--- 1/draft-ietf-ace-oauth-authz-32.txt 2020-02-07 00:13:15.067307957 -0800 +++ 2/draft-ietf-ace-oauth-authz-33.txt 2020-02-07 00:13:15.231312248 -0800 @@ -1,26 +1,26 @@ ACE Working Group L. Seitz Internet-Draft Combitech Intended status: Standards Track G. Selander -Expires: August 4, 2020 Ericsson +Expires: August 10, 2020 Ericsson E. Wahlstroem S. Erdtman Spotify AB H. Tschofenig Arm Ltd. - February 1, 2020 + February 7, 2020 Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth) - draft-ietf-ace-oauth-authz-32 + draft-ietf-ace-oauth-authz-33 Abstract This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE- OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to 
@@ -34,21 +34,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 4, 2020. + This Internet-Draft will expire on August 10, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -117,34 +117,34 @@ 8.4. OAuth Grant Type CBOR Mappings . . . . . . . . . . . . . 51 8.5. OAuth Access Token Types . . . . . . . . . . . . . . . . 52 8.6. OAuth Access Token Type CBOR Mappings . . . . . . . . . . 52 8.6.1. Initial Registry Contents . . . . . . . . . . . . . . 52 8.7. ACE Profile Registry . . . . . . . . . . . . . . . . . . 53 8.8. OAuth Parameter Registration . . . . . . . . . . . . . . 53 8.9. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 53 8.10. OAuth Introspection Response Parameter Registration . . . 54 8.11. OAuth Token Introspection Response CBOR Mappings Registry 54 8.12. JSON Web Token Claims . . . . . . . . . . . . . . . . . . 55 - 8.13. CBOR Web Token Claims . . . . . . . . . . . . . . . . . . 55 + 8.13. CBOR Web Token Claims . . . . . . . . . . . . . . . . . . 56 8.14. Media Type Registrations . . . . . . . . . . . . . . . . 56 8.15. CoAP Content-Format Registry . . . . . . . . . . . . . . 57 - 8.16. Expert Review Instructions . . . . . . . . . . . . . . . 57 + 8.16. Expert Review Instructions . . . . . . . . . . . . . . . 58 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 10.1. Normative References . . . . . . . . . . . . . . . . . . 59 - 10.2. Informative References . . . . . . . . . . . . . . . . . 61 + 10.2. Informative References . . . . . . . . . . . . . . . . . 62 Appendix A. Design Justification . . . . . . . . . . . . . . . . 64 - Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 67 + Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 68 Appendix C. Requirements on Profiles . . . . . . . . . . . . . . 70 Appendix D. Assumptions on AS knowledge about C and RS . . . . . 71 Appendix E. Deployment Examples . . . . . . . . . . . . . . . . 71 - E.1. Local Token Validation . . . . . . . . . . . . . . . . . 71 + E.1. Local Token Validation . . . . . . . . . . . . . . . . . 72 E.2. 
Introspection Aided Token Validation . . . . . . . . . . 76 Appendix F. Document Updates . . . . . . . . . . . . . . . . . . 80 F.1. Version -21 to 22 . . . . . . . . . . . . . . . . . . . . 81 F.2. Version -20 to 21 . . . . . . . . . . . . . . . . . . . . 81 F.3. Version -19 to 20 . . . . . . . . . . . . . . . . . . . . 81 F.4. Version -18 to -19 . . . . . . . . . . . . . . . . . . . 81 F.5. Version -17 to -18 . . . . . . . . . . . . . . . . . . . 81 F.6. Version -16 to -17 . . . . . . . . . . . . . . . . . . . 81 F.7. Version -15 to -16 . . . . . . . . . . . . . . . . . . . 82 
@@ -2468,29 +2468,44 @@ Value Type The allowable CBOR data types for values of this parameter. Reference This contains a pointer to the public specification of the OAuth parameter abbreviation, if one exists. This registry will be initially populated by the values in Figure 12. The Reference column for all of these entries will be this document. 8.10. OAuth Introspection Response Parameter Registration - This specification registers the following parameter in the OAuth + This specification registers the following parameters in the OAuth Token Introspection Response registry [IANA.TokenIntrospectionResponse]. o Name: "ace_profile" o Description: The ACE profile used between client and RS. o Change Controller: IESG o Reference: Section 5.7.2 of [this document] + o Name: "cnonce" + o Description: "client-nonce". A nonce previously provided to the + AS by the RS via the client. Used to verify token freshness when + the RS cannot synchronize its clock with the AS. + o Change Controller: IESG + o Reference: Section 5.7.2 of [this document] + + o Name: "exi" + o Description: "Expires in". Lifetime of the token in seconds from + the time the RS first sees it. Used to implement a weaker from of + token expiration for devices that cannot synchronize their + internal clocks. + o Change Controller: IESG + o Reference: Section 5.7.2 of [this document] + 8.11. OAuth Token Introspection Response CBOR Mappings Registry This specification establishes the IANA "OAuth Token Introspection Response CBOR Mappings" registry. The registry has been created to use the "Expert Review" registration procedure [RFC8126], except for the value range designated for private use. The columns of this registry are: Name The OAuth Parameter name, refers to the name in the OAuth 
@@ -2515,76 +2530,75 @@ This specification registers the following new claims in the JSON Web Token (JWT) registry of JSON Web Token Claims [IANA.JsonWebTokenClaims]: o Claim Name: "ace_profile" o Claim Description: The ACE profile a token is supposed to be used with. o Change Controller: IESG o Reference: Section 5.8 of [this document] + o Claim Name: "cnonce" + o Claim Description: "client-nonce". A nonce previously provided to + the AS by the RS via the client. Used to verify token freshness + when the RS cannot synchronize its clock with the AS. + o Change Controller: IESG + o Reference: Section 5.8 of [this document] + o Claim Name: "exi" o Claim Description: "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker from of token expiration for devices that cannot synchronize their internal clocks. o Change Controller: IESG o Reference: Section 5.8.3 of [this document] - o Claim Name: "cnonce" - o Claim Description: "client-nonce". A nonce previously provided to - the AS by the RS via the client. Used to verify token freshness - when the RS cannot synchronize its clock with the AS. - o Change Controller: IESG - o Reference: Section 5.8 of [this document] - 8.13. CBOR Web Token Claims This specification registers the following new claims in the "CBOR Web Token (CWT) Claims" registry [IANA.CborWebTokenClaims]. - o Claim Name: "scope" - o Claim Description: The scope of an access token as defined in - [RFC6749]. - o JWT Claim Name: scope - o Claim Key: TBD (suggested: 9) - o Claim Value Type(s): byte string or text string - o Change Controller: IESG - o Specification Document(s): Section 4.2 of [RFC8693] - o Claim Name: "ace_profile" o Claim Description: The ACE profile a token is supposed to be used with. 
- o JWT Claim Name: ace_profile o Claim Key: TBD (suggested: 38) o Claim Value Type(s): integer o Change Controller: IESG o Specification Document(s): Section 5.8 of [this document] + o Claim Name: "cnonce" + o Claim Description: The client-nonce sent to the AS by the RS via + the client. + o JWT Claim Name: cnonce + o Claim Key: TBD (suggested: 39) + o Claim Value Type(s): byte string + o Change Controller: IESG + o Specification Document(s): Section 5.8 of [this document] + o Claim Name: "exi" o Claim Description: The expiration time of a token measured from when it was received at the RS in seconds. o JWT Claim Name: exi o Claim Key: TBD (suggested: 40) o Claim Value Type(s): integer o Change Controller: IESG o Specification Document(s): Section 5.8.3 of [this document] - o Claim Name: "cnonce" - o Claim Description: The client-nonce sent to the AS by the RS via - the client. - o JWT Claim Name: cnonce - o Claim Key: TBD (suggested: 39) - o Claim Value Type(s): byte string + o Claim Name: "scope" + o Claim Description: The scope of an access token as defined in + [RFC6749]. + o JWT Claim Name: scope + o Claim Key: TBD (suggested: 9) + o Claim Value Type(s): byte string or text string o Change Controller: IESG - o Specification Document(s): Section 5.8 of [this document] + o Specification Document(s): Section 4.2 of [RFC8693] 8.14. Media Type Registrations This specification registers the 'application/ace+cbor' media type for messages of the protocols defined in this document carrying parameters encoded in CBOR. This registration follows the procedures specified in [RFC6838]. Type name: application
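Review bot: in the 8.10 hunk, the added "exi" description reads "a weaker from of token expiration"; this should be "a weaker form of token expiration". While that entry is corrected, the Reference values are worth a check: both new introspection parameters cite Section 5.7.2, the same section as "ace_profile", whereas the JWT "exi" claim in 8.12 cites Section 5.8.3, so the two references should be confirmed against the body text before the registrations go to IANA.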
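Review bot: the reordering in the 8.12 and 8.13 hunk makes both claim lists alphabetical (ace_profile, cnonce, exi, scope) without altering any entry, which is fine, but two items carried through unchanged deserve attention while these lists are being edited: the 8.12 "exi" description still says "weaker from of token expiration" (should be "form"), and the 8.13 "cnonce" description ("The client-nonce sent to the AS by the RS via the client") omits the purpose stated in the 8.12 entry ("Used to verify token freshness when the RS cannot synchronize its clock with the AS"); adding that sentence to the CWT entry keeps the two registries aligned.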