| < draft-erdtman-ace-rpcc-01.txt | draft-erdtman-ace-rpcc-02.txt > | |||
|---|---|---|---|---|
| ACE Working Group L. Seitz | ACE Working Group L. Seitz | |||
| Internet-Draft RISE SICS | Internet-Draft RISE SICS | |||
| Intended status: Informational S. Erdtman | Intended status: Informational S. Erdtman | |||
| Expires: February 17, 2018 Spotify AB | Expires: May 3, 2018 Spotify AB | |||
| August 16, 2017 | October 30, 2017 | |||
| Raw-Public-Key and Pre-Shared-Key as OAuth client credentials | Raw-Public-Key and Pre-Shared-Key as OAuth client credentials | |||
| draft-erdtman-ace-rpcc-01 | draft-erdtman-ace-rpcc-02 | |||
| Abstract | Abstract | |||
| This document describes Transport Layer Security (TLS) authentication | This document describes Transport Layer Security (TLS) authentication | |||
| using Raw-Public-Key and Pre-Shared-Key as new mechanisms for OAuth | using Raw-Public-Key and Pre-Shared-Key as new mechanisms for OAuth | |||
| client authentication. Although defined for TLS the mechanisms are | client authentication. Although defined for TLS the mechanisms are | |||
| equally applicable for DTLS. | equally applicable for DTLS. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 17, 2018. | This Internet-Draft will expire on May 3, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Pre-Shared-Key for Client Authentication . . . . . . . . . . 2 | 2. Pre-Shared-Key for Client Authentication . . . . . . . . . . 3 | |||
| 3. Raw-Public-Key for Client Authentication . . . . . . . . . . 3 | 3. Raw-Public-Key for Client Authentication . . . . . . . . . . 3 | |||
| 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Dynamic Registration . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5.1. Token Endpoint Authentication Method Registration . . . . 4 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 4 | 6.1. OAuth Dynamic Client Registration Metadata Registration . 4 | |||
| 5.1.2. Registry Contents . . . . . . . . . . . . . . . . . . 4 | 6.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 6.2. Token Endpoint Authentication Method Registration . . . . 5 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 5 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes Transport Layer Security (TLS) authentication | This document describes Transport Layer Security (TLS) authentication | |||
| using Raw-Public-Key and Pre-Shared-Key as the mechanism for OAuth | using Raw-Public-Key and Pre-Shared-Key as the mechanism for OAuth | |||
| client authentication. Examples of endpoint requiering client | client authentication. Examples of endpoint requiring client | |||
| authentication are token and introspection. | authentication are token and introspection. | |||
| The OAuth 2.0 Authorization Framework [RFC6749] defines a shared | The OAuth 2.0 Authorization Framework [RFC6749] defines a shared | |||
| secret method of client authentication but also allows for the | secret method of client authentication but also allows for the | |||
| definition and use of additional client authentication mechanisms | definition and use of additional client authentication mechanisms | |||
| when interacting with the authorization server's token endpoint. | when interacting with the authorization server's token endpoint. | |||
| This document describes two additional mechanisms of client | This document describes two additional mechanisms of client | |||
| authentication utilizing Raw-Public-Key [RFC7250] and Pre-Shared-Key | authentication utilizing Raw-Public-Key [RFC7250] and Pre-Shared-Key | |||
| TLS [RFC4279], which provide better security characteristics than | TLS [RFC4279], which provide better security characteristics than | |||
| shared secrets. | shared secrets. | |||
| To get most bennefits and improved security with these new client | ||||
| credential types it is recomended to use the 'one credential per | ||||
| Client Software Instance' paradigm. This can be achived by letting | ||||
| the client dynamicly register as described in [RFC7591]. | ||||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Pre-Shared-Key for Client Authentication | 2. Pre-Shared-Key for Client Authentication | |||
| The following section defines, as an extension of OAuth 2.0, | The following section defines, as an extension of OAuth 2.0, | |||
| Section 2.3 [RFC6749], using Pre-Shared-Key with TLS [RFC4279] to | Section 2.3 [RFC6749], using Pre-Shared-Key with TLS [RFC4279] to | |||
| authenticate the client. This method is registered as | authenticate the client. This method is registered as | |||
| 'tls_client_psk' in "OAuth Token Endpoint Authentication Methods" | 'tls_client_psk' in "OAuth Token Endpoint Authentication Methods" | |||
| registry. | registry. If this method is to be used, the client and the | |||
| Authorization Server MUST share a secret key, and they MUST agree on | ||||
| an identifier for this key. | ||||
| The (D)TLS handshake MUST be done according to [RFC4279], with the | The (D)TLS handshake MUST be done according to [RFC4279], with the | |||
| client indicating support for one or more Pre-Shared-Key cipher | client indicating support for one or more Pre-Shared-Key cipher | |||
| suites and authorization server selecting a Pre-Shared-Key cipher | suites and authorization server selecting a Pre-Shared-Key cipher | |||
| suite. In order to enable authorization server to select the correct | suite. In order to enable the authorization server to select the | |||
| pre-shared-key the client MUST send its client identifier in the psk- | correct pre-shared-key the client MUST send the key identifier in the | |||
| identity field of the ClientKeyExchange message. How the | psk-identity field of the ClientKeyExchange message. How the | |||
| authorization server maps a client identifier to the pre-shared-key | authorization server maps the identifier to a pre-shared-key, and to | |||
| is out of scope for this specification. | a specific client is out of scope for this specification. | |||
| Note that the client identity MUST be 2^16 bytes or shorter, in order | Note that the key identifier MUST be 2^16 bytes or shorter, in order | |||
| to fit into the psk-identity field. | to fit into the psk-identity field. | |||
| 3. Raw-Public-Key for Client Authentication | 3. Raw-Public-Key for Client Authentication | |||
| The following section defines, as an extension of OAuth 2.0, | The following section defines, as an extension of OAuth 2.0, | |||
| Section 2.3 [RFC6749], the use of Raw-Public-Key with (D)TLS | Section 2.3 [RFC6749], the use of Raw-Public-Key with (D)TLS | |||
| [RFC7250] to authenticate the client. This method is registered | [RFC7250] to authenticate the client. This method is registered as | |||
| as'tls_client_rpk' in "OAuth Token Endpoint Authentication Methods" | 'tls_client_rpk' in "OAuth Token Endpoint Authentication Methods" | |||
| registry. | registry. | |||
| The (D)TLS handshake MUST be done according to [RFC7250], with the | The (D)TLS handshake MUST be done according to [RFC7250], with the | |||
| client indicating support for Raw-Public-Key certificates and the | client indicating support for Raw-Public-Key certificates and the | |||
| authorization server asking client send its Raw Public Key | authorization server asking client send its Raw Public Key | |||
| certificate. Since the client cannot send an explicit client | certificate. Since the client cannot send an explicit client or key | |||
| identifier in the handshake, the authorization server MUST the derive | identifier in the handshake, the authorization server MUST derive a | |||
| a client identifier from RPK that the client uses. | client identifier from RPK that the client uses. | |||
| Authorization servers MAY use the following method to map a Raw | Note to implementers: Authorization servers can use the following | |||
| Public Key to a client identifier: The client identifier is generated | method to map a Raw Public Key to a client identifier: The client | |||
| from the Raw Public Key using the procedure specified in section 3 of | identifier is generated from the Raw Public Key using the procedure | |||
| [RFC6920]. The digest is calculated on the Raw Public Key only (not | specified in section 3 of [RFC6920]. The digest is calculated on the | |||
| on the SubjectPublicKeyInfo used in the handshake). An example is | Raw Public Key only (not on the SubjectPublicKeyInfo used in the | |||
| shown in Figure 1. | handshake). An example is shown in Figure 1. | |||
| Raw Public Key (Base64 encoded): | Raw Public Key (Base64 encoded): | |||
| MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEtboxNKPgxEKV9JTNzy | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEtboxNKPgxEKV9JTNzy | |||
| tUvAbxEfkCTVB9kOzheF5wRAoOz2NKP+ln+XLVAQSp1D6jfo09tppvN | tUvAbxEfkCTVB9kOzheF5wRAoOz2NKP+ln+XLVAQSp1D6jfo09tppvN | |||
| poQA1nnBNH6A=="; | poQA1nnBNH6A=="; | |||
| Encoding: | Encoding: | |||
| ni:///sha-256;xzLa24yOBeCkos3VFzD2gd83Urohr9TsXqY9nhdDN0 | ni:///sha-256;xzLa24yOBeCkos3VFzD2gd83Urohr9TsXqY9nhdDN0 | |||
| Figure 1: Example encoding of a raw public key in the Named | Figure 1: Example encoding of a raw public key in the Named | |||
| Information URI Format | Information URI Format | |||
| 4. Acknowledgements | 4. Dynamic Registration | |||
| For dynamic registration of a RPK this specification registers the | ||||
| new parameter 'rpk' to the Client Registration Metadata Registry. | ||||
| When used this parameter MUST contain a JSON Web Key representing the | ||||
| public key of the client. When 'rpk' is present in the registration | ||||
| request 'token_endpoint_auth_method' MUST include 'tls_client_rpk'. | ||||
| For dynamic registration of a PSK this specification registers the | ||||
| new parameter 'psk' to the Client Registration Metadata Registry. | ||||
| When used this parameter MUST contain a JSON Web Key representing the | ||||
| key of the client. When registering the client can include the key | ||||
| in the registrations request or the authorisation can generate the | ||||
| key and return it. If the 'psk' attribute is present in a request | ||||
| 'token_endpoint_auth_method' MUST include 'tls_client_psk'. To | ||||
| request the authorisation server to generate the key the client | ||||
| includes 'tls_client_psk' in 'token_endpoint_auth_method' but does | ||||
| not send 'psk' attribute. | ||||
| The 'jwks' and 'jwks_uri' is not used to avoid conflict and confusion | ||||
| with application layer keys. | ||||
| 5. Acknowledgements | ||||
| This document is highly inspired by [I-D.ietf-oauth-mtls] written by | This document is highly inspired by [I-D.ietf-oauth-mtls] written by | |||
| B. Campbell, J. Bradley, N. Sakimura and T. Lodderstedt. | B. Campbell, J. Bradley, N. Sakimura and T. Lodderstedt. | |||
| 5. IANA Considerations | 6. IANA Considerations | |||
| 5.1. Token Endpoint Authentication Method Registration | 6.1. OAuth Dynamic Client Registration Metadata Registration | |||
| This specification requests registration of the following value in | ||||
| the IANA "OAuth Dynamic Client Registration Metadata" registry | ||||
| [IANA.OAuth.Parameters] established by [RFC7591]. | ||||
| 6.1.1. Registry Contents | ||||
| o Client Metadata Name: "rpk" | ||||
| o Client Metadata Description: JWK for client Raw-Public-Key, can be | ||||
| included in request. | ||||
| o Change Controller: IESG | ||||
| o Specification Document(s): [[ this specification ]] | ||||
| o Client Metadata Name: "psk" | ||||
| o Client Metadata Description: JWK for client Pre-Shared-Key, can be | ||||
| included both in request and response. | ||||
| o Change Controller: IESG | ||||
| o Specification Document(s): [[ this specification ]] | ||||
| 6.2. Token Endpoint Authentication Method Registration | ||||
| This specification requests registration of the following value in | This specification requests registration of the following value in | |||
| the IANA "OAuth Token Endpoint Authentication Methods" registry | the IANA "OAuth Token Endpoint Authentication Methods" registry | |||
| [IANA.OAuth.Parameters] established by [RFC7591]. | [IANA.OAuth.Parameters] established by [RFC7591]. | |||
| 5.1.1. Registry Contents | 6.2.1. Registry Contents | |||
| o Token Endpoint Authentication Method Name: "tls_client_rpk" | o Token Endpoint Authentication Method Name: "tls_client_rpk" | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
| 5.1.2. Registry Contents | ||||
| o Token Endpoint Authentication Method Name: "tls_client_psk" | o Token Endpoint Authentication Method Name: "tls_client_psk" | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
| 6. Security Considerations | 7. Security Considerations | |||
| TBD | TBD | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||
| Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", | |||
| RFC 4279, DOI 10.17487/RFC4279, December 2005, | RFC 4279, DOI 10.17487/RFC4279, December 2005, | |||
| <https://www.rfc-editor.org/info/rfc4279>. | <https://www.rfc-editor.org/info/rfc4279>. | |||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. | |||
| [RFC6920] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., | [RFC6920] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., | |||
| Keranen, A., and P. Hallam-Baker, "Naming Things with | Keranen, A., and P. Hallam-Baker, "Naming Things with | |||
| Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013, | Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013, | |||
| <http://www.rfc-editor.org/info/rfc6920>. | <https://www.rfc-editor.org/info/rfc6920>. | |||
| [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., | [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., | |||
| Weiler, S., and T. Kivinen, "Using Raw Public Keys in | Weiler, S., and T. Kivinen, "Using Raw Public Keys in | |||
| Transport Layer Security (TLS) and Datagram Transport | Transport Layer Security (TLS) and Datagram Transport | |||
| Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, | Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, | |||
| June 2014, <https://www.rfc-editor.org/info/rfc7250>. | June 2014, <https://www.rfc-editor.org/info/rfc7250>. | |||
| [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and | [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and | |||
| P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", | P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", | |||
| RFC 7591, DOI 10.17487/RFC7591, July 2015, | RFC 7591, DOI 10.17487/RFC7591, July 2015, | |||
| <https://www.rfc-editor.org/info/rfc7591>. | <https://www.rfc-editor.org/info/rfc7591>. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-oauth-mtls] | [I-D.ietf-oauth-mtls] | |||
| Campbell, B., Bradley, J., Sakimura, N., and T. | Campbell, B., Bradley, J., Sakimura, N., and T. | |||
| Lodderstedt, "Mutual TLS Profile for OAuth 2.0", draft- | Lodderstedt, "Mutual TLS Profile for OAuth 2.0", draft- | |||
| ietf-oauth-mtls-03 (work in progress), July 2017. | ietf-oauth-mtls-04 (work in progress), October 2017. | |||
| [IANA.OAuth.Parameters] | [IANA.OAuth.Parameters] | |||
| IANA, "OAuth Parameters", | IANA, "OAuth Parameters", | |||
| <http://www.iana.org/assignments/oauth-parameters>. | <http://www.iana.org/assignments/oauth-parameters>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Ludwig Seitz | Ludwig Seitz | |||
| RISE SICS | RISE SICS | |||
| Scheelevaegen 17 | Scheelevaegen 17 | |||
| End of changes. 28 change blocks. | ||||
| 50 lines changed or deleted | 99 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||