection request including | Figure 4 shows an AS response to an introspection request including | |||
the "cnf" parameter to indicate the proof-of-possession key bound to | the "cnf" parameter to indicate the proof-of-possession key bound to | |||
the token. | the token. | |||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"active" : true, | "active" : true, | |||
skipping to change at page 7, line 25 ¶ | skipping to change at line 274 ¶ | |||
"kid" : h'11', | "kid" : h'11', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | |||
4DC189F745228255A219A86D6A09EFF', | 4DC189F745228255A219A86D6A09EFF', | |||
"y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | |||
A64B6D72CCFED6B6FB6ED28BBFC117E' | A64B6D72CCFED6B6FB6ED28BBFC117E' | |||
} | } | |||
} | } | |||
} | } | |||
Figure 4: Example introspection response. | Figure 4: Example Introspection Response | |||
5. Confirmation Method Parameters | 5. Confirmation Method Parameters | |||
The confirmation method parameters are used in | The confirmation method parameters are used in [RFC9200] as follows: | |||
[I-D.ietf-ace-oauth-authz] as follows: | ||||
o "req_cnf" in the access token request C -> AS, OPTIONAL to | * "req_cnf" in the access token request C -> AS, OPTIONAL to | |||
indicate the client's raw public key, or the key-identifier of a | indicate the client's raw public key or the key identifier of a | |||
previously established key between C and RS that the client wishes | previously established key between the C and RS that the client | |||
to use for proof-of-possession of the access token. | wishes to use for proof of possession of the access token. | |||
o "cnf" in the token response AS -> C, OPTIONAL if using an | * "cnf" in the token response AS -> C, OPTIONAL if using an | |||
asymmetric key or a key that the client requested via a key | asymmetric key or a key that the client requested via a key | |||
identifier in the request. REQUIRED if the client didn't specify | identifier in the request. REQUIRED if the client didn't specify | |||
a "req_cnf" and symmetric keys are used. Used to indicate the | a "req_cnf" and symmetric keys are used. Used to indicate the | |||
symmetric key generated by the AS for proof-of-possession of the | symmetric key generated by the AS for proof of possession of the | |||
access token. | access token. | |||
o "cnf" in the introspection response AS -> RS, REQUIRED if the | * "cnf" in the introspection response AS -> RS, REQUIRED if the | |||
access token that was subject to introspection is a proof-of- | access token that was subject to introspection is a proof-of- | |||
possession token, absent otherwise. Indicates the proof-of- | possession token, absent otherwise. Indicates the proof-of- | |||
possession key bound to the access token. | possession key bound to the access token. | |||
o "rs_cnf" in the token response AS -> C, OPTIONAL to indicate the | * "rs_cnf" in the token response AS -> C, OPTIONAL to indicate the | |||
public key of the RS, if it uses one to authenticate itself to the | public key of the RS if it uses one to authenticate itself to the | |||
client and the binding between key and RS identity is not | client and the binding between the key and RS identity is not | |||
established through other means. | established through other means. | |||
Note that the COSE_Key structure in a confirmation claim or parameter | Note that the COSE_Key structure in a confirmation claim or parameter | |||
may contain an "alg" or "key_ops" parameter. If such parameters are | may contain an "alg" or "key_ops" parameter. If such parameters are | |||
present, a client MUST NOT use a key that is incompatible with the | present, a client MUST NOT use a key that is incompatible with the | |||
profile or proof-of-possession algorithm according to those | profile or proof-of-possession algorithm according to those | |||
parameters. An RS MUST reject a proof-of-possession using such a key | parameters. An RS MUST reject a proof of possession using such a key | |||
with a response code equivalent to the CoAP code 4.00 (Bad Request). | with a response code equivalent to the CoAP code 4.00 (Bad Request). | |||
If an access token is issued for an audience that includes several | If an access token is issued for an audience that includes several | |||
RS, the "rs_cnf" parameter MUST NOT be used, since the client cannot | RSs, the "rs_cnf" parameter MUST NOT be used, since the client cannot | |||
determine for which RS the key applies. This document recommends to | determine for which RS the key applies. This document recommends to | |||
specify a different endpoint that the client can use to acquire RS | specify a different endpoint that the client can use to acquire RS | |||
authentication keys in such cases. The specification of such an | authentication keys in such cases. The specification of such an | |||
endpoint is out of scope for this document. | endpoint is out of scope for this document. | |||
6. CBOR Mappings | 6. CBOR Mappings | |||
If CBOR is used, the new parameters and claims defined in this | If CBOR is used, the new parameters and claims defined in this | |||
document MUST be mapped to CBOR types as specified in Figure 5, using | document MUST be mapped to CBOR types, as specified in Table 1, using | |||
the given integer abbreviation for the map key. | the given integer abbreviation for the map key. | |||
/----------+----------+-------------------------------------\ | +=========+==========+============+========================+ | |||
| Name | CBOR Key | Value Type | Usage | | | Name | CBOR Key | Value Type | Usage | | |||
|----------+----------+-------------------------------------| | +=========+==========+============+========================+ | |||
| req_cnf | TBD (4) | map | token request | | | req_cnf | 4 | map | token request | | |||
| cnf | TBD (8) | map | token response | | +---------+----------+------------+------------------------+ | |||
| cnf | TBD (8) | map | introspection response | | | cnf | 8 | map | token response | | |||
| rs_cnf | TBD (41) | map | token response | | +---------+----------+------------+------------------------+ | |||
\----------+----------+------------+------------------------/ | | cnf | 8 | map | introspection response | | |||
+---------+----------+------------+------------------------+ | ||||
| rs_cnf | 41 | map | token response | | ||||
+---------+----------+------------+------------------------+ | ||||
Figure 5: CBOR mappings for new parameters and claims. | Table 1: CBOR Mappings for New Parameters and Claims | |||
7. Requirements when using asymmetric keys | 7. Requirements When Using Asymmetric Keys | |||
An RS using asymmetric keys to authenticate to the client MUST NOT | An RS using asymmetric keys to authenticate to the client MUST NOT | |||
hold several different asymmetric key pairs, applicable to the same | hold several different asymmetric key pairs applicable to the same | |||
authentication algorithm. For example when using DTLS, the RS MUST | authentication algorithm. For example, when using DTLS, the RS MUST | |||
NOT hold several asymmetric key pairs applicable to the same cipher | NOT hold several asymmetric key pairs applicable to the same cipher | |||
suite. The reason for this restriction is that the RS has no way of | suite. The reason for this restriction is that the RS has no way of | |||
determining which key to use before the client's identity is | determining which key to use before the client's identity is | |||
established. Therefore authentication attempts by the RS could | established. Therefore, authentication attempts by the RS could | |||
randomly fail based on which key the RS selects, unless the algorithm | randomly fail based on which key the RS selects, unless the algorithm | |||
negotiation produces a unique choice of key pair for the RS. | negotiation produces a unique choice of key pair for the RS. | |||
8. Security Considerations | 8. Security Considerations | |||
This document is an extension to [I-D.ietf-ace-oauth-authz]. All | This document is an extension to [RFC9200]. All security | |||
security considerations from that document apply here as well. | considerations from that document apply here as well. | |||
9. Privacy Considerations | 9. Privacy Considerations | |||
This document is an extension to [I-D.ietf-ace-oauth-authz]. All | This document is an extension to [RFC9200]. All privacy | |||
privacy considerations from that document apply here as well. | considerations from that document apply here as well. | |||
10. IANA Considerations | 10. IANA Considerations | |||
10.1. OAuth Parameter Registration | 10.1. OAuth Parameter Registration | |||
This section registers the following parameters in the "OAuth | This section registers the following parameters in the "OAuth | |||
Parameters" registry [IANA.OAuthParameters]: | Parameters" registry [IANA.OAuthParameters]: | |||
o Name: "req_cnf" | Name: req_cnf | |||
o Parameter Usage Location: token request | Parameter Usage Location: token request | |||
o Change Controller: IESG | Change Controller: IETF | |||
o Reference: Section 5 of [this document] | Reference: Section 5 of RFC 9201 | |||
o Name: "rs_cnf" | Name: rs_cnf | |||
o Parameter Usage Location: token response | Parameter Usage Location: token response | |||
o Change Controller: IESG | Change Controller: IETF | |||
o Reference: Section 5 of [this document] | Reference: Section 5 of RFC 9201 | |||
o Name: "cnf" | Name: cnf | |||
o Parameter Usage Location: token response | Parameter Usage Location: token response | |||
o Change Controller: IESG | Change Controller: IETF | |||
o Reference: Section 5 of [this document] | Reference: Section 5 of RFC 9201 | |||
10.2. OAuth Parameters CBOR Mappings Registration | 10.2. OAuth Parameters CBOR Mappings Registration | |||
This section registers the following parameter mappings in the "OAuth | This section registers the following parameter mappings in the "OAuth | |||
Parameters CBOR Mappings" registry established in section 8.9. of | Parameters CBOR Mappings" registry established in Section 8.10 of | |||
[I-D.ietf-ace-oauth-authz]. | [RFC9200]. | |||
o Name: "req_cnf" | Name: req_cnf | |||
o CBOR key: TBD (suggested: 4) | CBOR Key: 4 | |||
o Change Controller: IESG | Value Type: map | |||
o Reference: Section 3.1 of [this document] | Reference: Section 3.1 of RFC 9201 | |||
Original specification: RFC 9201 | ||||
o Name: "cnf" | Name: cnf | |||
o CBOR key: TBD (suggested: 8) | CBOR Key: 8 | |||
o Change Controller: IESG | Value Type: map | |||
o Reference: Section 3.2 of [this document] | Reference: Section 3.2 of RFC 9201 | |||
Original specification: RFC 9201 | ||||
o Name: "rs_cnf" | Name: rs_cnf | |||
o CBOR key: TBD (suggested: 41) | CBOR Key: 41 | |||
o Change Controller: IESG | Value Type: map | |||
o Reference: Section 3.2 of [this document] | Reference: Section 3.2 of RFC 9201 | |||
Original specification: RFC 9201 | ||||
10.3. OAuth Token Introspection Response CBOR Mappings Registration | 10.3. OAuth Token Introspection Response CBOR Mappings Registration | |||
This section registers the following parameter mapping in the "OAuth | This section registers the following parameter mapping in the "OAuth | |||
Token Introspection Response CBOR Mappings" registry established in | Token Introspection Response CBOR Mappings" registry established in | |||
section 8.11. of [I-D.ietf-ace-oauth-authz]. | Section 8.12 of [RFC9200]. | |||
o Name: "cnf" | ||||
o CBOR key: TBD (suggested: 8) | ||||
o Change Controller: IESG | ||||
o Reference: Section 4 of [this document] | ||||
11. Acknowledgments | ||||
This document is a product of the ACE working group of the IETF. | ||||
Special thanks to Brian Campbell for his thorough review of this | ||||
document. | ||||
Ludwig Seitz worked on this document as part of the CelticNext | ||||
projects CyberWI, and CRITISEC with funding from Vinnova. | ||||
12. References | Name: cnf | |||
CBOR Key: 8 | ||||
Value Type: map | ||||
Reference: Section 4 of RFC 9201 | ||||
Original specification: [RFC8705] | ||||
12.1. Normative References | 11. References | |||
[I-D.ietf-ace-oauth-authz] | 11.1. Normative References | |||
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | ||||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments (ACE) using the OAuth 2.0 | ||||
Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-40 | ||||
(work in progress), April 2021. | ||||
[IANA.OAuthParameters] | [IANA.OAuthParameters] | |||
IANA, "OAuth Parameters", | IANA, "OAuth Parameters", | |||
<https://www.iana.org/assignments/oauth-parameters/oauth- | <https://www.iana.org/assignments/oauth-parameters>. | |||
parameters.xhtml#parameters>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
<https://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. | |||
skipping to change at page 11, line 39 ¶ | skipping to change at line 467 ¶ | |||
[RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | |||
Tschofenig, "Proof-of-Possession Key Semantics for CBOR | Tschofenig, "Proof-of-Possession Key Semantics for CBOR | |||
Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March | Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March | |||
2020, <https://www.rfc-editor.org/info/rfc8747>. | 2020, <https://www.rfc-editor.org/info/rfc8747>. | |||
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
Representation (CBOR)", STD 94, RFC 8949, | Representation (CBOR)", STD 94, RFC 8949, | |||
DOI 10.17487/RFC8949, December 2020, | DOI 10.17487/RFC8949, December 2020, | |||
<https://www.rfc-editor.org/info/rfc8949>. | <https://www.rfc-editor.org/info/rfc8949>. | |||
12.2. Informative References | [RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | |||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments (ACE) Using the OAuth 2.0 | ||||
Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, | ||||
March 2022, <https://www.rfc-editor.org/info/rfc9200>. | ||||
11.2. Informative References | ||||
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | |||
Application Protocol (CoAP)", RFC 7252, | Application Protocol (CoAP)", RFC 7252, | |||
DOI 10.17487/RFC7252, June 2014, | DOI 10.17487/RFC7252, June 2014, | |||
<https://www.rfc-editor.org/info/rfc7252>. | <https://www.rfc-editor.org/info/rfc7252>. | |||
Acknowledgments | ||||
This document is a product of the ACE Working Group of the IETF. | ||||
Special thanks to Brian Campbell for his thorough review of this | ||||
document. | ||||
Ludwig Seitz worked on this document as part of the CelticNext | ||||
projects CyberWI and CRITISEC with funding from Vinnova. | ||||
Author's Address | Author's Address | |||
Ludwig Seitz | Ludwig Seitz | |||
Combitech | Combitech | |||
Djaeknegatan 31 | Djäknegatan 31 | |||
Malmoe 211 35 | SE-211 35 Malmö | |||
Sweden | Sweden | |||
Email: ludwig.seitz@combitech.com | Email: ludwig.seitz@combitech.com | |||
End of changes. 65 change blocks. | ||||
179 lines changed or deleted | 177 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |