| < draft-ietf-kitten-sasl-oauth-03.txt | draft-ietf-kitten-sasl-oauth-04.txt > | |||
|---|---|---|---|---|
| KITTEN W. Mills | KITTEN W. Mills | |||
| Internet-Draft Yahoo! Inc. | Internet-Draft Yahoo! Inc. | |||
| Intended status: Standards Track T. Showalter | Intended status: Standards Track T. Showalter | |||
| Expires: February 7, 2013 | Expires: February 21, 2013 | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Siemens Networks | Nokia Siemens Networks | |||
| August 6, 2012 | August 20, 2012 | |||
| A SASL and GSS-API Mechanism for OAuth | A SASL and GSS-API Mechanism for OAuth | |||
| draft-ietf-kitten-sasl-oauth-03 | draft-ietf-kitten-sasl-oauth-04 | |||
| Abstract | Abstract | |||
| OAuth enables a third-party application to obtain limited access to a | OAuth enables a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| This document defines how an application client uses OAuth over the | This document defines how an application client uses OAuth over the | |||
| Simple Authentication and Security Layer (SASL) or the Generic | Simple Authentication and Security Layer (SASL) or the Generic | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 7, 2013. | This Internet-Draft will expire on February 21, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 8 | 3. OAuth SASL Mechanism Specification . . . . . . . . . . . . . . 9 | |||
| 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 8 | 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | |||
| 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 9 | 3.1.1. Reserved Key/Values in OAUTH . . . . . . . . . . . . . 10 | |||
| 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 9 | 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 11 | |||
| 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 9 | 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.2.2. Server response to failed authentication. . . . . . . 10 | 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | |||
| 3.3. Use of Signature Type Authorization . . . . . . . . . . . 10 | 3.2.2. Server response to failed authentication. . . . . . . 12 | |||
| 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 11 | 3.2.3. Completing an error message sequence. . . . . . . . . 12 | |||
| 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 13 | 3.3. Use of Signature Type Authorization . . . . . . . . . . . 13 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 14 | 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15 | |||
| 5.2. MAC Authentication with Channel Binding . . . . . . . . . 14 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 15 | 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 | |||
| 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 16 | 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 18 | 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 | |||
| 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 18 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 20 | 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 22 | |||
| Appendix A. Document History . . . . . . . . . . . . . . . . . . 21 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 23 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 | ||||
| Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 25 | ||||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 26 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | ||||
| 1. Introduction | 1. Introduction | |||
| OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | |||
| limited access to a protected resource, either on behalf of a | limited access to a protected resource, either on behalf of a | |||
| resource owner by orchestrating an approval interaction, or by | resource owner by orchestrating an approval interaction, or by | |||
| allowing the third-party application to obtain access on its own | allowing the third-party application to obtain access on its own | |||
| behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | |||
| define the interaction between the client and the resource server | define the interaction between the client and the resource server | |||
| with the access to a protected resource using an Access Token. This | with the access to a protected resource using an Access Token. This | |||
| functionality is described in two separate specifications, namely | functionality is described in separate specifications, for example | |||
| [I-D.ietf-oauth-v2-bearer], and [I-D.ietf-oauth-v2-http-mac], whereby | [I-D.ietf-oauth-v2-bearer], [I-D.ietf-oauth-v2-http-mac], and OAuth | |||
| the focus is on an HTTP-based environment only. | 1.0a [RFC5849] where the focus is on an HTTP-based environment only. | |||
| Figure 1 shows the abstract message flow as shown in Figure 1 of | Figure 1 shows the abstract message flow as shown in Figure 1 of | |||
| [I-D.ietf-oauth-v2]. | [I-D.ietf-oauth-v2]. | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | |--(A)- Authorization Request ->| Resource | | | |--(A)- Authorization Request ->| Resource | | |||
| | | | Owner | | | | | Owner | | |||
| | |<-(B)-- Authorization Grant ---| | | | |<-(B)-- Authorization Grant ---| | | |||
| | | +---------------+ | | | +---------------+ | |||
| | | | | | | |||
| | | +---------------+ | | | +---------------+ | |||
| | |--(C)-- Authorization Grant -->| Authorization | | | |--(C)-- Authorization Grant -->| Authorization | | |||
| | Client | | Server | | | Client | | Server | | |||
| | |<-(D)----- Access Token -------| | | | |<-(D)----- Access Token -------| | | |||
| | | +---------------+ | | | +---------------+ | |||
| | | | | | | |||
| | | +---------------+ | | | +---h------------+ | |||
| | |--(E)----- Access Token ------>| Resource | | | |--(E)----- Access Token ------>| Resource | | |||
| | | | Server | | | | | Server | | |||
| | |<-(F)--- Protected Resource ---| | | | |<-(F)--- Protected Resource ---| | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 1: Abstract OAuth 2.0 Protocol Flow | Figure 1: Abstract OAuth 2.0 Protocol Flow | |||
| This document takes advantage of the OAuth protocol and its | This document takes advantage of the OAuth protocol and its | |||
| deployment base to provide a way to use SASL [RFC4422] as well as the | deployment base to provide a way to use SASL [RFC4422] as well as the | |||
| GSS-API [RFC2743] to gain access to resources when using non-HTTP- | GSS-API [RFC2743] to gain access to resources when using non-HTTP- | |||
| based protocols, such as the Internet Message Access Protocol (IMAP) | based protocols, such as the Internet Message Access Protocol (IMAP) | |||
| [RFC3501], which is what this memo uses in the examples. | [RFC3501] and SMTP [RFC5321], which is what this memo uses in the | |||
| examples. | ||||
| The Simple Authentication and Security Layer (SASL) is a framework | The Simple Authentication and Security Layer (SASL) is a framework | |||
| for providing authentication and data security services in | for providing authentication and data security services in | |||
| connection-oriented protocols via replaceable mechanisms. It | connection-oriented protocols via replaceable mechanisms. It | |||
| provides a structured interface between protocols and mechanisms. | provides a structured interface between protocols and mechanisms. | |||
| The resulting framework allows new protocols to reuse existing | The resulting framework allows new protocols to reuse existing | |||
| mechanisms and allows old protocols to make use of new mechanisms. | mechanisms and allows old protocols to make use of new mechanisms. | |||
| The framework also provides a protocol for securing subsequent | The framework also provides a protocol for securing subsequent | |||
| protocol exchanges within a data security layer. | protocol exchanges within a data security layer. | |||
| The Generic Security Service Application Program Interface (GSS-API) | The Generic Security Service Application Program Interface (GSS-API) | |||
| [RFC2743] provides a framework for applications to support multiple | [RFC2743] provides a framework for applications to support multiple | |||
| authentication mechanisms through a unified interface. | authentication mechanisms through a unified interface. | |||
| This document defines a SASL mechanism for OAuth, but it conforms to | This document defines a SASL mechanism for OAuth, but it conforms to | |||
| skipping to change at page 5, line 49 ¶ | skipping to change at page 5, line 51 ¶ | |||
| authorization server and presenting the authorization grant. | authorization server and presenting the authorization grant. | |||
| (D) The authorization server authenticates the client and | (D) The authorization server authenticates the client and | |||
| validates the authorization grant, and if valid issues an access | validates the authorization grant, and if valid issues an access | |||
| token. | token. | |||
| (E) The client requests the protected resource from the resource | (E) The client requests the protected resource from the resource | |||
| server and authenticates by presenting the access token. | server and authenticates by presenting the access token. | |||
| (F) The resource server validates the access token, and if valid, | (F) The resource server validates the access token, and if valid, | |||
| serves the request. | indicates a successful authentication. | |||
| Steps (E) and (F) are not defined in [I-D.ietf-oauth-v2] and are the | Steps (E) and (F) are not defined in [I-D.ietf-oauth-v2] and are the | |||
| main functionality specified within this document. Consequently, the | main functionality specified within this document. Consequently, the | |||
| message exchange shown in Figure 2 is the result of this | message exchange shown in Figure 2 is the result of this | |||
| specification. The client will genrally need to determine the | specification. The client will genrally need to determine the | |||
| authentication endpoints (and perhaps the service endpoints) before | authentication endpoints (and perhaps the service endpoints) before | |||
| the OAuth 2.0 protocol exchange messages in steps (A)-(D) are | the OAuth 2.0 protocol exchange messages in steps (A)-(D) are | |||
| executed. The discovery of the resource owner and authorization | executed. The discovery of the resource owner and authorization | |||
| server endpoints is outside the scope of this specification. The | server endpoints is outside the scope of this specification. The | |||
| client must discover those endpoints using a discovery mechanisms | client must discover those endpoints using a discovery mechanisms | |||
| such as Webfinger using host-meta [I-D.jones-appsawg-webfinger]. In | such as Webfinger using host-meta [I-D.jones-appsawg-webfinger]. In | |||
| band discovery is not tenable if clients support the OAuth 2.0 | band discovery is not tenable if clients support the OAuth 2.0 | |||
| password grant. Once credentials are obtained the client proceeds to | password grant. Once credentials are obtained the client proceeds to | |||
| steps (E) and (F) defined in this specification. | steps (E) and (F) defined in this specification. | |||
| The client need not implement more than one authorization scheme, and | ||||
| there are no mandatory to implement schemes. The server MUST | ||||
| advertise at least one scheme if the OAUTH mechanism is offered. | ||||
| During discovery the client might not find any schemes that it | ||||
| supports, an OAuth 2.0 enabled client MAY attempt to fetch a | ||||
| credential for a scheme it supports from a discovered OAuth 2.0 | ||||
| authorization endpoint. If the client finds no schemes it supports | ||||
| the client SHOULD provide feedback to the user that the requested | ||||
| enpoint can not be supported. | ||||
| ----+ | ----+ | |||
| +--------+ +---------------+ | | +--------+ +---------------+ | | |||
| | |--(A)-- Authorization Request --->| Resource | | | | |--(A)-- Authorization Request --->| Resource | | | |||
| | | | Owner | |Plain | | | | Owner | |Plain | |||
| | |<-(B)------ Access Grant ---------| | |OAuth | | |<-(B)------ Access Grant ---------| | |OAuth | |||
| | | +---------------+ |2.0 | | | +---------------+ |2.0 | |||
| | | | | | | | | |||
| | | Client Credentials & +---------------+ | | | | Client Credentials & +---------------+ | | |||
| | |--(C)------ Access Grant -------->| Authorization | | | | |--(C)------ Access Grant -------->| Authorization | | | |||
| | Client | | Server | | | | Client | | Server | | | |||
| skipping to change at page 6, line 42 ¶ | skipping to change at page 8, line 5 ¶ | |||
| | | | | |OAuth | | | | | |OAuth | |||
| | |--(E)------ Access Token -------->| Resource | |over | | |--(E)------ Access Token -------->| Resource | |over | |||
| | | | Server | |SASL/ | | | | Server | |SASL/ | |||
| | |<-(F)---- Protected Resource -----| | |GSS- | | |<-(F)---- Protected Resource -----| | |GSS- | |||
| | | | | |API | | | | | |API | |||
| +--------+ +---------------+ | | +--------+ +---------------+ | | |||
| ----+ | ----+ | |||
| Figure 2: OAuth SASL Architecture | Figure 2: OAuth SASL Architecture | |||
| It is worthwhile to note that this specification is also compatible | ||||
| with OAuth 1.0a [RFC5849]. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| The reader is assumed to be familiar with the terms used in the OAuth | The reader is assumed to be familiar with the terms used in the OAuth | |||
| 2.0 specification [I-D.ietf-oauth-v2]. | 2.0 specification [I-D.ietf-oauth-v2]. | |||
| In examples, "C:" and "S:" indicate lines sent by the client and | In examples, "C:" and "S:" indicate lines sent by the client and | |||
| server respectively. Line breaks have been inserted for readability. | server respectively. Line breaks have been inserted for readability. | |||
| Note that the IMAP SASL specification requires base64 encoding | Note that the IMAP SASL specification requires base64 encoding | |||
| message, not this memo. | message, not this memo. | |||
| 3. OAuth SASL Mechanism Specification | 3. OAuth SASL Mechanism Specification | |||
| SASL is used as a generalized authentication method in a variety of | SASL is used as a generalized authentication method in a variety of | |||
| application layer protocols. This document defines two SASL | application layer protocols. This document defines two SASL | |||
| mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The | mechanisms for usage with OAuth: "OAUTH" and "OAUTH-PLUS". The | |||
| "OAUTH" SASL mechanism enables OAuth authorizattion schemes for SASL, | "OAUTH" SASL mechanism enables OAuth authorization schemes for SASL, | |||
| "OAUTH-PLUS" adds channel binding [RFC5056] capability for additional | "OAUTH-PLUS" adds channel binding [RFC5056] capability for additional | |||
| security guarantees. | security guarantees. | |||
| This mechanism is client initiated and lock-step, the server always | ||||
| replying to a client message. In the case where the client has and | ||||
| correctly uses a valid token the flow is: | ||||
| o Client sends a valid and correct initial client response. | ||||
| o Server responds with a successful authentication. | ||||
| In the case where authorization fails the server sends an error | ||||
| result, then client MUST then send an additional message to the | ||||
| server in order to allow the server to finish the exchange. Some | ||||
| protocols and common SASL implementations do not support both sending | ||||
| a SASL message and finalizing a SASL negotiation, the additional | ||||
| client message in the error case deals with this problem. This | ||||
| exchange is: | ||||
| o Client sends an invalid initial client response. | ||||
| o Server responds with an error message. | ||||
| o Client sends an empty client reponse. | ||||
| o Server fails the authentication. | ||||
| 3.1. Initial Client Response | 3.1. Initial Client Response | |||
| Client responses are a key/value pair sequence. These key/value | Client responses are a key/value pair sequence. The initial client | |||
| pairs carry the equivalent values from an HTTP context in order to be | response includes a gs2-header as defined in GSS-API [RFC5801], which | |||
| able to complete an OAuth style HTTP authorization. The ABNF | carries the authorization ID as a hint. These key/value pairs carry | |||
| [RFC5234] syntax is | the equivalent values from an HTTP context in order to be able to | |||
| complete an OAuth style HTTP authorization. The client MUST send an | ||||
| authorization ID in the gs2-header. The server MAY use this as a | ||||
| routing or database lookup hint. The server MUST NOT use this as | ||||
| authoritative, the user name MUST be asserted by the OAuth | ||||
| credential. The ABNF [RFC5234] syntax is: | ||||
| kvsep = %x01 | kvsep = %x01 | |||
| key = 1*ALPHA | key = 1*ALPHA | |||
| value = *(VCHAR | SP | HTAB | CR | LF ) | value = *(VCHAR | SP | HTAB | CR | LF ) | |||
| kvpair = key "=" value kvsep | kvpair = key "=" value kvsep | |||
| client_resp = 1*kvpair kvsep | client_resp = 0*kvpair kvsep | |||
| ;; gs2-header = As defined in GSS-API | ||||
| initial_client_resp = gs2-header kvsep client_resp | ||||
| The following key/value pairs are defined in the client response: | The following key/value pairs are defined in the client response: | |||
| auth (REQUIRED): The payload of the HTTP Authorization header for | auth (REQUIRED): The payload of the HTTP Authorization header for | |||
| an equivalent HTTP OAuth authroization. | an equivalent HTTP OAuth authroization. | |||
| user (REQUIRED): Contains the user name being authenticated. The | ||||
| server MAY use this as a routing or database lookup hint. The | ||||
| server MUST NOT use this as authoritative, the user name MUST | ||||
| be asserted by the OAuth credential. | ||||
| host: Contains the host name to which the client connected. | host: Contains the host name to which the client connected. | |||
| port: Contains the port number represented as a decimal positive | port: Contains the port number represented as a decimal positive | |||
| integer string without leading zeros to which the client | integer string without leading zeros to which the client | |||
| connected. | connected. | |||
| qs: The HTTP query string. In OAUTH this is reserved, the client | ||||
| SHOUD NOT send it, and has the default value of "". In OAUTH- | ||||
| PLUS this carries a single key value pair "cbdata" for the | ||||
| channel binding data payload formatted as an HTTP query string. | ||||
| In authorization schemes that use signatures, the client MUST send | In authorization schemes that use signatures, the client MUST send | |||
| host and port number key/values, and the server MUST fail an | host and port number key/values, and the server MUST fail an | |||
| authorization request requiring signatures that does not have host | authorization request requiring signatures that does not have host | |||
| and port values. | and port values. For authorization schemes that require a scheme as | |||
| part of the URI being signed "http" is always used. | ||||
| 3.1.1. Reserved Key/Values in OAUTH | 3.1.1. Reserved Key/Values in OAUTH | |||
| In the OAUTH mechanism values for path, query string and post body | In the OAUTH mechanism values for path, query string and post body | |||
| are assigned default values. OAuth authorization schemes MAY define | are assigned default values. OAuth authorization schemes MAY define | |||
| usage of these in the SASL context and extend this specification. | usage of these in the SASL context and extend this specification. | |||
| For OAuth schemes that use request signatures the default values MUST | For OAuth schemes that use request signatures the default values MUST | |||
| be used unless explict values are provided in the client response. | be used unless explict values are provided in the client response. | |||
| The following key values are reserved for future use: | The following key values are reserved for future use: | |||
| path (RESERVED): HTTP path data, the default value is "/". | mthd (RESERVED): HTTP method for use in signatures, the default | |||
| value is "POST". | ||||
| qs (RESERVED): HTTP query string, the default value is "". | path (RESERVED): HTTP path data, the default value is "/". | |||
| post (RESERVED): HTTP post data, the default value is "". | post (RESERVED): HTTP post data, the default value is "". | |||
| 3.1.2. Use of the gs2-header | ||||
| The gs2-header is used as follows: | ||||
| o The "gs2-nonstd-flag" MUST NOT be present. | ||||
| o The "gs2-authzid" carries the authorization identity as specified | ||||
| in [RFC5801]. | ||||
| In the OAUTH mechanism the "gs2-cb-flag" MUST be set to "n" because | ||||
| channel-binding [RFC5056] data is not expected. In the OAUTH-PLUS | ||||
| mechanism the "gs2-cb-flag" MUST be set appropriately by the client. | ||||
| 3.2. Server's Response | 3.2. Server's Response | |||
| The server validates the response per the specification for the | The server validates the response per the specification for the | |||
| authorization scheme used. If the authorization scheme used includes | authorization scheme used. If the authorization scheme used includes | |||
| signing of the request parameters the client must provide a client | signing of the request parameters the client must provide a client | |||
| response that satisfies the data requirements for the scheme in use. | response that satisfies the data requirements for the scheme in use. | |||
| In the OAUTH-PLUS mechanism the server examines the channel binding | In the OAUTH-PLUS mechanism the server examines the channel binding | |||
| data, extracts the channel binding unique prefix, and extracts the | data, extracts the channel binding unique prefix, and extracts the | |||
| raw channel biding data based on the channel binding type used. It | raw channel biding data based on the channel binding type used. It | |||
| then computes it's own copy of the channel binding payload and | then computes it's own copy of the channel binding payload and | |||
| compares that to the payload sent by the client in the cbdata key/ | compares that to the payload sent by the client in the cbdata key/ | |||
| value. Those two must be equal for channel binding to succeed. | value. Those two must be equal for channel binding to succeed. | |||
| The server responds to a successfully verified client message by | The server responds to a successfully verified client message by | |||
| completing the SASL negotiation. The authentication scheme MUST | completing the SASL negotiation. The authorization scheme MUST carry | |||
| carry the user ID to be used as the authorization identity (identity | the user ID to be used as the authorization identity (identity to act | |||
| to act as). The server MUST use the ID obtained from the credential | as). The server MUST use the ID obtained from the credential as the | |||
| as the user being authorized. | user being authorized. | |||
| 3.2.1. Mapping to SASL Identities | 3.2.1. Mapping to SASL Identities | |||
| Some OAuth mechanisms can provide both an authorization identity and | Some OAuth mechanisms can provide both an authorization identity and | |||
| an authentication identity. An example of this is OAuth 1.0a | an authentication identity. An example of this is OAuth 1.0a | |||
| [RFC5849] where the consumer key (oauth_consumer_key) identifies the | [RFC5849] where the consumer key (oauth_consumer_key) identifies the | |||
| entity using the token which equates to the SASL authentication | entity using the token which equates to the SASL authentication | |||
| identity, and is authenticated using the shared secret. The | identity, and is authenticated using the shared secret. The | |||
| authorization identity in the OAuth 1.0a case is carried in the token | authorization identity in the OAuth 1.0a case is carried in the token | |||
| (per the requirement above), which SHOULD be validated independently. | (per the requirement above), which SHOULD be validated independently. | |||
| skipping to change at page 10, line 22 ¶ | skipping to change at page 12, line 22 ¶ | |||
| result consists of the following values: | result consists of the following values: | |||
| status (REQUIRED): The authorization error code. Valid error | status (REQUIRED): The authorization error code. Valid error | |||
| codes are defined in the IANA [[need registry name]] registry | codes are defined in the IANA [[need registry name]] registry | |||
| specified in the OAuth 2 core specification. | specified in the OAuth 2 core specification. | |||
| schemes (REQUIRED): A space separated list of the OAuth | schemes (REQUIRED): A space separated list of the OAuth | |||
| authorization schemes supported by the server, i.e. "bearer" or | authorization schemes supported by the server, i.e. "bearer" or | |||
| "bearer mac". | "bearer mac". | |||
| scope (OPTIONAL): The OAuth scope required to access the service. | scope (OPTIONAL): An OAuth scope which is valid to access the | |||
| service. This may be empty which implies that unscoped tokens | ||||
| are required, or a space separated list. Use of a space | ||||
| separated list is NOT RECOMMENDED. | ||||
| If the resource server provides a scope the client SHOULD always | If the resource server provides a scope the client SHOULD always | |||
| request scoped tokens from the token endpoint. The client MAY use a | request scoped tokens from the token endpoint. The client MAY use a | |||
| scope other than the one provided by the resource server. Scopes | scope other than the one provided by the resource server. Scopes | |||
| other than those advertised by the resource server are be defined by | other than those advertised by the resource server are be defined by | |||
| the resource owner and provided in service documentation or discovery | the resource owner and provided in service documentation or discovery | |||
| information (which is beyond the scope of this memo). If not present | information (which is beyond the scope of this memo). If not present | |||
| then the client SHOULD presume an empty scope (unscoped token) is | then the client SHOULD presume an empty scope (unscoped token) is | |||
| needed. | needed. | |||
| If channel binding is in use and the channel binding fails the server | If channel binding is in use and the channel binding fails the server | |||
| responds with a status code set to 412 to indicate that the channel | responds with a status code set to 412 to indicate that the channel | |||
| binding precondition failed. If the authentication scheme in use | binding precondition failed. If the authentication scheme in use | |||
| does not include signing the server SHOULD revoke the presented | does not include signing the server SHOULD revoke the presented | |||
| credential and the client SHOULD discard that credential. | credential and the client SHOULD discard that credential. | |||
| 3.2.3. Completing an error message sequence. | ||||
| If the client gets an error message form the server it MUST send an | ||||
| empty client response consisting of a single %x01 (control A) | ||||
| character, which is a correctly formatted client response with no | ||||
| key/value pairs. The server then completes the SASL negotiation with | ||||
| a failure result. | ||||
| 3.3. Use of Signature Type Authorization | 3.3. Use of Signature Type Authorization | |||
| This mechanism supports authorization using signatures, which | This mechanism supports authorization using signatures, which | |||
| requires that both client and server construct the string to be | requires that both client and server construct the string to be | |||
| signed. OAuth 2 is designed for authentication/authorization to | signed. OAuth 2 is designed for authentication/authorization to | |||
| access specific URIs. SASL is designed for user authentication, and | access specific URIs. SASL is designed for user authentication, and | |||
| has no facility for being more specific. In this mechanism we | has no facility for being more specific. In this mechanism we | |||
| require or define default values for the data elements from an HTTP | require or define default values for the data elements from an HTTP | |||
| request which allow the signature base string to be constructed | request which allow the signature base string to be constructed | |||
| properly. The default HTTP path is "/" and the default post body is | properly. The default HTTP path is "/" and the default post body is | |||
| empty. These atoms are defined as extension points so that no | empty. These atoms are defined as extension points so that no | |||
| changes are needed if there is a revision of SASL which supports more | changes are needed if there is a revision of SASL which supports more | |||
| specific resource authorization, e.g. IMAP access to a specific | specific resource authorization, e.g. IMAP access to a specific | |||
| folder or FTP access limited to a specific directory. | folder or FTP access limited to a specific directory. | |||
| Using the example in the MAC specification | Using the example in the OAuth 1.0a specification as a starting | |||
| [I-D.ietf-oauth-v2-http-mac] as a starting point, on an IMAP server | point, on an IMAP server running on port 143 and given the OAuth 1.0a | |||
| running on port 143 and given the MAC style authorization request | style authorization request (with %x01 shown as ^A and line breaks | |||
| (with %x01 shown as ^A and line breaks added for readability) below: | added for readability) below: | |||
| host=server.example.com^A | n,a=user@example.com,^A | |||
| user=user@example.com^A | host=example.com^A | |||
| port=143^A | port=143^A | |||
| auth=MAC token="h480djs93hd8",timestamp="137131200",nonce="dj83hs9s", | auth=OAuth realm="Example", | |||
| signature="YTVjyNSujYs1WsDurFnvFi4JK6o="^A^A | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | ||||
| oauth_signature_method="HMAC-SHA1", | ||||
| oauth_timestamp="137131201", | ||||
| oauth_nonce="7d8f3e4a", | ||||
| oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A | ||||
| The normalized request string would be constructed per the MAC | The signature base string would be constructed per the OAuth 1.0 | |||
| specification [I-D.ietf-oauth-v2-http-mac]. In this example the | specification [RFC5849] with the following things noted: | |||
| normalized request string with the new line separator character is | ||||
| represented by "\n" for display purposes only would be: | ||||
| h480djs93hi8\n | o The method value is defaulted to POST. | |||
| 137131200\n | ||||
| dj83hs9s\n | o The scheme defaults to be "http", and any port number other than | |||
| \n | 80 is included. | |||
| GET\n | ||||
| server.example.com\n | o The path defaults to "/". | |||
| 143\n | ||||
| /\n | o The query string defaults to "". | |||
| \n | ||||
| In this example the signature base string with line breaks added for | ||||
| readability would be: | ||||
| POST&http%3A%2F%2Fexample.com:143%2F&oauth_consumer_key%3D9djdj82h4 | ||||
| 8djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SH | ||||
| A1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7 | ||||
| 3.4. Channel Binding | 3.4. Channel Binding | |||
| If the specification for the underlying authorization scheme requires | The channel binding data is carried in the "qs" (query string) key | |||
| a security layer, such as TLS [RFC5246], the server SHOULD only offer | value pair formatted as a standard HTTP query parameter with the name | |||
| a mechanism where channel binding can be enabled. | "cbdata". Channel binding requires that the channel binding data be | |||
| integrity protected end-to-end in order to protect against man-in- | ||||
| the-middle attacks. All authorization schemes offered in an OAUTH- | ||||
| PLUS mechanism MUST provide integrity protection. It should be noted | ||||
| that while the Bearer token scheme specifies SSL for normal usage it | ||||
| offers no integrity protection and is not suitable for use in OAUTH- | ||||
| PLUS. | ||||
| The channel binding data is computed by the client based on it's | The channel binding data is computed by the client based on it's | |||
| choice of preferred channel binding type. As specified in [RFC5056], | choice of preferred channel binding type. As specified in [RFC5056], | |||
| the channel binding information MUST start with the channel binding | the channel binding information MUST start with the channel binding | |||
| unique prefix, followed by a colon (ASCII 0x3A), followed by a base64 | unique prefix, followed by a colon (ASCII 0x3A), followed by a base64 | |||
| encoded channel binding payload. The channel binding payload is the | encoded channel binding payload. The channel binding payload is the | |||
| raw data from the channel binding type if the raw channel binding | raw data from the channel binding type. For example, if the client | |||
| data is less than 500 bytes. If the raw channel binding data is 500 | is using tls-unique for channel binding then the raw channel binding | |||
| bytes or larger then a SHA-1 [RFC3174] hash of the raw channel | data is the TLS finished message as specified in section 3.1 of | |||
| binding data is computed. | [RFC5929]. | |||
| If the client is using tls-unique for a channel binding then the raw | ||||
| channel binding data equals the first TLS finished message. This is | ||||
| under the 500 byte limit, so the channel binding payload sent to the | ||||
| server would be the base64 encoded first TLS finished message. | ||||
| In the case where the client has chosen tls-endpoint, the raw channel | ||||
| binding data is the certificate of the server the client connected | ||||
| to, which will frequently be 500 bytes or more. If it is then the | ||||
| channel binding payload is the base64 encoded SHA-1 hash of the | ||||
| server certificate. | ||||
| 4. GSS-API OAuth Mechanism Specification | 4. GSS-API OAuth Mechanism Specification | |||
| Note: The normative references in this section are informational for | Note: The normative references in this section are informational for | |||
| SASL implementers, but they are normative for GSS-API implementers. | SASL implementers, but they are normative for GSS-API implementers. | |||
| The SASL OAuth mechanism is also a GSS-API mechanism and the messages | The SASL OAuth mechanism is also a GSS-API mechanism and the messages | |||
| described in Section 3 are the same, but | described in Section 3 are the same, but | |||
| 1. the GS2 header on the client's first message is excluded when | 1. the initial context token header is prefixed to the client's | |||
| OAUTH is used as a GSS-API mechanism, and | first authentication message (context token), as described in | |||
| Section 3.1 of RFC 2743, | ||||
| 2. initial context token header is prefixed to the client's first | ||||
| authentication message (context token), as described in Section | ||||
| 3.1 of RFC 2743, | ||||
| The GSS-API mechanism OID for OAuth is [[TBD: IANA]]. | The GSS-API mechanism OID for OAuth is [[TBD: IANA]]. | |||
| OAuth security contexts always have the mutual_state flag | OAuth security contexts always have the mutual_state flag | |||
| (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | (GSS_C_MUTUAL_FLAG) set to TRUE. OAuth supports credential | |||
| delegation, therefore security contexts may have the deleg_state flag | delegation, therefore security contexts may have the deleg_state flag | |||
| (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | (GSS_C_DELEG_FLAG) set to either TRUE or FALSE. | |||
| The mutual authentication property of this mechanism relies on | The mutual authentication property of this mechanism relies on | |||
| successfully comparing the TLS server identity with the negotiated | successfully comparing the TLS server identity with the negotiated | |||
| skipping to change at page 14, line 16 ¶ | skipping to change at page 16, line 16 ¶ | |||
| These example illustrate exchanges between an IMAP client and an IMAP | These example illustrate exchanges between an IMAP client and an IMAP | |||
| server. | server. | |||
| Note to implementers: Authorization scheme names are case | Note to implementers: Authorization scheme names are case | |||
| insensitive. One example uses "Bearer" but that could as easily be | insensitive. One example uses "Bearer" but that could as easily be | |||
| "bearer", "BEARER", or "BeArEr". | "bearer", "BEARER", or "BeArEr". | |||
| 5.1. Successful Bearer Token Exchange | 5.1. Successful Bearer Token Exchange | |||
| This example shows a successful OAuth 2.0 bearer token exchange with | This example shows a successful OAuth 2.0 bearer token exchange. | |||
| an initial client response. Note that line breaks are inserted for | Note that line breaks are inserted for readability. | |||
| readability. | ||||
| S: * IMAP4rev1 Server Ready | S: * IMAP4rev1 Server Ready | |||
| C: t0 CAPABILITY | C: t0 CAPABILITY | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH aG9zdD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMB | C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2VydmVy | |||
| dXNlcj11c2VyQGV4YW1wbGUuY29tAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk5 | LmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk5 | |||
| 2YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB | 2YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB | |||
| S: + | ||||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and long | decoded initial client response (with %x01 represented as ^A and long | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| host=server.example.com^Aport=143^Auser=user@example.com^A | n,a=user@example.com,^Ahost=server.example.com^Aport=143^A | |||
| auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A | |||
| The line containing just a "+" and a space is an empty response from | The same credential used in an SMTP exchange is shown below. Note | |||
| the server. This response contains error information, and in the | that line breaks are inserted for readability, and that the SMTP | |||
| success case the error response is empty. Like other messages, and | protocol terminates lines with CR and LF characters (ASCII values | |||
| in accordance with the IMAP SASL binding, the empty response is | 0x0D and 0x0A), these are not displayed explicitly in the example. | |||
| base64-encoded. | ||||
| 5.2. MAC Authentication with Channel Binding | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | ||||
| C: EHLO sender.example.com | ||||
| S: 250-mx.example.com at your service,[172.31.135.47] | ||||
| S: 250-SIZE 35651584 | ||||
| S: 250-8BITMIME | ||||
| S: 250-AUTH LOGIN PLAIN OAUTH | ||||
| S: 250-ENHANCEDSTATUSCODES | ||||
| S: 250-PIPELINING | ||||
| C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2VydmVy | ||||
| LmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk5 | ||||
| 2YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB | ||||
| S: 235 Authentication successful. | ||||
| [connection continues...] | ||||
| This example shows a channel binding failure. The example sends the | 5.2. OAuth 1.0a Authorization with Channel Binding | |||
| same request as above, but in the context of an OAUTH-PLUS exchange | ||||
| the channel binding information is missing. Note that line breaks | This example shows channel binding in the context of an OAuth 1.0a | |||
| are inserted for readability. | signed authorization request. Note that line breaks are inserted for | |||
| readability. | ||||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH-PLUS aG9zdD1zZXJ2ZXIuZXhhbXBsZS5jb20BdXNlcj11c2 | C: t1 AUTHENTICATE OAUTH-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vydm | |||
| VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9TUFDIHRva2VuPSJoNDgwZGpzOTNo | VyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9T0F1dGggcmVhbG09IkV4YW1wbGUi | |||
| ZDgiLHRpbWVzdGFtcD0iMTM3MTMxMjAwIixub25jZT0iZGo4M2hzOXMiLHNpZ25hdH | LG9hdXRoX2NvbnN1bWVyX2tleT0iOWRqZGo4Mmg0OGRqczlkMiIsb2F1dGhfdG9rZW | |||
| VyZT0iWVRWanlOU3VqWXMxV3NEdXJGbnZGaTRKSzZvPSIBY2JkYXRhPVNHOTNJR0pw | 49ImtrazlkN2RoM2szOXNqdjciLG9hdXRoX3NpZ25hdHVyZV9tZXRob2Q9IkhNQUMt | |||
| WnlCcGN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | U0hBMSIsb2F1dGhfdGltZXN0YW1wPSIxMzcxMzEyMDEiLG9hdXRoX25vbmNlPSI3ZD | |||
| S: + | hmM2U0YSIsb2F1dGhfc2lnbmF0dXJlPSJTU2R0SUdFZ2JHbDBkR3hsSUhSbFlTQndi | |||
| M1F1IgFxcz1jYmRhdGE9dGxzLXVuaXF1ZTpTRzkzSUdKcFp5QnBjeUJoSUZSTVV5Qm | ||||
| 1hVzVoYkNCdFpYTnpZV2RsUHdvPQEB | ||||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and long | decoded initial client response (with %x01 represented as ^A and | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| - | y,a=user@example.com,^A | |||
| host=server.example.com^A | host=server.example.com^A | |||
| user=user@example.com^A | ||||
| port=143^A | port=143^A | |||
| auth=MAC token="h480djs93hd8",timestamp="137131200",nonce="dj83hs9s", | auth=OAuth realm="Example", | |||
| signature="YTVjyNSujYs1WsDurFnvFi4JK6o="^A | oauth_consumer_key="9djdj82h48djs9d2", | |||
| cbdata=SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | ||||
| oauth_timestamp="137131201", | ||||
| oauth_nonce="7d8f3e4a", | ||||
| oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | ||||
| qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | ||||
| The line containing just a "+" and a space is an empty response from | In this example the signature base string with line breaks added for | |||
| the server. This response contains discovery information, and in the | readability would be: | |||
| success case no discovery information is necessary so the response is | ||||
| empty. Like other messages, and in accordance with the IMAP SASL | POST&http%3A%2F%2Fserver.example.com:143%2F&cbdata=tls-unique:SG93I | |||
| binding, the empty response is base64-encoded. | GJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=%26oauth_consumer_key%3D9djd | |||
| j82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHM | ||||
| AC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39s | ||||
| jv7 | ||||
| 5.3. Failed Exchange | 5.3. Failed Exchange | |||
| This example shows a failed exchange because of the empty | This example shows a failed exchange because of the empty | |||
| Authorization header, which is how a client can query for the needed | Authorization header, which is how a client can query for the needed | |||
| scope. Note that line breaks are inserted for readability. | scope. Note that line breaks are inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH aG9zdD1zZXJ2ZXIuZXhhbXBsZS5jb20BdXNlcj11 | C: t1 AUTHENTICATE OAUTH bixhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vy | |||
| c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AQE= | dmVyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AQE= | |||
| S: + eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3Bl | S: + ewoic3RhdHVzIjoiNDAxIiwKInNjaGVtZXMiOiJiZWFyZXIiLAoic2NvcGUi | |||
| IjoiZXhhbXBsZV9zY29wZSJ9 | OiJleGFtcGxlX3Njb3BlIgp9 | |||
| C: + AQ== | ||||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| host=server.example.com^Auser=user@example.com^Aport=143^Aauth=^A^A | n,a=user@example.com,^Ahost=server.example.com^Aport=143^Aauth=^A^A | |||
| The decoded server error response is: | The decoded server error response is: | |||
| { | { | |||
| "status":"401", | "status":"401", | |||
| "schemes":"bearer mac", | "schemes":"bearer", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | ||||
| 5.4. Failed Channel Binding | 5.4. Failed Channel Binding | |||
| This example shows a channel binding failure in an empty request. | This example shows a channel binding failure in an empty request. | |||
| The channel binding information is empty. Note that line breaks are | The channel binding information is empty. Note that line breaks are | |||
| inserted for readability. | inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH SASL-IR IMAP4rev1 Server Ready | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH OAUTH-PLUS SASL-IR IMAP4rev1 Server | |||
| S: t0 OK Completed | Ready | |||
| C: t1 AUTHENTICATE OAUTH aG9zdD1zZXJ2ZXIuZXhhbXBsZS5jb20BdXNlcj11 | S: t0 OK Completed | |||
| c2VyQGV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AWNiZGF0YT0BAQ== | C: t1 AUTHENTICATE OAUTH-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20sAWhvc3Q9c2Vydm | |||
| S: + eyJzdGF0dXMiOiI0MTIiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3Bl | VyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AWNiZGF0YT0BAQ== | |||
| IjoiZXhhbXBsZV9zY29wZSJ9 | S: + ewoic3RhdHVzIjoiNDEyIiwKInNjaGVtZXMiOiJiZWFyZXIgb2F1dGgiLAoi | |||
| S: t1 NO SASL authentication failed | c2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 | |||
| C: + AQ== | ||||
| S: t1 NO SASL authentication failed | ||||
| The decoded initial client response is: | The decoded initial client response is: | |||
| host=server.example.com^Auser=user@example.com^Aport=143^A | y,a=user@example.com,^A | |||
| host=server.example.com^Aport=143^A | ||||
| auth=^Acbdata=^A^A | auth=^Acbdata=^A^A | |||
| The decoded server response is: | The decoded server response is: | |||
| { | { | |||
| "status":"412", | "status":"412", | |||
| "schemes":"bearer mac", | "schemes":"bearer oauth", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | ||||
| 5.5. SMTP Example of a failed negotiation. | ||||
| This example shows an authorization failure in an SMTP exchange. | ||||
| Note that line breaks are inserted for readability, and that the SMTP | ||||
| protocol terminates lines with CR and LF characters (ASCII values | ||||
| 0x0D and 0x0A), these are not displayed explicitly in the example. | ||||
| [connection begins] | ||||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | ||||
| C: EHLO sender.example.com | ||||
| S: 250-mx.example.com at your service,[172.31.135.47] | ||||
| S: 250-SIZE 35651584 | ||||
| S: 250-8BITMIME | ||||
| S: 250-AUTH LOGIN PLAIN OAUTH | ||||
| S: 250-ENHANCEDSTATUSCODES | ||||
| S: 250-PIPELINING | ||||
| C: AUTH OAUTH dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2RjlkZn | ||||
| Q0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQo= | ||||
| S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | ||||
| HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | ||||
| C: AQ== | ||||
| S: 535-5.7.1 Username and Password not accepted. Learn more at | ||||
| S: 535 5.7.1 http://support.example.com/mail/oauth | ||||
| [connection continues...] | ||||
| The client responds with the required empty response. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| This mechanism does not provide a security layer, but does provide a | This mechanism does not provide a security layer, but does provide a | |||
| provision for channel binding. The OAuth 2 specification | provision for channel binding. The OAuth 2 specification | |||
| [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | |||
| properties of these profiles vary. The usage of bearer tokens, for | properties of these profiles vary. The usage of bearer tokens, for | |||
| example, provide security features similar to cookies. Applications | example, provide security features similar to cookies. Applications | |||
| using this mechanism SHOULD exercise the same level of care using | using this mechanism SHOULD exercise the same level of care using | |||
| this mechanism as they would in using the SASL PLAIN mechanism. In | this mechanism as they would in using the SASL PLAIN mechanism. In | |||
| particular, TLS 1.2 or an equivalent secure channel MUST be | particular, TLS 1.2 or an equivalent secure channel MUST be | |||
| implemented and its usage is RECOMMENDED. | implemented and its usage is RECOMMENDED. | |||
| Channel binding in this mechanism has different properties based on | The channel binding in this mechanism has different properties based | |||
| the authentication scheme used. Channel binding to TLS with a bearer | on the authentication scheme used. The integrity guarantee for | |||
| token provides only a binding to the TLS layer. Authentication | channel binding depends on the quality of the guarantee in the the | |||
| schemes like MAC tokens can implement a signature over the channel | authorization scheme. | |||
| binding information. These provide additional protection against a | ||||
| man in the middle attacks, and the MAC authorization header is bound | ||||
| to the channel and only valid in that context. | ||||
| It is possible that SASL will be authenticating a connection and the | It is possible that SASL will be authenticating a connection and the | |||
| life of that connection may outlast the life of the token used to | life of that connection may outlast the life of the token used to | |||
| authenticate it. This is a common problem in application protocols | authenticate it. This is a common problem in application protocols | |||
| where connections are long-lived, and not a problem with this | where connections are long-lived, and not a problem with this | |||
| mechanism per se. Servers MAY unilaterally disconnect clients in | mechanism per se. Servers MAY unilaterally disconnect clients in | |||
| accordance with the application protocol. | accordance with the application protocol. | |||
| An OAuth credential is not equivalent to the password or primary | An OAuth credential is not equivalent to the password or primary | |||
| account credential. There are protocols like XMPP that allow actions | account credential. There are protocols like XMPP that allow actions | |||
| like change password. The server SHOULD ensure that actions taken in | like change password. The server SHOULD ensure that actions taken in | |||
| the authenticated channel are appropriate to the strength of the | the authenticated channel are appropriate to the strength of the | |||
| presented credential. | presented credential. | |||
| Tokens have a lifetime associated with them. Reducing the lifetime | Tokens have a lifetime associated with them. Reducing the lifetime | |||
| of a token provides security benefits in case that tokens leak. In | of a token provides security benefits in the case that tokens leak. | |||
| addition a previously obtained token MAY be revoked or rendered | In addition a previously obtained token MAY be revoked or rendered | |||
| invalid at any time. The client MAY request a new access token for | invalid at any time. The client MAY request a new access token for | |||
| each connection to a resource server, but it SHOULD cache and re-use | each connection to a resource server, but it SHOULD cache and re-use | |||
| access credentials that appear to be valid. | access credentials that appear to be valid. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. SASL Registration | 7.1. SASL Registration | |||
| The IANA is requested to register the following SASL profile: | The IANA is requested to register the following SASL profile: | |||
| skipping to change at page 19, line 19 ¶ | skipping to change at page 23, line 19 ¶ | |||
| [I-D.ietf-oauth-v2] | [I-D.ietf-oauth-v2] | |||
| Hardt, D., "The OAuth 2.0 Authorization Framework", | Hardt, D., "The OAuth 2.0 Authorization Framework", | |||
| draft-ietf-oauth-v2-31 (work in progress), August 2012. | draft-ietf-oauth-v2-31 (work in progress), August 2012. | |||
| [I-D.ietf-oauth-v2-bearer] | [I-D.ietf-oauth-v2-bearer] | |||
| Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | |||
| Framework: Bearer Token Usage", | Framework: Bearer Token Usage", | |||
| draft-ietf-oauth-v2-bearer-23 (work in progress), | draft-ietf-oauth-v2-bearer-23 (work in progress), | |||
| August 2012. | August 2012. | |||
| [I-D.ietf-oauth-v2-http-mac] | ||||
| Hammer-Lahav, E., "HTTP Authentication: MAC Access | ||||
| Authentication", draft-ietf-oauth-v2-http-mac-01 (work in | ||||
| progress), February 2012. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
| Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| skipping to change at page 20, line 8 ¶ | skipping to change at page 23, line 52 ¶ | |||
| [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", RFC 5056, November 2007. | Channels", RFC 5056, November 2007. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | ||||
| October 2008. | ||||
| [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | |||
| Service Application Program Interface (GSS-API) Mechanisms | Service Application Program Interface (GSS-API) Mechanisms | |||
| in Simple Authentication and Security Layer (SASL): The | in Simple Authentication and Security Layer (SASL): The | |||
| GS2 Mechanism Family", RFC 5801, July 2010. | GS2 Mechanism Family", RFC 5801, July 2010. | |||
| [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, | [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, | |||
| April 2010. | April 2010. | |||
| [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings | [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings | |||
| for TLS", RFC 5929, July 2010. | for TLS", RFC 5929, July 2010. | |||
| skipping to change at page 20, line 29 ¶ | skipping to change at page 24, line 27 ¶ | |||
| [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. | [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. | |||
| [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
| Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||
| within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||
| (PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||
| Security (TLS)", RFC 6125, March 2011. | Security (TLS)", RFC 6125, March 2011. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-oauth-v2-http-mac] | ||||
| Hammer-Lahav, E., "HTTP Authentication: MAC Access | ||||
| Authentication", draft-ietf-oauth-v2-http-mac-01 (work in | ||||
| progress), February 2012. | ||||
| [I-D.jones-appsawg-webfinger] | [I-D.jones-appsawg-webfinger] | |||
| Jones, P., Salgueiro, G., and J. Smarr, "WebFinger", | Jones, P., Salgueiro, G., and J. Smarr, "WebFinger", | |||
| draft-jones-appsawg-webfinger-06 (work in progress), | draft-jones-appsawg-webfinger-06 (work in progress), | |||
| June 2012. | June 2012. | |||
| [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION | [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION | |||
| 4rev1", RFC 3501, March 2003. | 4rev1", RFC 3501, March 2003. | |||
| Appendix A. Document History | Appendix A. Acknowlegements | |||
| The authors would like to thank the members of the Kitten working | ||||
| group, and in addition and specifically: Simon Josefson, Torsten | ||||
| Lodderstadt, Ryan Troll, and Nico Williams. | ||||
| Appendix B. Document History | ||||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -04 | ||||
| o Changed user field to be carried in the gs2-header, and made gs2 | ||||
| header explicit in all cases. | ||||
| o Converted MAC examples to OAuth 1.0a. Moved MAC to an informative | ||||
| reference. | ||||
| o Changed to sending an empty client response (single control-A) as | ||||
| the second message of a failed sequence. | ||||
| o Fixed channel binding prose to refer to the normative specs and | ||||
| removed the hashing of large channel binding data, which brought | ||||
| mroe problems than it solved. | ||||
| o Added a SMTP examples for Bearer use case. | ||||
| -03 | -03 | |||
| o Added user field into examples and fixed egregious errors there as | o Added user field into examples and fixed egregious errors there as | |||
| well. | well. | |||
| o Added text reminding developers that Authorization scheme names | o Added text reminding developers that Authorization scheme names | |||
| are case insensitive. | are case insensitive. | |||
| -02 | -02 | |||
| skipping to change at page 21, line 37 ¶ | skipping to change at page 28, line 5 ¶ | |||
| o Replacing HTTP as the message format and adjusted all examples. | o Replacing HTTP as the message format and adjusted all examples. | |||
| -00 | -00 | |||
| o Renamed draft into proper IETF naming format now that it's | o Renamed draft into proper IETF naming format now that it's | |||
| adopted. | adopted. | |||
| o Minor fixes. | o Minor fixes. | |||
| -00 | ||||
| o Initial revision | ||||
| Authors' Addresses | Authors' Addresses | |||
| William Mills | William Mills | |||
| Yahoo! Inc. | Yahoo! Inc. | |||
| Phone: | Phone: | |||
| Email: wmills@yahoo-inc.com | Email: wmills@yahoo-inc.com | |||
| Tim Showalter | Tim Showalter | |||
| End of changes. 62 change blocks. | ||||
| 169 lines changed or deleted | 315 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||