< draft-ietf-ace-oauth-authz-05.txt   draft-ietf-ace-oauth-authz-06.txt >
ACE Working Group L. Seitz ACE Working Group L. Seitz
Internet-Draft SICS Internet-Draft RISE SICS
Intended status: Standards Track G. Selander Intended status: Standards Track G. Selander
Expires: August 7, 2017 Ericsson Expires: September 14, 2017 Ericsson
E. Wahlstroem E. Wahlstroem
(no affiliation)
S. Erdtman S. Erdtman
Spotify AB Spotify AB
H. Tschofenig H. Tschofenig
ARM Ltd. ARM Ltd.
February 3, 2017 March 13, 2017
Authentication and Authorization for Constrained Environments (ACE) Authentication and Authorization for Constrained Environments (ACE)
draft-ietf-ace-oauth-authz-05 draft-ietf-ace-oauth-authz-06
Abstract Abstract
This specification defines a framework for authentication and This specification defines a framework for authentication and
authorization in Internet of Things (IoT) environments. The authorization in Internet of Things (IoT) environments. The
framework is based on a set of building blocks including OAuth 2.0 framework is based on a set of building blocks including OAuth 2.0
and CoAP, thus making a well-known and widely used authorization and CoAP, thus making a well-known and widely used authorization
solution suitable for IoT devices. Existing specifications are used solution suitable for IoT devices. Existing specifications are used
where possible, but where the constraints of IoT devices require it, where possible, but where the constraints of IoT devices require it,
extensions are added and profiles are defined. extensions are added and profiles are defined.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 7, 2017. This Internet-Draft will expire on September 14, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. OAuth 2.0 . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. OAuth 2.0 . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. CoAP . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. CoAP . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4. Protocol Interactions . . . . . . . . . . . . . . . . . . . . 9 4. Protocol Interactions . . . . . . . . . . . . . . . . . . . . 9
5. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. The 'Token' Endpoint . . . . . . . . . . . . . . . . . . . . 14 5.1. Authorization Grants . . . . . . . . . . . . . . . . . . 14
6.1. Client Credentials and Grants . . . . . . . . . . . . . . 15 5.2. Client Credentials . . . . . . . . . . . . . . . . . . . 15
6.2. Client-to-AS Request . . . . . . . . . . . . . . . . . . 15 5.3. AS Authentication . . . . . . . . . . . . . . . . . . . . 15
6.3. AS-to-Client Response . . . . . . . . . . . . . . . . . . 18 5.4. The 'Authorize' Endpoint . . . . . . . . . . . . . . . . 15
6.4. Error Response . . . . . . . . . . . . . . . . . . . . . 20 5.5. The 'Token' Endpoint . . . . . . . . . . . . . . . . . . 16
6.5. Request and Response Parameters . . . . . . . . . . . . . 20 5.5.1. Client-to-AS Request . . . . . . . . . . . . . . . . 16
6.5.1. Audience . . . . . . . . . . . . . . . . . . . . . . 20 5.5.2. AS-to-Client Response . . . . . . . . . . . . . . . . 19
6.5.2. Grant Type . . . . . . . . . . . . . . . . . . . . . 21 5.5.3. Error Response . . . . . . . . . . . . . . . . . . . 21
6.5.3. Token Type . . . . . . . . . . . . . . . . . . . . . 21 5.5.4. Request and Response Parameters . . . . . . . . . . . 21
6.5.4. Profile . . . . . . . . . . . . . . . . . . . . . . . 21 5.5.4.1. Audience . . . . . . . . . . . . . . . . . . . . 21
6.5.5. Confirmation . . . . . . . . . . . . . . . . . . . . 22 5.5.4.2. Grant Type . . . . . . . . . . . . . . . . . . . 22
6.6. Mapping parameters to CBOR . . . . . . . . . . . . . . . 24 5.5.4.3. Token Type . . . . . . . . . . . . . . . . . . . 22
7. The 'Introspect' Endpoint . . . . . . . . . . . . . . . . . . 24 5.5.4.4. Profile . . . . . . . . . . . . . . . . . . . . . 22
7.1. RS-to-AS Request . . . . . . . . . . . . . . . . . . . . 25 5.5.4.5. Confirmation . . . . . . . . . . . . . . . . . . 23
7.2. AS-to-RS Response . . . . . . . . . . . . . . . . . . . . 25 5.5.5. Mapping parameters to CBOR . . . . . . . . . . . . . 25
7.3. Error Response . . . . . . . . . . . . . . . . . . . . . 27 5.6. The 'Introspect' Endpoint . . . . . . . . . . . . . . . . 25
7.4. Client Token . . . . . . . . . . . . . . . . . . . . . . 27 5.6.1. RS-to-AS Request . . . . . . . . . . . . . . . . . . 26
7.5. Mapping Introspection parameters to CBOR . . . . . . . . 29 5.6.2. AS-to-RS Response . . . . . . . . . . . . . . . . . . 26
8. The Access Token . . . . . . . . . . . . . . . . . . . . . . 29 5.6.3. Error Response . . . . . . . . . . . . . . . . . . . 28
8.1. The 'Authorization Information' Endpoint . . . . . . . . 30 5.6.4. Client Token . . . . . . . . . . . . . . . . . . . . 28
8.2. Token Expiration . . . . . . . . . . . . . . . . . . . . 30 5.6.5. Mapping Introspection parameters to CBOR . . . . . . 30
9. Security Considerations . . . . . . . . . . . . . . . . . . . 31 5.7. The Access Token . . . . . . . . . . . . . . . . . . . . 30
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 33 5.7.1. The 'Authorization Information' Endpoint . . . . . . 31
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 5.7.2. Token Expiration . . . . . . . . . . . . . . . . . . 31
11.1. OAuth Introspection Response Parameter Registration . . 33 6. Security Considerations . . . . . . . . . . . . . . . . . . . 32
11.2. OAuth Parameter Registration . . . . . . . . . . . . . . 34 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 34
11.3. OAuth Access Token Types . . . . . . . . . . . . . . . . 34 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
11.4. Token Type Mappings . . . . . . . . . . . . . . . . . . 35 8.1. OAuth Introspection Response Parameter Registration . . . 34
11.4.1. Registration Template . . . . . . . . . . . . . . . 35 8.2. OAuth Parameter Registration . . . . . . . . . . . . . . 35
11.4.2. Initial Registry Contents . . . . . . . . . . . . . 35 8.3. OAuth Access Token Types . . . . . . . . . . . . . . . . 35
11.5. CBOR Web Token Claims . . . . . . . . . . . . . . . . . 35 8.4. Token Type Mappings . . . . . . . . . . . . . . . . . . . 36
11.6. ACE Profile Registry . . . . . . . . . . . . . . . . . . 36 8.4.1. Registration Template . . . . . . . . . . . . . . . . 36
11.6.1. Registration Template . . . . . . . . . . . . . . . 36 8.4.2. Initial Registry Contents . . . . . . . . . . . . . . 36
11.7. OAuth Parameter Mappings Registry . . . . . . . . . . . 36 8.5. CBOR Web Token Claims . . . . . . . . . . . . . . . . . . 36
11.7.1. Registration Template . . . . . . . . . . . . . . . 36 8.6. ACE Profile Registry . . . . . . . . . . . . . . . . . . 37
11.7.2. Initial Registry Contents . . . . . . . . . . . . . 37 8.6.1. Registration Template . . . . . . . . . . . . . . . . 37
11.8. Introspection Endpoint CBOR Mappings Registry . . . . . 39 8.7. OAuth Parameter Mappings Registry . . . . . . . . . . . . 37
11.8.1. Registration Template . . . . . . . . . . . . . . . 39 8.7.1. Registration Template . . . . . . . . . . . . . . . . 37
11.8.2. Initial Registry Contents . . . . . . . . . . . . . 39 8.7.2. Initial Registry Contents . . . . . . . . . . . . . . 38
11.9. CoAP Option Number Registration . . . . . . . . . . . . 41 8.8. Introspection Endpoint CBOR Mappings Registry . . . . . . 40
11.10. CWT Confirmation Methods Registry . . . . . . . . . . . 42 8.8.1. Registration Template . . . . . . . . . . . . . . . . 40
11.10.1. Registration Template . . . . . . . . . . . . . . . 42 8.8.2. Initial Registry Contents . . . . . . . . . . . . . . 40
11.10.2. Initial Registry Contents . . . . . . . . . . . . . 43 8.9. CoAP Option Number Registration . . . . . . . . . . . . . 42
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 43 8.10. CWT Confirmation Methods Registry . . . . . . . . . . . . 43
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 8.10.1. Registration Template . . . . . . . . . . . . . . . 43
13.1. Normative References . . . . . . . . . . . . . . . . . . 44 8.10.2. Initial Registry Contents . . . . . . . . . . . . . 44
13.2. Informative References . . . . . . . . . . . . . . . . . 44 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 44
Appendix A. Design Justification . . . . . . . . . . . . . . . . 46 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 48 10.1. Normative References . . . . . . . . . . . . . . . . . . 45
Appendix C. Requirements on Profiles . . . . . . . . . . . . . . 50 10.2. Informative References . . . . . . . . . . . . . . . . . 45
Appendix D. Assumptions on AS knowledge about C and RS . . . . . 51 Appendix A. Design Justification . . . . . . . . . . . . . . . . 47
Appendix E. Deployment Examples . . . . . . . . . . . . . . . . 51 Appendix B. Roles and Responsibilities . . . . . . . . . . . . . 49
E.1. Local Token Validation . . . . . . . . . . . . . . . . . 52 Appendix C. Requirements on Profiles . . . . . . . . . . . . . . 51
E.2. Introspection Aided Token Validation . . . . . . . . . . 55 Appendix D. Assumptions on AS knowledge about C and RS . . . . . 52
Appendix F. Document Updates . . . . . . . . . . . . . . . . . . 59 Appendix E. Deployment Examples . . . . . . . . . . . . . . . . 52
F.1. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 59 E.1. Local Token Validation . . . . . . . . . . . . . . . . . 53
F.2. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 59 E.2. Introspection Aided Token Validation . . . . . . . . . . 56
F.3. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 60 Appendix F. Document Updates . . . . . . . . . . . . . . . . . . 60
F.4. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 60 F.1. Version -05 to -06 . . . . . . . . . . . . . . . . . . . 60
F.5. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 60 F.2. Version -04 to -05 . . . . . . . . . . . . . . . . . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61 F.3. Version -03 to -04 . . . . . . . . . . . . . . . . . . . 61
F.4. Version -02 to -03 . . . . . . . . . . . . . . . . . . . 61
F.5. Version -01 to -02 . . . . . . . . . . . . . . . . . . . 61
F.6. Version -00 to -01 . . . . . . . . . . . . . . . . . . . 62
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 62
1. Introduction 1. Introduction
Authorization is the process for granting approval to an entity to Authorization is the process for granting approval to an entity to
access a resource [RFC4949]. The authorization task itself can best access a resource [RFC4949]. The authorization task itself can best
be described as granting access to a requesting client, for a be described as granting access to a requesting client, for a
resource hosted on a device, the resource server (RS). This exchange resource hosted on a device, the resource server (RS). This exchange
is mediated by one or multiple authorization servers (AS). Managing is mediated by one or multiple authorization servers (AS). Managing
authorization for a large number of devices and users is a complex authorization for a large number of devices and users is a complex
task. task.
skipping to change at page 5, line 48 skipping to change at page 6, line 5
designed for small code and message size, which may be used for designed for small code and message size, which may be used for
encoding of self contained tokens, and also for encoding CoAP POST encoding of self contained tokens, and also for encoding CoAP POST
parameters and CoAP responses. parameters and CoAP responses.
A fourth building block is the compact CBOR-based secure message A fourth building block is the compact CBOR-based secure message
format COSE [I-D.ietf-cose-msg], which enables application layer format COSE [I-D.ietf-cose-msg], which enables application layer
security as an alternative or complement to transport layer security security as an alternative or complement to transport layer security
(DTLS [RFC6347] or TLS [RFC5246]). COSE is used to secure self (DTLS [RFC6347] or TLS [RFC5246]). COSE is used to secure self
contained tokens such as proof-of-possession (PoP) tokens, which is contained tokens such as proof-of-possession (PoP) tokens, which is
an extension to the OAuth access tokens, and "client tokens" which an extension to the OAuth access tokens, and "client tokens" which
are defined in this framework (see Section 7.4). The default access are defined in this framework (see Section 5.6.4). The default
token format is defined in CBOR web token (CWT) access token format is defined in CBOR web token (CWT)
[I-D.ietf-ace-cbor-web-token]. Application layer security for CoAP [I-D.ietf-ace-cbor-web-token]. Application layer security for CoAP
using COSE can be provided with OSCOAP using COSE can be provided with OSCOAP
[I-D.ietf-core-object-security]. [I-D.ietf-core-object-security].
With the building blocks listed above, solutions satisfying various With the building blocks listed above, solutions satisfying various
IoT device and network constraints are possible. A list of IoT device and network constraints are possible. A list of
constraints is described in detail in RFC 7228 [RFC7228] and a constraints is described in detail in RFC 7228 [RFC7228] and a
description of how the building blocks mentioned above relate to the description of how the building blocks mentioned above relate to the
various constraints can be found in Appendix A. various constraints can be found in Appendix A.
skipping to change at page 12, line 13 skipping to change at page 12, line 15
specific credential). specific credential).
Access Token Response (B): Access Token Response (B):
If the AS successfully processes the request from the client, it If the AS successfully processes the request from the client, it
returns an access token. It also returns various parameters, returns an access token. It also returns various parameters,
referred as "RS Information". In addition to the response referred as "RS Information". In addition to the response
parameters defined by OAuth 2.0 and the PoP token extension, parameters defined by OAuth 2.0 and the PoP token extension,
further response parameters, such as information on which profile further response parameters, such as information on which profile
the client should use with the resource server(s). More the client should use with the resource server(s). More
information about these parameters can be found in Section 6.5. information about these parameters can be found in Section 5.5.4.
Resource Request (C): Resource Request (C):
The client interacts with the RS to request access to the The client interacts with the RS to request access to the
protected resource and provides the access token. The protocol to protected resource and provides the access token. The protocol to
use between the client and the RS is not restricted to CoAP. use between the client and the RS is not restricted to CoAP.
HTTP, HTTP/2, QUIC, MQTT, Bluetooth Low Energy, etc., are also HTTP, HTTP/2, QUIC, MQTT, Bluetooth Low Energy, etc., are also
viable candidates. viable candidates.
Depending on the device limitations and the selected protocol this Depending on the device limitations and the selected protocol this
skipping to change at page 12, line 47 skipping to change at page 12, line 49
the AS and compares the claims contained in the access token with the AS and compares the claims contained in the access token with
the resource request. If the RS is online, validation can be the resource request. If the RS is online, validation can be
handed over to the AS using token introspection (see messages D handed over to the AS using token introspection (see messages D
and E) over HTTP or CoAP, in which case the different parts of and E) over HTTP or CoAP, in which case the different parts of
step C may be interleaved with introspection. step C may be interleaved with introspection.
Token Introspection Request (D): Token Introspection Request (D):
A resource server may be configured to introspect the access token A resource server may be configured to introspect the access token
by including it in a request to the /introspect endpoint at that by including it in a request to the /introspect endpoint at that
AS. Token introspection over CoAP is defined in Section 7 and for AS. Token introspection over CoAP is defined in Section 5.6 and
HTTP in [RFC7662]. for HTTP in [RFC7662].
Note that token introspection is an optional step and can be Note that token introspection is an optional step and can be
omitted if the token is self-contained and the resource server is omitted if the token is self-contained and the resource server is
prepared to perform the token validation on its own. prepared to perform the token validation on its own.
Token Introspection Response (E): Token Introspection Response (E):
The AS validates the token and returns the most recent parameters, The AS validates the token and returns the most recent parameters,
such as scope, audience, validity etc. associated with it back to such as scope, audience, validity etc. associated with it back to
the RS. The RS then uses the received parameters to process the the RS. The RS then uses the received parameters to process the
request to either accept or to deny it. The AS can additionally request to either accept or to deny it. The AS can additionally
return information that the RS needs to pass on to the client in return information that the RS needs to pass on to the client in
the form of a client token. The latter is used to establish keys the form of a client token. The latter is used to establish keys
for mutual authentication between client and RS, when the client for mutual authentication between client and RS, when the client
has no direct connectivity to the AS, see Section 7.4 for details. has no direct connectivity to the AS, see Section 5.6.4 for
details.
Protected Resource (F): Protected Resource (F):
If the request from the client is authorized, the RS fulfills the If the request from the client is authorized, the RS fulfills the
request and returns a response with the appropriate response code. request and returns a response with the appropriate response code.
The RS uses the dynamically established keys to protect the The RS uses the dynamically established keys to protect the
response, according to used communication security protocol. response, according to used communication security protocol.
5. Framework 5. Framework
skipping to change at page 14, line 37 skipping to change at page 14, line 41
request. The Content-format depends on the security applied to the request. The Content-format depends on the security applied to the
content and MUST be specified by the profile that is used. content and MUST be specified by the profile that is used.
The OAuth 2.0 AS uses a JSON structure in the payload of its The OAuth 2.0 AS uses a JSON structure in the payload of its
responses both to client and RS. This framework RECOMMENDS the use responses both to client and RS. This framework RECOMMENDS the use
of CBOR [RFC7049] instead. The requesting device can explicitly of CBOR [RFC7049] instead. The requesting device can explicitly
request this encoding by setting the CoAP Accept option in the request this encoding by setting the CoAP Accept option in the
request to "application/cbor". Depending on the profile, the content request to "application/cbor". Depending on the profile, the content
MAY arrive in a different format wrapping a CBOR payload. MAY arrive in a different format wrapping a CBOR payload.
6. The 'Token' Endpoint 5.1. Authorization Grants
In plain OAuth 2.0 the AS provides the /token endpoint for submitting To request an access token, the client obtains authorization from the
access token requests. This framework extends the functionality of resource owner or uses its client credentials as grant. The
the /token endpoint, giving the AS the possibility to help client and authorization is expressed in the form of an authorization grant.
RS to establish shared keys or to exchange their public keys.
Furthermore this framework defines encodings using CoAP and CBOR, in
addition to HTTP and JSON.
Authentication of the requesting client is done using client The OAuth framework defines four grant types. The grant types can be
credentials as defined by OAuth 2.0. A profile MAY specify new split up into two groups, those granted on behalf of the resource
client credentials types for the authentication of the client. owner (password, authorization code, implicit) and those for the
client (client credentials).
Profiles of this framework SHOULD specify how authentication of the The grant type selected depending based on the use case. In cases
AS is done and how communication security is implemented. If nothing where the client will act on behalf of the resource owner,
is specified TLS with server certificate is assumed as defined by authorization code grant is recommended. If the client should to act
OAuth 2.0. on be half of the user but does not have any display or very limited
interaction possibilities it is recommended to use the device code
grant defined in [I-D.ietf-oauth-device-flow]. In cases where the
client will not act on be half of the resource owner, client
credentials grant is recommended.
When requesting a token the client is authenticated with client For details on the different grant types see the OAuth 2.0 framework.
credentials and then a grant is presented that gives the client the The OAuth 2.0 framework provides an extension mechanism for defining
right to get a token. additional grant types so profiles of this framework MAY define
additional grant types if needed.
The figures of this section uses CBOR diagnostic notation without the 5.2. Client Credentials
integer abbreviations for the parameters or their values for better
readability.
6.1. Client Credentials and Grants Authentication of the client is mandatory independent of the grant
type when requesting the access token from the token endpoint. In
the case of client credentials grant type the authentication and
grant coincides.
To issue a token the client MUST be authenticated and present a valid Client registration and provisioning of client credentials to the
grant for the scopes requested. client is out of scope for this specification.
The OAuth framework, [RFC6749], defines one client credential type, The OAuth framework, [RFC6749], defines one client credential type,
client id and client secret. Profiles of this framework MAY extend client id and client secret. Profiles of this framework MAY extend
with additional client credentials such as DTLS pre-shared keys or with additional client credentials such as DTLS pre-shared keys or
client certificates. client certificates.
In the OAuth framework five grant types are defined. The grant types 5.3. AS Authentication
can be split up into three groups, those granted on behalf of the
resource owner (password, authorization code, implicit), those for
the client (client_credentials), and those used to prolong a grant
(refresh token).
profiles MAY define additional grant types if needed, e.g. a proof of Client credential does not by default authenticate the AS that the
possession refresh token. client connects to. In classic OAuth the AS is authenticated with a
TLS server certificate.
6.2. Client-to-AS Request Profiles of this framework SHOULD specify how clients authenticate
the AS and how communication security is implemented, otherwise
server side TLS certificates as defined by OAuth 2.0 is required.
5.4. The 'Authorize' Endpoint
The authorization endpoint is used to interact with the resource
owner and obtain an authorization grant. It is used for
authorization code and implicit grant, flows that requires online
user consent. In the most common implementation a users-agent is
used and redirected from the client to the AS. The AS shows a
consent dialog and directs back to the client, with the approved
grant or an error message.
The grant types defined in OAuth 2.0, that use the authorization
endpoint, require the use of a user agent (i.e. a browser). This
endpoint is therefore out of scope for this specification.
Implementations should use the definition and recommendations of
[RFC6749] and [RFC6819].
If clients involved cannot support HTTP and TLS profiles MAY define
mappings for the authorization endpoint.
5.5. The 'Token' Endpoint
In plain OAuth 2.0 the AS provides the /token endpoint for submitting
access token requests. This framework extends the functionality of
the /token endpoint, giving the AS the possibility to help client and
RS to establish shared keys or to exchange their public keys.
Furthermore this framework defines encodings using CoAP and CBOR, in
addition to HTTP and JSON.
For the AS to be able to issue a token the client MUST be
authenticated and present a valid grant for the scopes requested.
The figures of this section uses CBOR diagnostic notation without the
integer abbreviations for the parameters or their values for better
readability.
5.5.1. Client-to-AS Request
The client sends a CoAP POST request to the token endpoint at the AS, The client sends a CoAP POST request to the token endpoint at the AS,
the profile MUST specify the Content-Type and wrapping of the the profile MUST specify the Content-Type and wrapping of the
payload. The content of the request consists of the parameters payload. The content of the request consists of the parameters
specified in section 4 of the OAuth 2.0 specification [RFC6749] specified in section 4 of the OAuth 2.0 specification [RFC6749]
encoded as a CBOR map. encoded as a CBOR map.
In addition to these parameters, this framework defines the following In addition to these parameters, this framework defines the following
parameters for requesting an access token from a /token endpoint: parameters for requesting an access token from a /token endpoint:
skipping to change at page 16, line 4 skipping to change at page 16, line 46
encoded as a CBOR map. encoded as a CBOR map.
In addition to these parameters, this framework defines the following In addition to these parameters, this framework defines the following
parameters for requesting an access token from a /token endpoint: parameters for requesting an access token from a /token endpoint:
aud aud
OPTIONAL. Specifies the audience for which the client is OPTIONAL. Specifies the audience for which the client is
requesting an access token. If this parameter is missing it is requesting an access token. If this parameter is missing it is
assumed that the client and the AS have a pre-established assumed that the client and the AS have a pre-established
understanding of the audience that an access token should address. understanding of the audience that an access token should address.
If a client submits a request for an access token without If a client submits a request for an access token without
specifying an "aud" parameter, and the AS does not have a default specifying an "aud" parameter, and the AS does not have a default
"aud" value for this client, then the AS MUST respond with an "aud" value for this client, then the AS MUST respond with an
error message with the CoAP response code 4.00 (Bad Request). error message with the CoAP response code 4.00 (Bad Request).
cnf cnf
OPTIONAL. This field contains information about the key the OPTIONAL. This field contains information about the key the
client would like to bind to the access token for proof-of- client would like to bind to the access token for proof-of-
possession. It is NOT RECOMMENDED that a client submits a possession. It is NOT RECOMMENDED that a client submits a
symmetric key value to the AS using this parameter. See symmetric key value to the AS using this parameter. See
Section 6.5.5 for more details on the formatting of the 'cnf' Section 5.5.4.5 for more details on the formatting of the 'cnf'
parameter. parameter.
The following examples illustrate different types of requests for The following examples illustrate different types of requests for
proof-of-possession tokens. proof-of-possession tokens.
Figure 2 shows a request for a token with a symmetric proof-of- Figure 2 shows a request for a token with a symmetric proof-of-
possession key. Note that in this example we assume a DTLS-based possession key. Note that in this example we assume a DTLS-based
communication security profile, therefore the Content-Type is communication security profile, therefore the Content-Type is
"application/cbor". The content is displayed in CBOR diagnostic "application/cbor". The content is displayed in CBOR diagnostic
notation, without abbreviations for better readability. notation, without abbreviations for better readability.
skipping to change at page 18, line 5 skipping to change at page 19, line 5
"aud" : "valve424", "aud" : "valve424",
"scope" : "read", "scope" : "read",
"cnf" : { "cnf" : {
"kid" : b64'6kg0dXJM13U' "kid" : b64'6kg0dXJM13U'
} }
} }
Figure 4: Example request for an access token bound to a key Figure 4: Example request for an access token bound to a key
reference. reference.
6.3. AS-to-Client Response 5.5.2. AS-to-Client Response
If the access token request has been successfully verified by the AS If the access token request has been successfully verified by the AS
and the client is authorized to obtain an access token corresponding and the client is authorized to obtain an access token corresponding
to its access token request, the AS sends a response with the CoAP to its access token request, the AS sends a response with the CoAP
response code 2.01 (Created). If client request was invalid, or not response code 2.01 (Created). If client request was invalid, or not
authorized, the AS returns an error response as described in authorized, the AS returns an error response as described in
Section 6.4. Section 5.5.3.
Note that the AS decides which token type and profile to use when Note that the AS decides which token type and profile to use when
issuing a successful response. It is assumed that the AS has prior issuing a successful response. It is assumed that the AS has prior
knowledge of the capabilities of the client, and the RS (see knowledge of the capabilities of the client, and the RS (see
Appendix D. This prior knowledge may, for example, be set by the use Appendix D. This prior knowledge may, for example, be set by the use
of a dynamic client registration protocol exchange [RFC7591]. of a dynamic client registration protocol exchange [RFC7591].
The content of the successful reply is the RS Information. It MUST The content of the successful reply is the RS Information. It MUST
be encoded as CBOR map, containing parameters as specified in section be encoded as CBOR map, containing parameters as specified in section
5.1 of [RFC6749]. In addition to these parameters, the following 5.1 of [RFC6749]. In addition to these parameters, the following
parameters are also part of a successful response: parameters are also part of a successful response:
profile profile
REQUIRED. This indicates the profile that the client MUST use REQUIRED. This indicates the profile that the client MUST use
towards the RS. See Section 6.5.4 for the formatting of this towards the RS. See Section 5.5.4.4 for the formatting of this
parameter. parameter.
cnf cnf
REQUIRED if the token type is 'pop'. OPTIONAL otherwise. If a REQUIRED if the token type is 'pop'. OPTIONAL otherwise. If a
symmetric proof-of-possession algorithms was selected, this field symmetric proof-of-possession algorithms was selected, this field
contains the proof-of-possession key. If an asymmetric algorithm contains the proof-of-possession key. If an asymmetric algorithm
was selected, this field contains information about the public key was selected, this field contains information about the public key
used by the RS to authenticate. See Section 6.5.5 for the used by the RS to authenticate. See Section 5.5.4.5 for the
formatting of this parameter. formatting of this parameter.
token_type token_type
OPTIONAL. By default implementations of this framework SHOULD OPTIONAL. By default implementations of this framework SHOULD
assume that the token_type is 'pop'. If a specific use case assume that the token_type is 'pop'. If a specific use case
requires another token_type (e.g. 'Bearer') to be used then this requires another token_type (e.g. 'Bearer') to be used then this
parameter is REQUIRED. parameter is REQUIRED.
Note that if CBOR Web Tokens [I-D.ietf-ace-cbor-web-token] are used, Note that if CBOR Web Tokens [I-D.ietf-ace-cbor-web-token] are used,
the access token can also contain a 'cnf' claim. This claim is the access token can also contain a 'cnf' claim. This claim is
however consumed by a different party. The access token is created however consumed by a different party. The access token is created
skipping to change at page 20, line 5 skipping to change at page 21, line 5
"kty" : "Symmetric", "kty" : "Symmetric",
"kid" : b64'39Gqlw', "kid" : b64'39Gqlw',
"k" : b64'hJtXhkV8FJG+Onbc6mxCcQh' "k" : b64'hJtXhkV8FJG+Onbc6mxCcQh'
} }
} }
} }
Figure 6: Example AS response with an access token bound to a Figure 6: Example AS response with an access token bound to a
symmetric key. symmetric key.
6.4. Error Response 5.5.3. Error Response
The error responses for CoAP-based interactions with the AS are The error responses for CoAP-based interactions with the AS are
equivalent to the ones for HTTP-based interactions as defined in equivalent to the ones for HTTP-based interactions as defined in
section 5.2 of [RFC6749], with the following differences: section 5.2 of [RFC6749], with the following differences:
o The Content-Type MUST be specified by the communication security o The Content-Type MUST be specified by the communication security
profile used between client and AS. The raw payload before being profile used between client and AS. The raw payload before being
processed by the communication security protocol MUST be encoded processed by the communication security protocol MUST be encoded
as a CBOR map. as a CBOR map.
o The CoAP response code 4.00 (Bad Request) MUST be used for all o The CoAP response code 4.00 (Bad Request) MUST be used for all
skipping to change at page 20, line 37 skipping to change at page 21, line 37
| invalid_request | 0 | 0 (uint) | | invalid_request | 0 | 0 (uint) |
| invalid_client | 1 | 0 | | invalid_client | 1 | 0 |
| invalid_grant | 2 | 0 | | invalid_grant | 2 | 0 |
| unauthorized_client | 3 | 0 | | unauthorized_client | 3 | 0 |
| unsupported_grant_type | 4 | 0 | | unsupported_grant_type | 4 | 0 |
| invalid_scope | 5 | 0 | | invalid_scope | 5 | 0 |
\------------------------+----------+--------------/ \------------------------+----------+--------------/
Figure 7: CBOR abbreviations for common error codes Figure 7: CBOR abbreviations for common error codes
6.5. Request and Response Parameters 5.5.4. Request and Response Parameters
This section provides more detail about the new parameters that can This section provides more detail about the new parameters that can
be used in access token requests and responses, as well as be used in access token requests and responses, as well as
abbreviations for more compact encoding of existing parameters and abbreviations for more compact encoding of existing parameters and
common parameter values. common parameter values.
6.5.1. Audience 5.5.4.1. Audience
This parameter specifies for which audience the client is requesting This parameter specifies for which audience the client is requesting
a token. It should be encoded as CBOR text string (major type 3). a token. It should be encoded as CBOR text string (major type 3).
The formatting and semantics of these strings are application The formatting and semantics of these strings are application
specific. specific.
6.5.2. Grant Type 5.5.4.2. Grant Type
The abbreviations in Figure 8 MAY be used in CBOR encodings instead The abbreviations in Figure 8 MAY be used in CBOR encodings instead
of the string values defined in [RFC6749]. of the string values defined in [RFC6749].
/--------------------+----------+--------------\ /--------------------+----------+--------------\
| grant_type | CBOR Key | Major Type | | grant_type | CBOR Key | Major Type |
|--------------------+----------+--------------| |--------------------+----------+--------------|
| password | 0 | 0 (uint) | | password | 0 | 0 (uint) |
| authorization_code | 1 | 0 | | authorization_code | 1 | 0 |
| client_credentials | 2 | 0 | | client_credentials | 2 | 0 |
| refresh_token | 3 | 0 | | refresh_token | 3 | 0 |
\--------------------+----------+--------------/ \--------------------+----------+--------------/
Figure 8: CBOR abbreviations for common grant types Figure 8: CBOR abbreviations for common grant types
6.5.3. Token Type 5.5.4.3. Token Type
The toke_type parameter is defined in [RFC6749], allowing the AS to The token_type parameter is defined in [RFC6749], allowing the AS to
indicate to the client which type of access token it is receiving indicate to the client which type of access token it is receiving
(e.g. a bearer token). (e.g. a bearer token).
This document registers the new value "pop" for the OAuth Access This document registers the new value "pop" for the OAuth Access
Token Types registry, specifying a Proof-of-Possession token. How Token Types registry, specifying a Proof-of-Possession token. How
the proof-of-possession is performed MUST be specified by the the proof-of-possession is performed MUST be specified by the
profiles. profiles.
The values in the 'token_type' parameter MUST be CBOR text strings The values in the 'token_type' parameter MUST be CBOR text strings
(major type 3). (major type 3).
In this framework token type 'pop' MUST be assumed by default if the In this framework token type 'pop' MUST be assumed by default if the
AS does not provide a different value. AS does not provide a different value.
6.5.4. Profile 5.5.4.4. Profile
Profiles of this framework MUST define the communication protocol and Profiles of this framework MUST define the communication protocol and
the communication security protocol between the client and the RS. the communication security protocol between the client and the RS.
Furthermore profiles MUST define proof-of-possession methods, if they Furthermore profiles MUST define proof-of-possession methods, if they
support proof-of-possession tokens. support proof-of-possession tokens.
A profile MUST specify an identifier that is used to uniquely A profile MUST specify an identifier that is used to uniquely
identify itself in the 'profile' parameter. identify itself in the 'profile' parameter.
Profiles MAY define additional parameters for both the token request Profiles MAY define additional parameters for both the token request
and the RS Information in the access token response in order to and the RS Information in the access token response in order to
support negotiation or signalling of profile specific parameters. support negotiation or signalling of profile specific parameters.
6.5.5. Confirmation 5.5.4.5. Confirmation
The "cnf" parameter identifies or provides the key used for proof-of- The "cnf" parameter identifies or provides the key used for proof-of-
possession or for authenticating the RS depending on the proof-of- possession or for authenticating the RS depending on the proof-of-
possession algorithm and the context cnf is used in. This framework possession algorithm and the context cnf is used in. This framework
extends the definition of 'cnf' from [RFC7800] by adding CBOR/COSE extends the definition of 'cnf' from [RFC7800] by adding CBOR/COSE
encodings and the use of 'cnf' for transporting keys in the RS encodings and the use of 'cnf' for transporting keys in the RS
Information. Information.
The "cnf" parameter is used in the following contexts with the The "cnf" parameter is used in the following contexts with the
following meaning: following meaning:
skipping to change at page 23, line 51 skipping to change at page 24, line 51
transport in the access token, token request and token response. transport in the access token, token request and token response.
Figure 12 shows such an example. Figure 12 shows such an example.
"cnf" : { "cnf" : {
"kid" : b64'39Gqlw' "kid" : b64'39Gqlw'
} }
Figure 12: A Confirmation parameter with just a key identifier Figure 12: A Confirmation parameter with just a key identifier
This specification establishes the IANA "CWT Confirmation Methods" This specification establishes the IANA "CWT Confirmation Methods"
registry for these types of confirmation methods in Section 11.10 and registry for these types of confirmation methods in Section 8.10 and
registers the methods defined by this specification. Other registers the methods defined by this specification. Other
specifications can register other methods used for confirmation. The specifications can register other methods used for confirmation. The
registry is meant to be analogous to the "JWT Confirmation Methods" registry is meant to be analogous to the "JWT Confirmation Methods"
registry defined by [RFC7800]. registry defined by [RFC7800].
6.6. Mapping parameters to CBOR 5.5.5. Mapping parameters to CBOR
All OAuth parameters in access token requests and responses are All OAuth parameters in access token requests and responses are
mapped to CBOR types as follows and are given an integer key value to mapped to CBOR types as follows and are given an integer key value to
save space. save space.
/-------------------+----------+-----------------\ /-------------------+----------+-----------------\
| Parameter name | CBOR Key | Major Type | | Parameter name | CBOR Key | Major Type |
|-------------------+----------+-----------------| |-------------------+----------+-----------------|
| aud | 3 | 3 | | aud | 3 | 3 |
| client_id | 8 | 3 (text string) | | client_id | 8 | 3 (text string) |
skipping to change at page 24, line 42 skipping to change at page 25, line 42
| expires_in | 21 | 0 | | expires_in | 21 | 0 |
| username | 22 | 3 | | username | 22 | 3 |
| password | 23 | 3 | | password | 23 | 3 |
| refresh_token | 24 | 3 | | refresh_token | 24 | 3 |
| cnf | 25 | 5 (map) | | cnf | 25 | 5 (map) |
| profile | 26 | 3 | | profile | 26 | 3 |
\-------------------+----------+-----------------/ \-------------------+----------+-----------------/
Figure 13: CBOR mappings used in token requests Figure 13: CBOR mappings used in token requests
7. The 'Introspect' Endpoint 5.6. The 'Introspect' Endpoint
Token introspection [RFC7662] is used by the RS and potentially the Token introspection [RFC7662] is used by the RS and potentially the
client to query the AS for metadata about a given token e.g. validity client to query the AS for metadata about a given token e.g. validity
or scope. Analogous to the protocol defined in RFC 7662 [RFC7662] or scope. Analogous to the protocol defined in RFC 7662 [RFC7662]
for HTTP and JSON, this section defines adaptations to more for HTTP and JSON, this section defines adaptations to more
constrained environments using CoAP and CBOR. constrained environments using CoAP and CBOR.
Communication between the RS and the introspection endpoint at the AS Communication between the RS and the introspection endpoint at the AS
MUST be integrity protected and encrypted. Furthermore AS and RS MUST be integrity protected and encrypted. Furthermore AS and RS
MUST perform mutual authentication. Finally the AS SHOULD verify MUST perform mutual authentication. Finally the AS SHOULD verify
that the RS has the right to access introspection information about that the RS has the right to access introspection information about
the provided token. Profiles of this framework that support the provided token. Profiles of this framework that support
introspection MUST specify how authentication and communication introspection MUST specify how authentication and communication
security between RS and AS is implemented. security between RS and AS is implemented.
The figures of this section uses CBOR diagnostic notation without the The figures of this section uses CBOR diagnostic notation without the
integer abbreviations for the parameters or their values for better integer abbreviations for the parameters or their values for better
readability. readability.
7.1. RS-to-AS Request 5.6.1. RS-to-AS Request
The RS sends a CoAP POST request to the introspection endpoint at the The RS sends a CoAP POST request to the introspection endpoint at the
AS, the profile MUST specify the Content-Type and wrapping of the AS, the profile MUST specify the Content-Type and wrapping of the
payload. The payload MUST be encoded as a CBOR map with a 'token' payload. The payload MUST be encoded as a CBOR map with a 'token'
parameter containing the access token along with optional parameters parameter containing the access token along with optional parameters
representing additional context that is known by the RS to aid the AS representing additional context that is known by the RS to aid the AS
in its response. in its response.
The same parameters are required and optional as in section 2.1 of The same parameters are required and optional as in section 2.1 of
RFC 7662 [RFC7662]. RFC 7662 [RFC7662].
skipping to change at page 25, line 44 skipping to change at page 26, line 44
Uri-Path: "introspect" Uri-Path: "introspect"
Content-Type: "application/cose+cbor" Content-Type: "application/cose+cbor"
Payload: Payload:
{ {
"token" : b64'7gj0dXJQ43U', "token" : b64'7gj0dXJQ43U',
"token_type_hint" : "pop" "token_type_hint" : "pop"
} }
Figure 14: Example introspection request. Figure 14: Example introspection request.
7.2. AS-to-RS Response 5.6.2. AS-to-RS Response
If the introspection request is authorized and successfully If the introspection request is authorized and successfully
processed, the AS sends a response with the CoAP response code 2.01 processed, the AS sends a response with the CoAP response code 2.01
(Created). If the introspection request was invalid, not authorized (Created). If the introspection request was invalid, not authorized
or couldn't be processed the AS returns an error response as or couldn't be processed the AS returns an error response as
described in Section 7.3. described in Section 5.6.3.
In a successful response, the AS encodes the response parameters in a In a successful response, the AS encodes the response parameters in a
CBOR map including with the same required and optional parameters as CBOR map including with the same required and optional parameters as
in section 2.2. of RFC 7662 [RFC7662] with the following additions: in section 2.2. of RFC 7662 [RFC7662] with the following additions:
cnf cnf
OPTIONAL. This field contains information about the proof-of- OPTIONAL. This field contains information about the proof-of-
possession key that binds the client to the access token. See possession key that binds the client to the access token. See
Section 6.5.5 for more details on the formatting of the 'cnf' Section 5.5.4.5 for more details on the formatting of the 'cnf'
parameter. parameter.
profile profile
OPTIONAL. This indicates the profile that the RS MUST use with OPTIONAL. This indicates the profile that the RS MUST use with
the client. See Section 6.5.4 for more details on the formatting the client. See Section 5.5.4.4 for more details on the
of this parameter. formatting of this parameter.
client_token client_token
OPTIONAL. This parameter contains information that the RS MUST OPTIONAL. This parameter contains information that the RS MUST
pass on to the client. See Section 7.4 for more details. pass on to the client. See Section 5.6.4 for more details.
For example, Figure 15 shows an AS response to the introspection For example, Figure 15 shows an AS response to the introspection
request in Figure 14. Note that we assume a DTLS-based communication request in Figure 14. Note that we assume a DTLS-based communication
security profile for this example, therefore the Content-Type is security profile for this example, therefore the Content-Type is
"application/cbor". "application/cbor".
Header: Created Code=2.01) Header: Created Code=2.01)
Content-Type: "application/cbor" Content-Type: "application/cbor"
Payload: Payload:
{ {
skipping to change at page 27, line 5 skipping to change at page 28, line 5
"COSE_Key" : { "COSE_Key" : {
"kty" : "Symmetric", "kty" : "Symmetric",
"kid" : b64'39Gqlw', "kid" : b64'39Gqlw',
"k" : b64'hJtXhkV8FJG+Onbc6mxCcQh' "k" : b64'hJtXhkV8FJG+Onbc6mxCcQh'
} }
} }
} }
Figure 15: Example introspection response. Figure 15: Example introspection response.
7.3. Error Response 5.6.3. Error Response
The error responses for CoAP-based interactions with the AS are The error responses for CoAP-based interactions with the AS are
equivalent to the ones for HTTP-based interactions as defined in equivalent to the ones for HTTP-based interactions as defined in
section 2.3 of [RFC7662], with the following differences: section 2.3 of [RFC7662], with the following differences:
o If content is sent, the Content-Type MUST be set according to the o If content is sent, the Content-Type MUST be set according to the
specification of the communication security profile, and the specification of the communication security profile, and the
content payload MUST be encoded as a CBOR map. content payload MUST be encoded as a CBOR map.
o If the credentials used by the RS are invalid the AS MUST respond o If the credentials used by the RS are invalid the AS MUST respond
with the CoAP response code 4.01 (Unauthorized) and use the with the CoAP response code 4.01 (Unauthorized) and use the
skipping to change at page 27, line 32 skipping to change at page 28, line 32
abbreviated using the codes specified in table Figure 13. abbreviated using the codes specified in table Figure 13.
o The error codes MAY be abbreviated using the codes specified in o The error codes MAY be abbreviated using the codes specified in
table Figure 7. table Figure 7.
Note that a properly formed and authorized query for an inactive or Note that a properly formed and authorized query for an inactive or
otherwise invalid token does not warrant an error response by this otherwise invalid token does not warrant an error response by this
specification. In these cases, the authorization server MUST instead specification. In these cases, the authorization server MUST instead
respond with an introspection response with the "active" field set to respond with an introspection response with the "active" field set to
"false". "false".
7.4. Client Token 5.6.4. Client Token
EDITORIAL NOTE: We have tentatively introduced this concept and would EDITORIAL NOTE: We have tentatively introduced this concept and would
specifically like feedback whether this is viewed as a useful specifically like feedback whether this is viewed as a useful
addition to the framework. addition to the framework.
In cases where the client has limited connectivity and needs to get In cases where the client has limited connectivity and needs to get
access to a previously unknown resource servers, this framework access to a previously unknown resource servers, this framework
suggests the following approach: The client is pre-configured with a suggests the following approach: The client is pre-configured with a
generic, long-term access token when it is commissioned. When the generic, long-term access token when it is commissioned. When the
client then tries to access a RS it transmits this access token. The client then tries to access a RS it transmits this access token. The
skipping to change at page 28, line 32 skipping to change at page 29, line 32
| + Client Token | | + Client Token |
Figure 16: Use of the client_token parameter. Figure 16: Use of the client_token parameter.
The client token is a COSE_Encrypted object, containing as payload a The client token is a COSE_Encrypted object, containing as payload a
CBOR map with the following claims: CBOR map with the following claims:
cnf cnf
REQUIRED if the token type is 'pop', OPTIONAL otherwise. Contains REQUIRED if the token type is 'pop', OPTIONAL otherwise. Contains
information about the proof-of-possession key the client is to use information about the proof-of-possession key the client is to use
with its access token. See Section 6.5.5. with its access token. See Section 5.5.4.5.
token_type token_type
OPTIONAL. See Section 6.5.3. OPTIONAL. See Section 5.5.4.3.
profile profile
REQUIRED. See Section 6.5.4. REQUIRED. See Section 5.5.4.4.
rs_cnf rs_cnf
OPTIONAL. Contains information about the key that the RS uses to OPTIONAL. Contains information about the key that the RS uses to
authenticate towards the client. If the key is symmetric then authenticate towards the client. If the key is symmetric then
this claim MUST NOT be part of the Client Token, since this is the this claim MUST NOT be part of the Client Token, since this is the
same key as the one specified through the 'cnf' claim. This claim same key as the one specified through the 'cnf' claim. This claim
uses the same encoding as the 'cnf' parameter. See Section 6.5.4. uses the same encoding as the 'cnf' parameter. See
Section 5.5.4.4.
The AS encrypts this token using a key shared between the AS and the The AS encrypts this token using a key shared between the AS and the
client, so that only the client can decrypt it and access its client, so that only the client can decrypt it and access its
payload. How this key is established is out of scope of this payload. How this key is established is out of scope of this
framework. framework.
7.5. Mapping Introspection parameters to CBOR 5.6.5. Mapping Introspection parameters to CBOR
The introspection request and response parameters are mapped to CBOR The introspection request and response parameters are mapped to CBOR
types as follows and are given an integer key value to save space. types as follows and are given an integer key value to save space.
/-----------------+----------+-----------------\ /-----------------+----------+-----------------\
| Parameter name | CBOR Key | Major Type | | Parameter name | CBOR Key | Major Type |
|-----------------+----------+-----------------| |-----------------+----------+-----------------|
| iss | 1 | 3 (text string) | | iss | 1 | 3 (text string) |
| sub | 2 | 3 | | sub | 2 | 3 |
| aud | 3 | 3 | | aud | 3 | 3 |
skipping to change at page 29, line 35 skipping to change at page 30, line 35
| profile | 26 | 0 (uint) | | profile | 26 | 0 (uint) |
| token | 27 | 3 | | token | 27 | 3 |
| token_type_hint | 28 | 3 | | token_type_hint | 28 | 3 |
| active | 29 | 0 | | active | 29 | 0 |
| client_token | 30 | 3 | | client_token | 30 | 3 |
| rs_cnf | 31 | 5 | | rs_cnf | 31 | 5 |
\-----------------+----------+-----------------/ \-----------------+----------+-----------------/
Figure 17: CBOR Mappings to Token Introspection Parameters. Figure 17: CBOR Mappings to Token Introspection Parameters.
8. The Access Token 5.7. The Access Token
This framework RECOMMENDS the use of CBOR web token (CWT) as This framework RECOMMENDS the use of CBOR web token (CWT) as
specified in [I-D.ietf-ace-cbor-web-token]. specified in [I-D.ietf-ace-cbor-web-token].
In order to facilitate offline processing of access tokens, this In order to facilitate offline processing of access tokens, this
draft specifies the "cnf" and "scope" claims for CBOR web tokens. draft specifies the "cnf" and "scope" claims for CBOR web tokens.
The "scope" claim explicitly encodes the scope of a given access The "scope" claim explicitly encodes the scope of a given access
token. This claim follows the same encoding rules as defined in token. This claim follows the same encoding rules as defined in
section 3.3 of [RFC6749]. The meaning of a specific scope value is section 3.3 of [RFC6749]. The meaning of a specific scope value is
application specific and expected to be known to the RS running that application specific and expected to be known to the RS running that
application. application.
The "cnf" claim follows the same rules as specified for JSON web The "cnf" claim follows the same rules as specified for JSON web
token in RFC7800 [RFC7800], except that it is encoded in CBOR in the token in RFC7800 [RFC7800], except that it is encoded in CBOR in the
same way as specified for the "cnf" parameter in Section 6.5.5. same way as specified for the "cnf" parameter in Section 5.5.4.5.
8.1. The 'Authorization Information' Endpoint 5.7.1. The 'Authorization Information' Endpoint
The access token, containing authorization information and The access token, containing authorization information and
information about the key used by the client, needs to be transported information about the key used by the client, needs to be transported
to the RS so that the RS can authenticate and authorize the client to the RS so that the RS can authenticate and authorize the client
request. request.
This section defines a method for transporting the access token to This section defines a method for transporting the access token to
the RS using CoAP. Profiles of this framework MAY define other the RS using CoAP. Profiles of this framework MAY define other
methods for token transport. methods for token transport.
skipping to change at page 30, line 36 skipping to change at page 31, line 36
the token does not match the RS, the RS MUST respond with the CoAP the token does not match the RS, the RS MUST respond with the CoAP
response code 4.03 (Forbidden). If the token is valid but is response code 4.03 (Forbidden). If the token is valid but is
associated to claims that the RS cannot process (e.g. an unknown associated to claims that the RS cannot process (e.g. an unknown
scope) the RS MUST respond with the CoAP response code 4.00 (Bad scope) the RS MUST respond with the CoAP response code 4.00 (Bad
Request). In the latter case the RS MAY provide additional Request). In the latter case the RS MAY provide additional
information in the error response, in order to clarify what went information in the error response, in order to clarify what went
wrong. wrong.
The RS MAY make an introspection request to validate the token before The RS MAY make an introspection request to validate the token before
responding to the POST /authz-info request. If the introspection responding to the POST /authz-info request. If the introspection
response contains a client token (Section 7.4) then this token SHALL response contains a client token (Section 5.6.4) then this token
be included in the payload of the 2.01 (Created) response. SHALL be included in the payload of the 2.01 (Created) response.
Profiles MUST specify how the /authz-info endpoint is protected. Profiles MUST specify how the /authz-info endpoint is protected.
Note that since the token contains information that allow the client Note that since the token contains information that allow the client
and the RS to establish a security context in the first place, mutual and the RS to establish a security context in the first place, mutual
authentication may not be possible at this point. authentication may not be possible at this point.
The RS MUST be prepared to store more than one token for each client, The RS MUST be prepared to store more than one token for each client,
and MUST apply the combined permissions granted by all applicable, and MUST apply the combined permissions granted by all applicable,
valid tokens to client requests. valid tokens to client requests.
8.2. Token Expiration 5.7.2. Token Expiration
Depending on the capabilities of the RS, there are various ways in Depending on the capabilities of the RS, there are various ways in
which it can verify the validity of a received access token. We list which it can verify the validity of a received access token. We list
the possibilities here including what functionality they require of the possibilities here including what functionality they require of
the RS. the RS.
o The token is a CWT/JWT and includes a 'exp' claim and possibly the o The token is a CWT/JWT and includes a 'exp' claim and possibly the
'nbf' claim. The RS verifies these by comparing them to values 'nbf' claim. The RS verifies these by comparing them to values
from its internal clock as defined in [RFC7519]. In this case the from its internal clock as defined in [RFC7519]. In this case the
RS's internal clock must reflect the current date and time, or at RS's internal clock must reflect the current date and time, or at
least be synchronized with the AS's clock. How this clock least be synchronized with the AS's clock. How this clock
synchronization would be performed is out of scope for this memo. synchronization would be performed is out of scope for this memo.
o The RS verifies the validity of the token by performing an o The RS verifies the validity of the token by performing an
introspection request as specified in Section 7. This requires introspection request as specified in Section 5.6. This requires
the RS to have a reliable network connection to the AS and to be the RS to have a reliable network connection to the AS and to be
able to handle two secure sessions in parallel (C to RS and AS to able to handle two secure sessions in parallel (C to RS and AS to
RS). RS).
o The RS and the AS both store a sequence number linked to their o The RS and the AS both store a sequence number linked to their
common security association. The AS increments this number for common security association. The AS increments this number for
each access token it issues and includes it in the access token, each access token it issues and includes it in the access token,
which is a CWT/JWT. The RS keeps track of the most recently which is a CWT. The RS keeps track of the most recently received
received sequence number, and only accepts tokens as valid, that sequence number, and only accepts tokens as valid, that are in a
are in a certain range around this number. This method does only certain range around this number. This method does only require
require the RS to keep track of the sequence number. The method the RS to keep track of the sequence number. The method does not
does not provide timely expiration, but it makes sure that older provide timely expiration, but it makes sure that older tokens
tokens cease to be valid after a certain number of newer ones got cease to be valid after a certain number of newer ones got issued.
issued. For a constrained RS with no network connectivity and no For a constrained RS with no network connectivity and no means of
means of reliably measuring time, this is the best that can be reliably measuring time, this is the best that can be achieved.
achieved.
If a token, that authorizes a long running request such as e.g. a If a token, that authorizes a long running request such as e.g. a
CoAP Observe [RFC7641], expires, the RS MUST send an error response CoAP Observe [RFC7641], expires, the RS MUST send an error response
with the response code 4.01 Unauthorized to the client and then with the response code 4.01 Unauthorized to the client and then
terminate processing the long running request. terminate processing the long running request.
9. Security Considerations 6. Security Considerations
The entire document is about security. Security considerations The entire document is about security. Security considerations
applicable to authentication and authorization in RESTful applicable to authentication and authorization in RESTful
environments provided in OAuth 2.0 [RFC6749] apply to this work, as environments provided in OAuth 2.0 [RFC6749] apply to this work, as
well as the security considerations from [I-D.ietf-ace-actors]. well as the security considerations from [I-D.ietf-ace-actors].
Furthermore [RFC6819] provides additional security considerations for Furthermore [RFC6819] provides additional security considerations for
OAuth which apply to IoT deployments as well. OAuth which apply to IoT deployments as well.
A large range of threats can be mitigated by protecting the contents A large range of threats can be mitigated by protecting the contents
of the access token by using a digital signature or a keyed message of the access token by using a digital signature or a keyed message
skipping to change at page 33, line 10 skipping to change at page 34, line 7
SHOULD scope these access tokens to a specific permissions. SHOULD scope these access tokens to a specific permissions.
Furthermore access tokens SHOULD NOT apply to an audience that Furthermore access tokens SHOULD NOT apply to an audience that
comprises more than one RS, since otherwise any RS in the audience comprises more than one RS, since otherwise any RS in the audience
can impersonate the client towards the other members of the audience. can impersonate the client towards the other members of the audience.
Clients using an asymmetric key pair for proof-of-possession towards Clients using an asymmetric key pair for proof-of-possession towards
several different RS should be aware that they will need to rotate several different RS should be aware that they will need to rotate
that key pair more frequently than if it was only used towards a that key pair more frequently than if it was only used towards a
single RS. single RS.
10. Privacy Considerations 7. Privacy Considerations
Implementers and users should be aware of the privacy implications of Implementers and users should be aware of the privacy implications of
the different possible deployments of this framework. the different possible deployments of this framework.
The AS is in a very central position can potentially learn sensitive The AS is in a very central position can potentially learn sensitive
information about the clients requesting access tokens. If the information about the clients requesting access tokens. If the
client credentials grant is used, the AS can track what kind of client credentials grant is used, the AS can track what kind of
access the client intends to perform. With other grants, the access the client intends to perform. With other grants, the
Resource Owner can bind the grants to anonymous (rotating) Resource Owner can bind the grants to anonymous (rotating)
credentials, that do not allow the AS to link different access token credentials, that do not allow the AS to link different access token
skipping to change at page 33, line 36 skipping to change at page 34, line 33
JWTs the token may e.g. reveal the audience, the scope and the JWTs the token may e.g. reveal the audience, the scope and the
confirmation method used by the client. The latter may reveal the confirmation method used by the client. The latter may reveal the
client's identity. client's identity.
Clients using asymmetric keys for proof-of-possession should be aware Clients using asymmetric keys for proof-of-possession should be aware
of the consequences of using the same key pair for proof-of- of the consequences of using the same key pair for proof-of-
possession towards different RS. A set of colluding RS or an possession towards different RS. A set of colluding RS or an
attacker able to obtain the access tokens will be able to link the attacker able to obtain the access tokens will be able to link the
requests, or even to determine the client's identity. requests, or even to determine the client's identity.
11. IANA Considerations 8. IANA Considerations
This specification registers new parameters for OAuth and establishes This specification registers new parameters for OAuth and establishes
registries for mappings to CBOR. registries for mappings to CBOR.
11.1. OAuth Introspection Response Parameter Registration 8.1. OAuth Introspection Response Parameter Registration
This specification registers the following parameters in the OAuth This specification registers the following parameters in the OAuth
introspection response parameters introspection response parameters
o Name: "cnf" o Name: "cnf"
o Description: Key to prove the right to use an access token, as o Description: Key to prove the right to use an access token, as
defined in [RFC7800]. defined in [RFC7800].
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
skipping to change at page 34, line 6 skipping to change at page 35, line 4
o Name: "cnf" o Name: "cnf"
o Description: Key to prove the right to use an access token, as o Description: Key to prove the right to use an access token, as
defined in [RFC7800]. defined in [RFC7800].
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Name: "aud" o Name: "aud"
o Description: Reference to intended receiving RS, as defined in PoP o Description: Reference to intended receiving RS, as defined in PoP
token specification. token specification.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Name: "profile" o Name: "profile"
o Description: The communication and communication security profile o Description: The communication and communication security profile
used between client and RS, as defined in ACE profiles. used between client and RS, as defined in ACE profiles.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Name: "client_token" o Name: "client_token"
o Description: Information that the RS MUST pass to the client e.g. o Description: Information that the RS MUST pass to the client e.g.
about the proof-of-possession keys. about the proof-of-possession keys.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Name: "rs_cnf" o Name: "rs_cnf"
o Description: Describes the public key the RS uses to authenticate. o Description: Describes the public key the RS uses to authenticate.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.2. OAuth Parameter Registration 8.2. OAuth Parameter Registration
This specification registers the following parameters in the OAuth This specification registers the following parameters in the OAuth
Parameters Registry Parameters Registry
o Parameter name: "profile" o Parameter name: "profile"
o Parameter usage location: token request, and token response o Parameter usage location: token request, and token response
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Name: "cnf" o Name: "cnf"
o Description: Key to prove the right to use an access token, as o Description: Key to prove the right to use an access token, as
defined in [RFC7800]. defined in [RFC7800].
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.3. OAuth Access Token Types 8.3. OAuth Access Token Types
This specification registers the following new token type in the This specification registers the following new token type in the
OAuth Access Token Types Registry OAuth Access Token Types Registry
o Name: "PoP" o Name: "PoP"
o Description: A proof-of-possession token. o Description: A proof-of-possession token.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.4. Token Type Mappings 8.4. Token Type Mappings
A new registry will be requested from IANA, entitled "Token Type A new registry will be requested from IANA, entitled "Token Type
Mappings". The registry is to be created as Expert Review Required. Mappings". The registry is to be created as Expert Review Required.
11.4.1. Registration Template 8.4.1. Registration Template
Token Type: Token Type:
Name of token type as registered in the OAuth token type registry Name of token type as registered in the OAuth token type registry
e.g. "Bearer". e.g. "Bearer".
Mapped value: Mapped value:
Integer representation for the token type value. The key value Integer representation for the token type value. The key value
MUST be an integer in the range of 1 to 65536. MUST be an integer in the range of 1 to 65536.
Change Controller: Change Controller:
For Standards Track RFCs, list the "IESG". For others, give the For Standards Track RFCs, list the "IESG". For others, give the
name of the responsible party. Other details (e.g., postal name of the responsible party. Other details (e.g., postal
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the Reference to the document or documents that specify the
parameter,preferably including URIs that can be used to retrieve parameter,preferably including URIs that can be used to retrieve
copies of the documents. An indication of the relevant sections copies of the documents. An indication of the relevant sections
may also be included but is not required. may also be included but is not required.
11.4.2. Initial Registry Contents 8.4.2. Initial Registry Contents
o Parameter name: "Bearer" o Parameter name: "Bearer"
o Mapped value: 1 o Mapped value: 1
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter name: "pop" o Parameter name: "pop"
o Mapped value: 2 o Mapped value: 2
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.5. CBOR Web Token Claims 8.5. CBOR Web Token Claims
This specification registers the following new claims in the CBOR Web This specification registers the following new claims in the CBOR Web
Token (CWT) registry: Token (CWT) registry:
o Claim Name: "scope" o Claim Name: "scope"
o Claim Description: The scope of an access token as defined in o Claim Description: The scope of an access token as defined in
[RFC6749]. [RFC6749].
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Claim Name: "cnf" o Claim Name: "cnf"
o Claim Description: The proof-of-possession key of an access token o Claim Description: The proof-of-possession key of an access token
as defined in [RFC7800]. as defined in [RFC7800].
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.6. ACE Profile Registry 8.6. ACE Profile Registry
A new registry will be requested from IANA, entitled "ACE Profile A new registry will be requested from IANA, entitled "ACE Profile
Registry". The registry is to be created as Expert Review Required. Registry". The registry is to be created as Expert Review Required.
11.6.1. Registration Template 8.6.1. Registration Template
Profile name: Profile name:
Name of the profile to be included in the profile attribute. Name of the profile to be included in the profile attribute.
Profile description: Profile description:
Text giving an overview of the profile and the context it is Text giving an overview of the profile and the context it is
developed for. developed for.
Profile ID: Profile ID:
Integer value to identify the profile. The value MUST be an Integer value to identify the profile. The value MUST be an
integer in the range of 1 to 65536. integer in the range of 1 to 65536.
Change Controller: Change Controller:
For Standards Track RFCs, list the "IESG". For others, give the For Standards Track RFCs, list the "IESG". For others, give the
name of the responsible party. Other details (e.g., postal name of the responsible party. Other details (e.g., postal
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the Reference to the document or documents that specify the
parameter,preferably including URIs that can be used to retrieve parameter,preferably including URIs that can be used to retrieve
copies of the documents. An indication of the relevant sections copies of the documents. An indication of the relevant sections
may also be included but is not required. may also be included but is not required.
11.7. OAuth Parameter Mappings Registry 8.7. OAuth Parameter Mappings Registry
A new registry will be requested from IANA, entitled "Token Endpoint A new registry will be requested from IANA, entitled "Token Endpoint
CBOR Mappings Registry". The registry is to be created as Expert CBOR Mappings Registry". The registry is to be created as Expert
Review Required. Review Required.
11.7.1. Registration Template 8.7.1. Registration Template
Parameter name: Parameter name:
OAuth Parameter name, refers to the name in the OAuth parameter OAuth Parameter name, refers to the name in the OAuth parameter
registry e.g. "client_id". registry e.g. "client_id".
CBOR key value: CBOR key value:
Key value for the claim. The key value MUST be an integer in the Key value for the claim. The key value MUST be an integer in the
range of 1 to 65536. range of 1 to 65536.
Change Controller: Change Controller:
For Standards Track RFCs, list the "IESG". For others, give the For Standards Track RFCs, list the "IESG". For others, give the
name of the responsible party. Other details (e.g., postal name of the responsible party. Other details (e.g., postal
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the Reference to the document or documents that specify the
parameter,preferably including URIs that can be used to retrieve parameter,preferably including URIs that can be used to retrieve
copies of the documents. An indication of the relevant sections copies of the documents. An indication of the relevant sections
may also be included but is not required. may also be included but is not required.
11.7.2. Initial Registry Contents 8.7.2. Initial Registry Contents
o Parameter name: "aud" o Parameter name: "aud"
o CBOR key value: 3 o CBOR key value: 3
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter name: "client_id" o Parameter name: "client_id"
o CBOR key value: 8 o CBOR key value: 8
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
skipping to change at page 39, line 16 skipping to change at page 40, line 16
o Parameter name: "cnf" o Parameter name: "cnf"
o CBOR key value: 25 o CBOR key value: 25
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter name: "profile" o Parameter name: "profile"
o CBOR key value: 26 o CBOR key value: 26
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.8. Introspection Endpoint CBOR Mappings Registry 8.8. Introspection Endpoint CBOR Mappings Registry
A new registry will be requested from IANA, entitled "Introspection A new registry will be requested from IANA, entitled "Introspection
Endpoint CBOR Mappings Registry". The registry is to be created as Endpoint CBOR Mappings Registry". The registry is to be created as
Expert Review Required. Expert Review Required.
11.8.1. Registration Template 8.8.1. Registration Template
Response parameter name: Response parameter name:
Name of the response parameter as defined in the "OAuth Token Name of the response parameter as defined in the "OAuth Token
Introspection Response" registry e.g. "active". Introspection Response" registry e.g. "active".
CBOR key value: CBOR key value:
Key value for the claim. The key value MUST be an integer in the Key value for the claim. The key value MUST be an integer in the
range of 1 to 65536. range of 1 to 65536.
Change Controller: Change Controller:
For Standards Track RFCs, list the "IESG". For others, give the For Standards Track RFCs, list the "IESG". For others, give the
name of the responsible party. Other details (e.g., postal name of the responsible party. Other details (e.g., postal
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the Reference to the document or documents that specify the
parameter,preferably including URIs that can be used to retrieve parameter,preferably including URIs that can be used to retrieve
copies of the documents. An indication of the relevant sections copies of the documents. An indication of the relevant sections
may also be included but is not required. may also be included but is not required.
11.8.2. Initial Registry Contents 8.8.2. Initial Registry Contents
o Response parameter name: "iss" o Response parameter name: "iss"
o CBOR key value: 1 o CBOR key value: 1
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Response parameter name: "sub" o Response parameter name: "sub"
o CBOR key value: 2 o CBOR key value: 2
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
skipping to change at page 41, line 36 skipping to change at page 42, line 36
o Response parameter name: "client_token" o Response parameter name: "client_token"
o CBOR key value: 30 o CBOR key value: 30
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Response parameter name: "rs_cnf" o Response parameter name: "rs_cnf"
o CBOR key value: 31 o CBOR key value: 31
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
11.9. CoAP Option Number Registration 8.9. CoAP Option Number Registration
This section registers the "Access-Token" CoAP Option Number in the This section registers the "Access-Token" CoAP Option Number in the
"CoRE Parameters" sub-registry "CoAP Option Numbers" in the manner "CoRE Parameters" sub-registry "CoAP Option Numbers" in the manner
described in [RFC7252]. described in [RFC7252].
Name Name
Access-Token Access-Token
Number Number
skipping to change at page 42, line 20 skipping to change at page 43, line 20
Yes Yes
Format Format
Based on the observer the format is perceived differently. Opaque Based on the observer the format is perceived differently. Opaque
data to the client and CWT or reference token to the RS. data to the client and CWT or reference token to the RS.
Length Length
Less then 255 bytes Less then 255 bytes
11.10. CWT Confirmation Methods Registry 8.10. CWT Confirmation Methods Registry
This specification establishes the IANA "CWT Confirmation Methods" This specification establishes the IANA "CWT Confirmation Methods"
registry for CWT "cnf" member values. The registry records the registry for CWT "cnf" member values. The registry records the
confirmation method member and a reference to the specification that confirmation method member and a reference to the specification that
defines it. defines it.
11.10.1. Registration Template 8.10.1. Registration Template
Confirmation Method Name: Confirmation Method Name:
The name requested (e.g., "kid"). This name is intended to be The name requested (e.g., "kid"). This name is intended to be
human readable and be used for debugging purposes. It is case human readable and be used for debugging purposes. It is case
sensitive. Names may not match other registered names in a case- sensitive. Names may not match other registered names in a case-
insensitive manner unless the Designated Experts state that there insensitive manner unless the Designated Experts state that there
is a compelling reason to allow an exception. is a compelling reason to allow an exception.
Confirmation Method Value: Confirmation Method Value:
Integer representation for the confirmation method value. Integer representation for the confirmation method value.
skipping to change at page 43, line 10 skipping to change at page 44, line 10
name of the responsible party. Other details (e.g., postal name of the responsible party. Other details (e.g., postal
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the parameter, Reference to the document or documents that specify the parameter,
preferably including URIs that can be used to retrieve copies of preferably including URIs that can be used to retrieve copies of
the documents. An indication of the relevant sections may also be the documents. An indication of the relevant sections may also be
included but is not required. included but is not required.
11.10.2. Initial Registry Contents 8.10.2. Initial Registry Contents
o Confirmation Method Name: "COSE_Key" o Confirmation Method Name: "COSE_Key"
o Confirmation Method Value: 1 o Confirmation Method Value: 1
o Confirmation Method Description: A COSE_Key that is either a o Confirmation Method Description: A COSE_Key that is either a
public key or a symmetric key. public key or a symmetric key.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Confirmation Method Name: "COSE_Encrypted" o Confirmation Method Name: "COSE_Encrypted"
o Confirmation Method Value: 2 o Confirmation Method Value: 2
skipping to change at page 43, line 32 skipping to change at page 44, line 32
wraps a COSE_Key containing a symmetric key. wraps a COSE_Key containing a symmetric key.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Confirmation Method Name: "Key Identifier" o Confirmation Method Name: "Key Identifier"
o Confirmation Method Value: 3 o Confirmation Method Value: 3
o Confirmation Method Description: A key identifier. o Confirmation Method Description: A key identifier.
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
12. Acknowledgments 9. Acknowledgments
We would like to thank Eve Maler for her contributions to the use of We would like to thank Eve Maler for her contributions to the use of
OAuth 2.0 and UMA in IoT scenarios, Robert Taylor for his discussion OAuth 2.0 and UMA in IoT scenarios, Robert Taylor for his discussion
input, and Malisa Vucinic for his input on the predecessors of this input, and Malisa Vucinic for his input on the predecessors of this
proposal. Finally, we would like to thank the ACE working group in proposal. Finally, we would like to thank the ACE working group in
general for their feedback. general for their feedback.
We would like to thank the authors of draft-ietf-oauth-pop-key- We would like to thank the authors of draft-ietf-oauth-pop-key-
distribution, from where we copied large parts of our security distribution, from where we copied large parts of our security
considerations. considerations.
Ludwig Seitz and Goeran Selander worked on this document as part of Ludwig Seitz and Goeran Selander worked on this document as part of
the CelticPlus project CyberWI, with funding from Vinnova. the CelticPlus project CyberWI, with funding from Vinnova.
13. References 10. References
13.1. Normative References 10.1. Normative References
[I-D.ietf-cose-msg] [I-D.ietf-cose-msg]
Schaad, J., "CBOR Object Signing and Encryption (COSE)", Schaad, J., "CBOR Object Signing and Encryption (COSE)",
draft-ietf-cose-msg-24 (work in progress), November 2016. draft-ietf-cose-msg-24 (work in progress), November 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 44, line 33 skipping to change at page 45, line 33
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662, October 2015, RFC 7662, DOI 10.17487/RFC7662, October 2015,
<http://www.rfc-editor.org/info/rfc7662>. <http://www.rfc-editor.org/info/rfc7662>.
[RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-
Possession Key Semantics for JSON Web Tokens (JWTs)", Possession Key Semantics for JSON Web Tokens (JWTs)",
RFC 7800, DOI 10.17487/RFC7800, April 2016, RFC 7800, DOI 10.17487/RFC7800, April 2016,
<http://www.rfc-editor.org/info/rfc7800>. <http://www.rfc-editor.org/info/rfc7800>.
13.2. Informative References 10.2. Informative References
[I-D.ietf-ace-actors] [I-D.ietf-ace-actors]
Gerdes, S., Seitz, L., Selander, G., and C. Bormann, "An Gerdes, S., Seitz, L., Selander, G., and C. Bormann, "An
architecture for authorization in constrained architecture for authorization in constrained
environments", draft-ietf-ace-actors-04 (work in environments", draft-ietf-ace-actors-05 (work in
progress), September 2016. progress), March 2017.
[I-D.ietf-ace-cbor-web-token] [I-D.ietf-ace-cbor-web-token]
Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
"CBOR Web Token (CWT)", draft-ietf-ace-cbor-web-token-02 "CBOR Web Token (CWT)", draft-ietf-ace-cbor-web-token-03
(work in progress), January 2017. (work in progress), March 2017.
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security of CoAP (OSCOAP)", draft-ietf-core- "Object Security of CoAP (OSCOAP)", draft-ietf-core-
object-security-01 (work in progress), December 2016. object-security-01 (work in progress), December 2016.
[I-D.ietf-oauth-device-flow] [I-D.ietf-oauth-device-flow]
Denniss, W., Myrseth, S., Bradley, J., Jones, M., and H. Denniss, W., Bradley, J., Jones, M., and H. Tschofenig,
Tschofenig, "OAuth 2.0 Device Flow", draft-ietf-oauth- "OAuth 2.0 Device Flow for Browserless and Input
device-flow-03 (work in progress), July 2016. Constrained Devices", draft-ietf-oauth-device-flow-04
(work in progress), February 2017.
[I-D.ietf-oauth-native-apps] [I-D.ietf-oauth-native-apps]
Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps", Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps",
draft-ietf-oauth-native-apps-07 (work in progress), draft-ietf-oauth-native-apps-09 (work in progress), March
January 2017. 2017.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>. <http://www.rfc-editor.org/info/rfc4949>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>. <http://www.rfc-editor.org/info/rfc5246>.
skipping to change at page 50, line 43 skipping to change at page 51, line 43
security. security.
Appendix C. Requirements on Profiles Appendix C. Requirements on Profiles
This section lists the requirements on profiles of this framework, This section lists the requirements on profiles of this framework,
for the convenience of a profile designer. for the convenience of a profile designer.
o Optionally Specify the discovery process of how the client finds o Optionally Specify the discovery process of how the client finds
the right AS for an RS it wants to send a request to. Section 4 the right AS for an RS it wants to send a request to. Section 4
o Specify the communication protocol the client and RS the must use o Specify the communication protocol the client and RS the must use
(e.g. CoAP). Section 5 and Section 6.5.4 (e.g. CoAP). Section 5 and Section 5.5.4.4
o Specify the security protocol the client and RS must use to o Specify the security protocol the client and RS must use to
protect their communication (e.g. OSCOAP or DTLS over CoAP). protect their communication (e.g. OSCOAP or DTLS over CoAP).
This must provide encryption and integrity protection. This must provide encryption and integrity protection.
Section 6.5.4 Section 5.5.4.4
o Specify how the client and the RS mutually authenticate. o Specify how the client and the RS mutually authenticate.
Section 4 Section 4
o Specify the Content-format of the protocol messages (e.g. o Specify the Content-format of the protocol messages (e.g.
"application/cbor" or "application/cose+cbor"). Section 4 "application/cbor" or "application/cose+cbor"). Section 4
o Specify the proof-of-possession protocol(s) and how to select one, o Specify the proof-of-possession protocol(s) and how to select one,
if several are available. Also specify which key types (e.g. if several are available. Also specify which key types (e.g.
symmetric/asymmetric) are supported by a specific proof-of- symmetric/asymmetric) are supported by a specific proof-of-
possession protocol. Section 6.5.3 possession protocol. Section 5.5.4.3
o Specify a unique profile identifier. Section 6.5.4 o Specify a unique profile identifier. Section 5.5.4.4
o Optionally specify how the RS talks to the AS for o Optionally specify how the RS talks to the AS for
introspection.Section 7 introspection.Section 5.6
o Optionally specify how the client talks to the AS for requesting a o Optionally specify how the client talks to the AS for requesting a
token. Section 6 token. Section 5.5
o Specify how/if the /authz-info endpoint is protected. Section 8.1 o Specify how/if the /authz-info endpoint is protected.
Section 5.7.1
o Optionally define other methods of token transport than the o Optionally define other methods of token transport than the
/authz-info endpoint. Section 8.1 /authz-info endpoint. Section 5.7.1
Appendix D. Assumptions on AS knowledge about C and RS Appendix D. Assumptions on AS knowledge about C and RS
This section lists the assumptions on what an AS should know about a This section lists the assumptions on what an AS should know about a
client and a RS in order to be able to respond to requests to the client and a RS in order to be able to respond to requests to the
/token and /introspect endpoints. How this information is /token and /introspect endpoints. How this information is
established is out of scope for this document. established is out of scope for this document.
o The identifier of the client or RS. o The identifier of the client or RS.
o The profiles that the client or RS supports. o The profiles that the client or RS supports.
skipping to change at page 59, line 30 skipping to change at page 60, line 30
| | Payload: <new state for the lock> | | Payload: <new state for the lock>
| | | |
F: |<--------+ Header: 2.04 Changed F: |<--------+ Header: 2.04 Changed
| 2.04 | Payload: <new state for the lock> | 2.04 | Payload: <new state for the lock>
| | | |
Figure 27: Resource request and response protected by OSCOAP Figure 27: Resource request and response protected by OSCOAP
Appendix F. Document Updates Appendix F. Document Updates
F.1. Version -04 to -05 F.1. Version -05 to -06
o Moved sections that define the ACE framework into a subsection of
the framework Section 5.
o Split section on client credentials and grant into two separate
sections, Section 5.1, and Section 5.2.
o Added Section 5.3 on AS authentication.
o Added Section 5.4 on the Authorize endpoint.
F.2. Version -04 to -05
o Added RFC 2119 language to the specification of the required o Added RFC 2119 language to the specification of the required
behavior of profile specifications. behavior of profile specifications.
o Added section 6.1 on the relation to the OAuth2 grant types. o Added Section 5.2 on the relation to the OAuth2 grant types.
o Added CBOR abbreviations for error and the error codes defined in o Added CBOR abbreviations for error and the error codes defined in
OAuth2. OAuth2.
o Added clarification about token expiration and long-running o Added clarification about token expiration and long-running
requests in section 8.2. requests in Section 5.7.2
o Added security considerations about tokens with symmetric pop keys o Added security considerations about tokens with symmetric pop keys
valid for more than one RS. valid for more than one RS.
o Added privacy considerations section. o Added privacy considerations section.
o Added IANA registry mapping the confirmation types from RFC 7800 o Added IANA registry mapping the confirmation types from RFC 7800
to equivalent COSE types. to equivalent COSE types.
o Added appendix D, describing assumptions about what the AS knows o Added appendix D, describing assumptions about what the AS knows
about the client and the RS. about the client and the RS.
F.2. Version -03 to -04 F.3. Version -03 to -04
o Added a description of the terms "framework" and "profiles" as o Added a description of the terms "framework" and "profiles" as
used in this document. used in this document.
o Clarified protection of access tokens in section 3.1. o Clarified protection of access tokens in section 3.1.
o Clarified uses of the 'cnf' parameter in section 6.4.5. o Clarified uses of the 'cnf' parameter in section 6.4.5.
o Clarified intended use of Client Token in section 7.4. o Clarified intended use of Client Token in section 7.4.
F.3. Version -02 to -03 F.4. Version -02 to -03
o Removed references to draft-ietf-oauth-pop-key-distribution since o Removed references to draft-ietf-oauth-pop-key-distribution since
the status of this draft is unclear. the status of this draft is unclear.
o Copied and adapted security considerations from draft-ietf-oauth- o Copied and adapted security considerations from draft-ietf-oauth-
pop-key-distribution. pop-key-distribution.
o Renamed "client information" to "RS information" since it is o Renamed "client information" to "RS information" since it is
information about the RS. information about the RS.
o Clarified the requirements on profiles of this framework. o Clarified the requirements on profiles of this framework.
o Clarified the token endpoint protocol and removed negotiation of o Clarified the token endpoint protocol and removed negotiation of
'profile' and 'alg' (section 6). 'profile' and 'alg' (section 6).
o Renumbered the abbreviations for claims and parameters to get a o Renumbered the abbreviations for claims and parameters to get a
consistent numbering across different endpoints. consistent numbering across different endpoints.
o Clarified the introspection endpoint. o Clarified the introspection endpoint.
o Renamed token, introspection and authz-info to 'endpoint' instead o Renamed token, introspection and authz-info to 'endpoint' instead
of 'resource' to mirror the OAuth 2.0 terminology. of 'resource' to mirror the OAuth 2.0 terminology.
o Updated the examples in the appendices. o Updated the examples in the appendices.
F.4. Version -01 to -02 F.5. Version -01 to -02
o Restructured to remove communication security parts. These shall o Restructured to remove communication security parts. These shall
now be defined in profiles. now be defined in profiles.
o Restructured section 5 to create new sections on the OAuth o Restructured section 5 to create new sections on the OAuth
endpoints /token, /introspect and /authz-info. endpoints /token, /introspect and /authz-info.
o Pulled in material from draft-ietf-oauth-pop-key-distribution in o Pulled in material from draft-ietf-oauth-pop-key-distribution in
order to define proof-of-possession key distribution. order to define proof-of-possession key distribution.
o Introduced the 'cnf' parameter as defined in RFC7800 to reference o Introduced the 'cnf' parameter as defined in RFC7800 to reference
or transport keys used for proof of possession. or transport keys used for proof of possession.
o Introduced the 'client-token' to transport client information from o Introduced the 'client-token' to transport client information from
the AS to the client via the RS in conjunction with introspection. the AS to the client via the RS in conjunction with introspection.
o Expanded the IANA section to define parameters for token request, o Expanded the IANA section to define parameters for token request,
introspection and CWT claims. introspection and CWT claims.
o Moved deployment scenarios to the appendix as examples. o Moved deployment scenarios to the appendix as examples.
F.5. Version -00 to -01 F.6. Version -00 to -01
o Changed 5.1. from "Communication Security Protocol" to "Client o Changed 5.1. from "Communication Security Protocol" to "Client
Information". Information".
o Major rewrite of 5.1 to clarify the information exchanged between o Major rewrite of 5.1 to clarify the information exchanged between
C and AS in the PoP token request profile for IoT. C and AS in the PoP token request profile for IoT.
* Allow the client to indicate preferences for the communication * Allow the client to indicate preferences for the communication
security protocol. security protocol.
* Defined the term "Client Information" for the additional * Defined the term "Client Information" for the additional
information returned to the client in addition to the access information returned to the client in addition to the access
skipping to change at page 61, line 4 skipping to change at page 62, line 17
o Changed 5.1. from "Communication Security Protocol" to "Client o Changed 5.1. from "Communication Security Protocol" to "Client
Information". Information".
o Major rewrite of 5.1 to clarify the information exchanged between o Major rewrite of 5.1 to clarify the information exchanged between
C and AS in the PoP token request profile for IoT. C and AS in the PoP token request profile for IoT.
* Allow the client to indicate preferences for the communication * Allow the client to indicate preferences for the communication
security protocol. security protocol.
* Defined the term "Client Information" for the additional * Defined the term "Client Information" for the additional
information returned to the client in addition to the access information returned to the client in addition to the access
token. token.
* Require that the messages between AS and client are secured, * Require that the messages between AS and client are secured,
either with (D)TLS or with COSE_Encrypted wrappers. either with (D)TLS or with COSE_Encrypted wrappers.
* Removed dependency on OSCoAP and added generic text about * Removed dependency on OSCOAP and added generic text about
object security instead. object security instead.
* Defined the "rpk" parameter in the client information to * Defined the "rpk" parameter in the client information to
transmit the raw public key of the RS from AS to client. transmit the raw public key of the RS from AS to client.
* (D)TLS MUST use the PoP key in the handshake (either as PSK or * (D)TLS MUST use the PoP key in the handshake (either as PSK or
as client RPK with client authentication). as client RPK with client authentication).
* Defined the use of x5c, x5t and x5tS256 parameters when a * Defined the use of x5c, x5t and x5tS256 parameters when a
client certificate is used for proof of possession. client certificate is used for proof of possession.
* Defined "tktn" parameter for signaling for how to transfer the * Defined "tktn" parameter for signaling for how to transfer the
access token. access token.
o Added 5.2. the CoAP Access-Token option for transferring access o Added 5.2. the CoAP Access-Token option for transferring access
skipping to change at page 61, line 29 skipping to change at page 62, line 41
o 5.3.2. Defined success and error responses from the RS when o 5.3.2. Defined success and error responses from the RS when
receiving an access token. receiving an access token.
o 5.6.:Added section giving guidance on how to handle token o 5.6.:Added section giving guidance on how to handle token
expiration in the absence of reliable time. expiration in the absence of reliable time.
o Appendix B Added list of roles and responsibilities for C, AS and o Appendix B Added list of roles and responsibilities for C, AS and
RS. RS.
Authors' Addresses Authors' Addresses
Ludwig Seitz Ludwig Seitz
SICS RISE SICS
Scheelevaegen 17 Scheelevaegen 17
Lund 223 70 Lund 223 70
SWEDEN SWEDEN
Email: ludwig@sics.se Email: ludwig@ri.se
Goeran Selander Goeran Selander
Ericsson Ericsson
Faroegatan 6 Faroegatan 6
Kista 164 80 Kista 164 80
SWEDEN SWEDEN
Email: goran.selander@ericsson.com Email: goran.selander@ericsson.com
Erik Wahlstroem Erik Wahlstroem
(no affiliation)
Sweden Sweden
Email: erik@wahlstromtekniska.se Email: erik@wahlstromtekniska.se
Samuel Erdtman Samuel Erdtman
Spotify AB Spotify AB
Birger Jarlsgatan 61, 4tr Birger Jarlsgatan 61, 4tr
Stockholm 113 56 Stockholm 113 56
Sweden Sweden
Email: erdtman@spotify.com Email: erdtman@spotify.com
Hannes Tschofenig Hannes Tschofenig
ARM Ltd. ARM Ltd.
 End of changes. 110 change blocks. 
207 lines changed or deleted 263 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/